Hello Michael,
Michael Tremer:
Hi,
On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
Hello Michael, hello Matthias,
Michael Tremer:
Just out of curiosity, why do you find this information so helpful?
As Matthias said already, is is more a "nice to have" than something which is seriously needed.
This is not too much of an argument. My argument against this is that it brings down page load times because of a not too useful information.
I wrote this patch because a friend of mine in France discovered that his ISP assigns DNS servers from Australia and Great Britain, which was slowing down DNS resolving a lot.
I get that and this is actually a pretty good one.
That only leaves resolvers like 8.8.8.8 which will show "US" but actually are located at many places around the world. Let's hope that people don't get the wrong thing from the flag - or actually start changing their DNS servers to something else :)
Therefore I thougt it might be useful to see in which countries your DNS servers are located, just in case you didn't set some by your own.
It is sometimes. Although geographic location doesn't mean that it is close on the network.
A system in GB is probably not an issue. Australia actually is a bit far away.
The problem here was something else: A couple of months ago, his ISP assigned DNS servers in France, which worked quite well and belonged to the ISP, according to whois information.
The list of assigned DNS servers must have changed somewhere in the meantime, and he still does not know why since the ISP does not answer related questions.
So, if your ISP suddenly assigns you DNS servers in a very different location than it has done long before, you know that something might be wrong here. (The Quantumhand-program of the NSA lists "DNS injection" as a possible method to impersonate a server - why not even change the DNS server to one they own? Would be much easier...) [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-impersonat...]
In general, adding geographic information to IP addresses is very helpful in my point of view because anomalies can be detected much better and more precise firewall rules are possible.
I don't get why.
For example, many active connections from an internal host to china, korea or an african country might indicate that a host is infected. If someone need to call ipinfo.cgi for every IP he/she/it does not know, it will end in a nightmare...
However, some thing might still be improved: For example, the ipinfo.cgi file shows the IP address, the rDNS name, whois information, but not the appropriate flag. So, if someone scrolls through the connection tracking page, he/she/it sees the source and destination IPs of any active (and recently closed) connection. At the moment, there is no way of telling which country an IP belongs to - without using additional web services, of course - since the flag is shown neither at the connection tracking page nor at the ipinfo.cgi page. This isn't very helpful, is it?
The ipinfo.cgi page shows the whois information for an IP address. That may contain the name and HQ location of a company this IP address belongs to, but that does *not* mean that the host is actually located in that country - and almost certainly not at that address.
That's right, GeoIP shows the location of the server and not those of its owner.
But looking at this whois output:
CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191 CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255
Not very helpful in first place, is it? ;-)
The GeoIP database is a completely different thing.
Judging by the location of the host does make any sense if you care about security.
Basically, yes. As I mentioned above, GeoIP makes more sense to detect anomalies and to allow, e.g., only VPN access from countries which are necessary.
That is basically the motivation behind the two patches I submitted recently.
Best regards, Timmothy Wilson
Best regards, Timmothy Wilson