'Twas me, gentlemen. I haven't logged in for quite a while.

On Thu, Feb 13, 2014 at 2:34 PM, Theo Baschak <[email protected]> wrote:

> Reverse DNS as Mak and Alex have said has been delegated from Voi (I did
> it 6-8 months ago) to Skullspace directly at the nameserver level --
> coincidentally using a $GENERATE much like below.
>
> dig with the +trace shows this delegation top-down from . thru ns1-wp and
> ns2-wp.voinetworks.net and finally dns.skullspace.ca and dns.nepharia.org.
>
> # dig -x 206.220.196.50 +trace
>
> ; <<>> DiG 9.8.4-P2 <<>> -x 206.220.196.50 +trace
> ;; global options: +cmd
> .                       275501  IN      NS      a.root-servers.net.
> .                       275501  IN      NS      e.root-servers.net.
> .                       275501  IN      NS      g.root-servers.net.
> .                       275501  IN      NS      l.root-servers.net.
> .                       275501  IN      NS      m.root-servers.net.
> .                       275501  IN      NS      h.root-servers.net.
> .                       275501  IN      NS      j.root-servers.net.
> .                       275501  IN      NS      f.root-servers.net.
> .                       275501  IN      NS      k.root-servers.net.
> .                       275501  IN      NS      b.root-servers.net.
> .                       275501  IN      NS      i.root-servers.net.
> .                       275501  IN      NS      c.root-servers.net.
> .                       275501  IN      NS      d.root-servers.net.
> ;; Received 512 bytes from 206.220.196.254#53(206.220.196.254) in 879 ms
>
> in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
> in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.
> in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.
> in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.
> in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
> in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
> ;; Received 421 bytes from 192.5.5.241#53(192.5.5.241) in 684 ms
>
> 206.in-addr.arpa.       86400   IN      NS      r.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      t.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      u.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      v.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      w.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      x.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      y.arin.net.
> 206.in-addr.arpa.       86400   IN      NS      z.arin.net.
> ;; Received 181 bytes from 199.253.183.183#53(199.253.183.183) in 93 ms
>
> 196.220.206.in-addr.arpa. 86400 IN      NS      ns-wp2.voinetworks.net.
> 196.220.206.in-addr.arpa. 86400 IN      NS      ns-wp1.voinetworks.net.
> ;; Received 102 bytes from 192.42.93.32#53(192.42.93.32) in 53 ms
>
> 50.196.220.206.in-addr.arpa. 3600 IN    NS      dns.skullspace.ca.
> 50.196.220.206.in-addr.arpa. 3600 IN    NS      dns.nepharia.org.
> ;; Received 106 bytes from 206.220.196.222#53(206.220.196.222) in 36 ms
>
> 50.196.220.206.in-addr.arpa. 60 IN      PTR     unnamed.skullspace.ca.
> 196.220.206.in-addr.arpa. 60    IN      NS      dns.nepharia.org.
> 196.220.206.in-addr.arpa. 60    IN      NS      dns.skullspace.ca.
> ;; Received 160 bytes from 206.220.196.53#53(206.220.196.53) in 2 ms
>
>
> Not to go overly anal on the RFCs and whatnot :-) (RFC1035, RFC1912
> section 2.1) .. but hosts really should have a matching forward DNS record.
> It's better to have no PTR than to have a PTR with no matching A -- it
> causes loud messages like this in many services (ssh, smtp, etc).
>
> If having PTRs on every IP is really important (let's be honest :-), it
> looks nice), $GENERATE in BIND can be really handy to make multiple
> (contiguous) unique PTRs and their associated matching A's.
>
> ex:
> in-addr.arpa zone(s)
> $GENERATE 2-64 $ IN PTR    h$-193-220-206.skullspace.ca.
>
> skullspace.ca zone
> $GENERATE 2-64  h$-193-220-206.skullspace.ca.  IN A  206.220.193.$
>
> --
> Theo
>
>
> On Feb 13, 2014, at 12:05 PM, Alex Weber <[email protected]> wrote:
>
> > Oh, I thought VOI was in control of our PTR records. My bad!
> >
> > On Thu, Feb 13, 2014 at 11:35:01AM -0600, Mak Kolybabi wrote:
> >> On 2014-02-13 11:34, Kevin wrote:
> >>> Feb 11 21:49:20 zimbra sshd[27844]: reverse mapping checking getaddrinfo for unnamed.skullspace.ca [206.220.196.50] failed - POSSIBLE BREAK-IN ATTEMPT!
> >>>
> >>> Shouldn't there be a DNS entry for our IP addresses PTR record?
> >>
> >> That is the PTR record, literally 'unnamed.skullspace.ca'.
> >> Server owners that have static IPs and ask me to set them have custom PTR records.
> >> Everything else is 'unnamed'.
> >>
> >> --
> >> Mak Kolybabi
> >> <[email protected]>
> >>
> >> _______________________________________________
> >> SkullSpace Discuss Mailing List
> >> Help: http://www.skullspace.ca/wiki/index.php/Mailing_List#Discuss
> >> Archive: https://groups.google.com/group/skullspace-discuss-archive/
>
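The PTR/A consistency Theo describes in the quoted message, checked offline against his two $GENERATE lines. This is an added example, not part of the original thread; the reverse-zone origin `193.220.206.in-addr.arpa.` is an assumption inferred from the addresses in the A line, and only the plain `$` form of $GENERATE is handled.

```python
import ipaddress
import re

GEN = re.compile(r"\$GENERATE\s+(\d+)-(\d+)\s+(\S+)\s+(?:IN\s+)?(PTR|A)\s+(\S+)$")

def expand_generate(line, origin):
    """Expand a BIND $GENERATE line (plain '$' only; no step or ${offset,width,base})."""
    m = GEN.match(line.strip())
    if not m:
        raise ValueError("unsupported $GENERATE line: " + line)
    start, stop, lhs, rtype, rhs = m.groups()
    records = []
    for i in range(int(start), int(stop) + 1):
        owner = lhs.replace("$", str(i))
        if not owner.endswith("."):
            owner += "." + origin  # relative owner names are completed with the zone origin
        records.append((owner.lower(), rtype, rhs.replace("$", str(i)).lower()))
    return records

def reverse_name_to_ip(owner):
    """'2.193.220.206.in-addr.arpa.' -> '206.220.193.2'"""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 reverse name: " + owner)
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

def fcrdns_mismatches(ptr_records, a_records):
    """Return (ip, ptr_target) pairs whose target has no A record back to that ip."""
    forward = {}
    for owner, _, addr in a_records:
        forward.setdefault(owner, set()).add(addr)
    return [(reverse_name_to_ip(owner), target)
            for owner, _, target in ptr_records
            if reverse_name_to_ip(owner) not in forward.get(target, set())]

# The two $GENERATE lines from the message; the reverse-zone origin is an assumption
# inferred from the 206.220.193.$ addresses in the A line.
PTRS = expand_generate("$GENERATE 2-64 $ IN PTR    h$-193-220-206.skullspace.ca.",
                       "193.220.206.in-addr.arpa.")
ADDRS = expand_generate("$GENERATE 2-64  h$-193-220-206.skullspace.ca.  IN A  206.220.193.$",
                        "skullspace.ca.")
# The PTR shown in the dig output; this data set holds no A record for its target.
UNNAMED = ("50.196.220.206.in-addr.arpa.", "PTR", "unnamed.skullspace.ca.")

if __name__ == "__main__":
    print(len(PTRS), "PTRs,", len(fcrdns_mismatches(PTRS, ADDRS)), "mismatches")
    print(fcrdns_mismatches(PTRS + [UNNAMED], ADDRS))
```

Run against real zone data, a non-empty result lists exactly the addresses that would trigger the sshd reverse-mapping warning quoted in the thread.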
