Re: Recognizing remote IP in shared connections

2017-03-01 Thread Alex Dupuy via bind-users
> for policy purposes, we need to know which remote site is resolving a BIND 
> 9.x public DNS server.
> The problem occurs when some carriers "share" the same IP address among 
> several customers and they surf behind a shared NAT.
> 
> Is there a way?

You could use DNS Cookies (https://tools.ietf.org/html/rfc7873) to identify 
different clients using the same IP address. However, this will not tell you 
their "remote site" or location or "real" IP address.

Furthermore, DNS Cookies support is very thin on the ground, and few clients 
have the ability to send them (even fewer will actually do so).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
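As an added example (not code from this post, from ISC or from BIND), here is the cookie exchange Alex refers to, written with the Python standard library only: a client query carrying an 8-byte client cookie in an EDNS COOKIE option, a server that answers with a server cookie bound to the source address it saw, and the bookkeeping that tells two querying stubs apart behind one NAT address. The server cookie is HMAC-SHA256 truncated to 64 bits over client cookie and source address, one of the constructions RFC 7873 Appendix B lists; that choice, the NAT address 203.0.113.5, the secret and the fixed client cookies are this example's assumptions. It also shows the limit Alex states: the server learns that two cookies differ, not who or where the clients are, and a cookie presented from a different address simply stops validating.

```python
"""DNS Cookie (RFC 7873) round trip, standard library only (added example)."""
import hashlib
import hmac
import ipaddress
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type
COOKIE_OPTION = 10   # EDNS option code assigned to DNS Cookies


def _encode_name(name):
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _skip_name(msg, off):
    """Offset just past the wire-format name at `off`; a compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _opt_rr(cookie_data):
    """OPT RR (name '.', UDP size 4096, no flags) carrying one COOKIE option."""
    rdata = struct.pack("!HH", COOKIE_OPTION, len(cookie_data)) + cookie_data
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata


def build_query(qname, cookie_data, txid=0x1234):
    """A/IN query with RD set; cookie_data is the 8-byte client cookie, optionally + server cookie."""
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1) + question + _opt_rr(cookie_data)


def extract_cookie(msg):
    """Return (client_cookie, server_cookie or None) from the OPT RR, or None if no cookie."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == COOKIE_OPTION and (len(data) == 8 or 16 <= len(data) <= 40):
                return data[:8], (data[8:] or None)
    return None


def server_cookie(client_cookie, client_ip, secret):
    """HMAC-SHA256 truncated to 64 bits over client cookie || source address, keyed by a
    server secret: one construction RFC 7873 Appendix B lists, assumed here, not BIND's own."""
    packed_ip = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + packed_ip, hashlib.sha256).digest()[:8]


class CookieServer:
    def __init__(self, secret):
        self.secret = secret
        self.seen = {}   # (source address, client cookie) -> number of queries

    def handle(self, query, src_ip):
        """Return (response bytes, did the presented server cookie validate?)."""
        cookie = extract_cookie(query)
        client_cookie, presented = cookie if cookie else (None, None)
        key = (src_ip, client_cookie)
        self.seen[key] = self.seen.get(key, 0) + 1
        if client_cookie is None:
            return None, False                 # no cookie: the source address is all we get
        expected = server_cookie(client_cookie, src_ip, self.secret)
        valid = presented is not None and hmac.compare_digest(presented, expected)
        txid = struct.unpack_from("!H", query)[0]
        question = query[12:_skip_name(query, 12) + 4]
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 1)   # QR, RD, RA; no answer RRs
        return header + question + _opt_rr(client_cookie + expected), valid


def demo():
    server = CookieServer(b"constructed-server-secret")
    nat_ip = "203.0.113.5"                      # constructed carrier-grade NAT address
    alice, bob = b"\x01" * 8, b"\x02" * 8       # real stubs pick 8 random bytes per server
    # Alice's first query carries only her client cookie; the answer hands back a server cookie.
    resp, first = server.handle(build_query("example.com.", alice), nat_ip)
    _, srv = extract_cookie(resp)
    # Her next query presents the full cookie, which validates for her source address.
    _, repeat = server.handle(build_query("example.com.", alice + srv), nat_ip)
    # Bob sits behind the same NAT address but has his own client cookie.
    _, bob_first = server.handle(build_query("example.com.", bob), nat_ip)
    # The same full cookie arriving from another address no longer validates.
    _, moved = server.handle(build_query("example.com.", alice + srv), "198.51.100.9")
    behind_nat = {c for ip, c in server.seen if ip == nat_ip}
    return {"first": first, "repeat": repeat, "bob_first": bob_first, "moved": moved,
            "distinct_clients_behind_nat": len(behind_nat)}
```

Calling `demo()` walks the four queries and reports two distinct clients behind the NAT address. The cookie is chosen by the client, so it is an opaque per-stub tag rather than an identity: the client can change it at will, and a forwarding resolver in the path presents its own cookie to you, never those of the users behind it.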


Re: Recognizing remote IP in shared connections

2017-02-28 Thread Matus UHLAR - fantomas

On 28.02.17 14:35, Job wrote:

for policy purposes, we need to know which remote site is resolving a BIND 
9.x public DNS server.
The problem occurs when some carriers "share" the same IP address among several 
customers and they surf behind a shared NAT.

Is there a way? Perhaps with DNSCrypt or DNSSEC?


Not with DNSSEC. You can configure the DNS client and DNS server to communicate
using encryption (and thus verify each other), but in such a case a VPN is
much better for achieving whatever you want.

Otherwise, you cannot do that. DNS servers don't give* information about the
clients they are forwarding for. Neither do DNS clients say that.


Also, since the DNS uses caching, an answer provided to a remote client would
be provided to multiple DNS clients accessing the cache.

*To be more precise, there IS an extension to indicate the client subnet, but
 it's not usable for this purpose.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe. 


Re: Recognizing remote IP in shared connections

2017-02-28 Thread G.W. Haywood

Hi there,

On Tue, 28 Feb 2017, Job wrote:


for policy purposes, we need to know which remote site is resolving a BIND 
9.x public DNS server.
The problem occurs when some carriers "share" the same IP address among several 
customers and they surf behind a shared NAT.


Sounds like a trial.


Is there a way? Perhaps with DNSCrypt or DNSSEC?


IPv6?

--

73,
Ged.


Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
Sorry, let me just add a comment to the previous mail.


If whoever makes the query uses a DNS forwarding system (such as using the ISP 
DNS as forwarders or as the direct resolver), you'll only see the ISP DNS on the 
last forwarding hop.




From: bind-users  on behalf of Job 

Sent: Tuesday, February 28, 2017 2:35 PM
To: bind-users@lists.isc.org
Subject: Recognizing remote IP in shared connections

Hi,

for policy purposes, we need to know which remote site is resolving a BIND 
9.x public DNS server.
The problem occurs when some carriers "share" the same IP address among several 
customers and they surf behind a shared NAT.

Is there a way? Perhaps with DNSCrypt or DNSSEC?

Thank you!
/F

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
Hi, let me say that what you say is a bit strange. If you mean a many-to-1 
NAT, it can't be reached in the reverse direction; the "many" can only go out 
and receive reply packets for an established session or a related UDP packet.


If you mean, for example, an application server that gives different web 
content as output by reading the name after the domain name, that is possible, 
but it is always one server and not many-to-1.


If you mean that several nets are shared behind one single IP address (NAT), 
no, you can only know the IP of the application or appliance that performs the 
NAT. You can't know the MAC or IP behind a NAT (NAT is also a routing action 
that encapsulates the IP packet inside another IEEE 802.2 packet with the MAC 
address of whoever performs the NAT (external interface)).


Over and above that, in all cases BIND can log QUERIES; check CHANNELS for the 
LOG action in the BIND documentation.


You can log DNS queries, but it is such a large log file (like network 
accounting) that it can't be kept live for "too much".



Alberto Colosi

IT NetWork & Security Architect Engineer




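Added example (not from Alberto's post, from ISC or from BIND): what the query log Alberto points to actually gives you once you aggregate it. The log lines below are constructed in the shape BIND 9 writes to the `queries` category with print-time, print-category and print-severity enabled; the optional `@0x...` token is the client pointer newer 9.x releases print, and reading the `E` flag letter as "EDNS present" is this example's assumption, as are the addresses and names. Grouping by source address shows the problem from the original question: everything behind the carrier NAT 203.0.113.5 lands in one bucket, and the only per-query detail left is the NAT's ephemeral source port, which is reassigned freely and identifies nobody.

```python
"""Aggregate BIND query-log lines per client address (added example, stdlib only)."""
import re
from collections import defaultdict

# One 'queries' category line as BIND 9 prints it with print-time, print-category
# and print-severity on. The optional '@0x...' token is the client-object pointer
# that newer 9.x releases add (assumed format for this example).
QUERY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+) \((?P<local>[^)]*)\)$"
)


def parse_query_line(line):
    """Return the fields of one query-log line as a dict, or None for any other log line."""
    m = QUERY_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    fields["edns"] = "E" in fields["flags"]   # assumption: 'E' marks an EDNS query
    return fields


def summarize(lines):
    """Group queries by source address: the only client identity the log carries."""
    per_ip = defaultdict(lambda: {"queries": 0, "ports": set(), "names": set()})
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            continue                     # lines from other categories are skipped
        bucket = per_ip[q["ip"]]
        bucket["queries"] += 1
        bucket["ports"].add(q["port"])
        bucket["names"].add(q["name"])
    return dict(per_ip)


# Constructed sample: two customers behind the NAT address 203.0.113.5, one
# host with its own address 198.51.100.9, and one unrelated 'general' line.
SAMPLE_LOG = """\
28-Feb-2017 14:35:01.123 queries: info: client 203.0.113.5#51234 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
28-Feb-2017 14:35:01.456 queries: info: client 203.0.113.5#40123 (mail.example.net): query: mail.example.net IN MX + (192.0.2.1)
28-Feb-2017 14:35:02.001 queries: info: client @0x7f2a3c0b1ef0 203.0.113.5#51234 (www.example.com): query: www.example.com IN AAAA +E (192.0.2.1)
28-Feb-2017 14:35:02.777 queries: info: client 198.51.100.9#53000 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
28-Feb-2017 14:35:03.000 general: info: received control channel command 'stats'
"""


def demo():
    """Summary of the constructed sample: one bucket per address, nothing finer."""
    return summarize(SAMPLE_LOG.splitlines())
```

`demo()` returns one entry for 203.0.113.5 holding all three queries from both customers and one entry for 198.51.100.9; nothing in the line tells the two NAT users apart, which is the limit Alberto and Matus describe.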