.arpa, rDNS and a few magical ICMP hacks
41 points by calvin
This is fun :-)
The reverse DNS has a messy history. Originally RFC 883 had a top-level IN-ADDR domain. That became IN-ADDR.ARPA in RFC 973 which lists a bunch of bug fixes.
Some pedantic notes:
Strictly speaking the target of a PTR record should be a host name, which is a domain name that obeys syntactic restrictions and which resolves to one or more A or AAAA records.
But you can put any DNS name in there, with any bytes you like, including emoji encoded with UTF-8 (you don’t have to use punycode if you are ignoring compatibility constraints). The footnote says they are limited by PowerDNS’s restrictions; other DNS servers let you put any old thing in a DNS name.
The textual zone file format is a standard specified in RFC 1035. It’s a mistake to blame BIND for the format (though djbdns and PowerDNS make that mistake).
The link about traceroute being a hack was previously discussed here.
The .int vs .arpa thing was awkward. It became clear that in-addr.arpa would never move to ip4.int, and that there was an awkward conflict in the making over who gets to choose names under .int, the UN or the IETF? So .int became purely for international treaty organizations and the IETF gets .arpa for itself.
One of the fun non-UN .int domains was tpc.int, which was used for an email-to-fax service. It used a horrible hacked version of BIND4 to convert phone numbers like 441223337733.iddd.tpc.int into little-endian delegatable form like …. 3.2.2.1.4.4.iddd.tpc.int. So it suffered from appalling technical debt, as well as spam, lack of volunteers running fax gateways, and the general decline of fax.
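To make the two pedantic points above concrete, here is an added example (my own code, not the commenter's): it builds the little-endian reverse owner name for an IPv4 or IPv6 address, the same delegatable form tpc.int borrowed for phone numbers, and applies the strict RFC 1123 host-name syntax that a PTR target is supposed to obey but that most servers will not enforce.

```python
import ipaddress
import re

# RFC 1123 host-name label: letters, digits, hyphens; no leading or trailing
# hyphen; 1 to 63 octets. Underscores and raw UTF-8 (emoji) fail this test.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def reverse_name(address: str) -> str:
    """Return the in-addr.arpa / ip6.arpa owner name for an IP address.

    Octets (IPv4) or nibbles (IPv6) are written least-significant first, so a
    /24 or a /48 can be delegated at a label boundary. Python's ipaddress
    module offers the same value as .reverse_pointer; this spells it out.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def is_host_name(name: str) -> bool:
    """Strict syntax check: may this PTR target be called a host name?

    Syntax only. A complete check would also resolve the name to A/AAAA
    records and confirm one of them is the reversed address (forward-
    confirmed reverse DNS), which needs a live resolver.
    """
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def check_ptr(address: str, target: str) -> dict:
    """Bundle both checks for one PTR record; a useful zone-audit primitive."""
    return {
        "owner": reverse_name(address),
        "target": target,
        "target_is_host_name": is_host_name(target),
    }


if __name__ == "__main__":
    # Constructed sample records, not from any real zone.
    for addr, tgt in [("192.0.2.10", "mail.example.com."),
                      ("2001:db8::1", "😀.example.")]:
        print(check_ptr(addr, tgt))
```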
This is great fun! I was just telling someone recently that one can fake ICMP hops, but I didn’t remember how. Now I can just send a link.
I’m looking forward to trying a few things with reverse zones myself :)
I use this technique [1] for running integration tests on GitHub CI (where external ICMP is blocked). The tests run a simulator as a TUN device which fakes ICMP responses for fake hosts based on pre-canned network configuration.
https://github.com/fujiapple852/trippy/tree/master/crates/trippy-core/tests/sim
[With Bug Bounty Hat On] Yes, please keep your reverse DNS neatly up to date to make it super easy to recon your network space and find out what you host. [/With Bug Bounty Hat On]
I recently wrote a tool to quickly reverse a whole CIDR. It does a /16 in a few minutes and pointing that tool at some organizations (with bug bounty programs of course) makes it extremely easy to map out what they host, where they host it, internal domains, software products they use, etc. A literal goldmine for bounty hunters.
It is better to assume that in-addr.arpa exists for historical reasons and is not touched anymore. Maybe just use it to up the score of your mail server or to give equipment in a traceroute a nice name. But other than that there are very few other legit reasons to expose details about your infrastructure.
Be careful :-)
I find certificate transparency abused a lot more for finding what is being hosted and where. Regardless, I’d much rather be open about what I’m running so I’ll get hit with an automatic begbounty if I forget to update, instead of finding out when someone starts digging through my network.
The post mentions that Cloudflare’s DDoS protection “is in fact just a global MitM attack” - can someone explain how and why this is the case?
I just tried adding a CNAME record with CF on my .arpa domain but it says “This hostname is not covered by a certificate.” When trying to add the .arpa domain to CF Pages it errored “its a part of banned domain”. Not really sure how you were able to get a cert but it’s indeed a very interesting read!