Why does pinging in Alpine always come back with dnsrsearch's IP? - alpine-linux

Pinging in the Alpine shell always gets a reply, for example:
ping junk_junnn
64 bytes from 198.105.244.228: seq=0 ttl=37 time=0.589 ms
64 bytes from 198.105.244.228: seq=1 ttl=37 time=1.428 ms
Is there a way to find out whether the given string is not a valid network resource, other than by getting a reply from dnrsearch.com?

This is not normal behaviour on Alpine Linux. It may be caused by some incorrect configuration of your system or network.
I encountered the same behaviour some time ago, but don't remember what the cause was.

You are pinging an unknown host, which is being forwarded out to your normal DNS resolver. An external DNS resolver is returning one of its own IPs for the unknown address.
This is normally done by your ISP, or sometimes by the company that hosts the top-level domain, to provide their own web site to direct web users somewhere (normally with paid ads/search).
Use Google's 8.8.8.8/8.8.4.4 DNS servers or someone like OpenDNS to avoid your resolver returning the false positives. There's not much you can do about TLDs doing this, other than running a custom DNS server.
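A check for the behaviour this answer describes, added here as an example (it is not code from the question or from either answer): resolve a few random labels that cannot exist. An honest resolver returns NXDOMAIN for all of them; a redirecting one answers every probe with the same sink address, which can then be recognised and discarded in later lookups. The address 198.105.244.228 comes from the question's ping output; `detect_nxdomain_hijack` and `checked_lookup` are my names, the two table-backed resolvers are constructed so the example runs offline, and `system_resolver` uses the machine's real stub resolver only when called explicitly.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a name to a sorted list of IPv4 strings, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

# The sink address quoted in the question; everything else below is constructed.
SINK_IP = "198.105.244.228"


def random_label(length: int = 12) -> str:
    """A nonsense bare label like the question's 'junk_junnn', e.g. 'kq3x9zpl2mwn'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_nxdomain_hijack(resolver: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Resolve several random names that cannot legitimately exist.

    An honest resolver returns NXDOMAIN (None) for every probe. A hijacking
    resolver answers all of them with the same sink address(es); that set is
    returned so callers can recognise and discard it later.
    """
    answers = [resolver(random_label()) for _ in range(probes)]
    if any(a is None for a in answers):
        return None
    first = answers[0]
    return first if all(a == first for a in answers[1:]) else None


def checked_lookup(name: str, resolver: Resolver, sink: Optional[List[str]]) -> Optional[List[str]]:
    """Look up `name`, but treat an answer made up only of sink addresses as NXDOMAIN."""
    addrs = resolver(name)
    if addrs is None:
        return None
    if sink and set(addrs) <= set(sink):
        return None
    return addrs


# --- constructed resolvers so the example runs offline ---------------------
KNOWN: Dict[str, List[str]] = {"localhost": ["127.0.0.1"]}


def honest_resolver(name: str) -> Optional[List[str]]:
    """Behaves like a resolver that returns NXDOMAIN for unknown names."""
    return KNOWN.get(name)


def hijacking_resolver(name: str) -> Optional[List[str]]:
    """Models the ISP/TLD redirect: every unknown name gets the sink IP."""
    return KNOWN.get(name, [SINK_IP])


def system_resolver(name: str) -> Optional[List[str]]:
    """The real stub resolver from /etc/resolv.conf; only used when called explicitly."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Swap in system_resolver to test the machine you are actually on.
    sink = detect_nxdomain_hijack(hijacking_resolver)
    print("hijack sink:", sink)
    print("junk_junnn ->", checked_lookup("junk_junnn", hijacking_resolver, sink))
```

Run it once with `system_resolver` on the Alpine box: a non-empty sink means the resolver in /etc/resolv.conf (or the search-domain's TLD) is answering for names that do not exist, which is what the ping output shows.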

Related

How to Confirm PostgreSQL on Ubuntu VM is communicating with External Server for Updates

I have an Ubuntu VM installed on a client's VMware system. Recently, the client's IT informed us that his firewall has been detecting consistent potential port scans to our VM's internal IP address (coming from 87.238.57.227). He asked if this was part of a known package update process on our VM.
He sent us a firewall output where we can see several instances of the port scan, but there are also instances of our Ubuntu VM trying to communicate back to the external server on port 37258 (this is dropped by the firewall).
Based on a Google lookup, the hostname of the external IP address is "feris.postgresql.org", with the ASN pointing to a European company called Redpill-Linpro. As far as I can tell, they offer IT consulting services, specializing in open source software (like PostgreSQL, which is installed on our VM). I have never heard of them before, though, and have no idea why our VM would be communicating with them or vice versa. I'm also not sure if I'm interpreting the IP lookup information correctly: https://ipinfo.io/87.238.57.227
I'm looking for a way to confirm or disprove that this is just our VM pinging for a standard Postgres update. If that's the case, I'd like to restrict this behaviour. We would prefer to do these types of updates manually and limit the communication outside of the VM to what is strictly necessary for the functionality of our application.
Update
I sent an email to Redpill's abuse account. They responded quickly saying that the server should not be port scanning anyone and if it appears that way, something is wrong.
The server is part of a cluster of machines that serves apt.postgresql.org among other Postgres download sites. I don't think we have anything like Ansible or Puppet installed that would automatically check for updates, but I will look into that to make sure. I'm wondering if Ubuntu reaching out to update the MOTD with the number of available packages would explain why our VM is trying to reach out to the external Postgres server?
The abuse rep said in any case there should only be outgoing connections from the VM, not incoming. He asked for some additional info so I will keep communicating with him and try to update this post accordingly
My communication with the client's IT dropped off so I did not get a definitive answer on this, but I'll provide some new details:
I reached out to the abuse email for Redpill-Linpro. He got back to me and confirmed the server corresponding to the detected IP address is part of a cluster that hosts postgres download sites, including apt.postgresql.org. He was surprised to learn we had detected a port scan from their server and seems eager to figure out why that is happening.
He asked if the client IT could pass along some necessary info for them to set up tracking on that server. But the client IT never got back to me. I think he was satisfied that it wasn't malicious and stopped pursuing it.
Here's one of the messages the abuse rep sent me that may be relevant:
That does look a lot like the TCP to the apt download server, yes. It's strange that your firewall reports that many incoming connections, but they could be fallout from some connection tracking that's not operating as intended. The timing appears to be matching up more or less perfectly. And there should definitely not be any ping-back connections from it.
Since you appear to be using the http version of the server (and not https), bringing the data in cleartext, they should be able to just dump the TCP connection contents and verify exactly what it does. But I bet they are going to see a number of http requests initiated by the apt client that is checking for updates.
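A triage script for the situation in this post, added as an example (it is not something from the question or from the abuse contact): it lists the hosts apt will contact according to a sources.list and sorts firewall log lines into the VM's own HTTP connections, the mirror's replies to them, and anything that still needs explaining. The address 87.238.57.227 and the port 37258 detail come from the question; the VM address 192.168.10.20, the sources.list content and the ufw-style log lines are constructed, and the function names are mine. The `flags != {"SYN"}` test encodes the abuse contact's point: return traffic from the mirror's port 80 to the VM's ephemeral port is not a scan, while a bare SYN from the mirror would be.

```python
import re
from collections import Counter
from typing import List, Set
from urllib.parse import urlparse

# Mirror address named in the question; the VM address is hypothetical.
VM_IP = "192.168.10.20"
MIRROR_IP = "87.238.57.227"

# Constructed sources.list content in the format apt reads.
SOURCES = """\
deb http://archive.ubuntu.com/ubuntu focal main
# deb-src lines are not fetched unless enabled
deb http://apt.postgresql.org/pub/repos/apt focal-pgdg main
"""

# Constructed firewall lines in ufw/iptables LOG style. The fourth line (VM -> mirror
# on a high port) mirrors the unexplained 37258 entries the question mentions.
FIREWALL_LOG = [
    "[UFW ALLOW] IN= OUT=eth0 SRC=192.168.10.20 DST=87.238.57.227 PROTO=TCP SPT=49231 DPT=80 SYN URGP=0",
    "[UFW BLOCK] IN=eth0 OUT= SRC=87.238.57.227 DST=192.168.10.20 PROTO=TCP SPT=80 DPT=49231 ACK SYN URGP=0",
    "[UFW BLOCK] IN=eth0 OUT= SRC=87.238.57.227 DST=192.168.10.20 PROTO=TCP SPT=80 DPT=49232 ACK PSH URGP=0",
    "[UFW BLOCK] IN= OUT=eth0 SRC=192.168.10.20 DST=87.238.57.227 PROTO=TCP SPT=51000 DPT=37258 SYN URGP=0",
    "[UFW BLOCK] IN=eth0 OUT= SRC=87.238.57.227 DST=192.168.10.20 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def apt_hosts(sources_text: str) -> Set[str]:
    """Hostnames apt will contact, taken from active deb/deb-src lines."""
    hosts: Set[str] = set()
    for line in sources_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("deb", "deb-src"):
            # skip option blocks like [arch=amd64]; the URL is the first token with '://'
            url = next((p for p in parts[1:] if "://" in p), None)
            host = urlparse(url).hostname if url else None
            if host:
                hosts.add(host)
    return hosts


def parse_log_line(line: str) -> dict:
    """Pull KEY=value fields and the bare TCP flag tokens out of one log line."""
    entry = dict(KV_RE.findall(line))
    entry["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return entry


def classify(entry: dict, vm_ip: str, mirror_ip: str) -> str:
    """Decide whether a flow is the VM's own HTTP traffic, the mirror's reply to it,
    or something that genuinely needs explaining."""
    src, dst = entry.get("SRC"), entry.get("DST")
    spt = int(entry.get("SPT") or 0)
    dpt = int(entry.get("DPT") or 0)
    flags = entry["flags"]
    if src == vm_ip and dst == mirror_ip:
        return "outbound_http" if dpt in (80, 443) else "outbound_other"
    if src == mirror_ip and dst == vm_ip:
        # Return traffic comes from the mirror's HTTP port to the VM's ephemeral port
        # and is never a bare SYN; a bare SYN from the mirror would be a real probe.
        if spt in (80, 443) and dpt >= 1024 and flags != {"SYN"}:
            return "reply_to_outbound_http"
        return "unsolicited_inbound"
    return "unrelated"


def triage(lines: List[str], vm_ip: str, mirror_ip: str) -> Counter:
    """Count each flow category over a batch of log lines."""
    return Counter(classify(parse_log_line(line), vm_ip, mirror_ip) for line in lines)


if __name__ == "__main__":
    print("apt hosts:", sorted(apt_hosts(SOURCES)))
    for kind, n in sorted(triage(FIREWALL_LOG, VM_IP, MIRROR_IP).items()):
        print(f"{kind:24s} {n}")
```

Anything in `outbound_other` or `unsolicited_inbound` is what to take back to the abuse contact with a packet capture; `reply_to_outbound_http` lines are the firewall logging the tail of the VM's own apt connections.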

.gethostbyaddr() does not work on all devices. Why? (Python)

I wrote a script that goes through all local IPs in the '0' network (192.168.0.*).
I use a loop with socket.gethostbyaddr(ip_modified_by_the_loop_each_time).
The loop returns me the hostnames of 3 devices.
Now, I found that it does not find 4 devices (at least).
It does find my Windows laptop, but not my Android phone. It does find one MacBook, but not the iMac, and not the other MacBook. It also does not find any phone.
I know that all the devices are online and have an IPv4 address.
I can ping them very well; they respond just fine. But when I use socket.gethostbyaddr(ip_modified_by_the_loop_each_time) it throws an error.
I used a try:/except: statement to get around the error, but it still cannot find my phone by IP and get the hostname, although I know it is there.
I am using Python 3.3.
Why is that happening, and how do I fix it?
Thank you.
gethostbyaddr tries to find out the hostname for a given IP address by using either locally stored information (i.e. /etc/hosts) or a reverse DNS lookup. The result does not depend on whether the host is online or not; it only depends on the availability of this information.
And this information cannot be trusted either. For example, the DNS operator of a domain could add the following records:
test.example.com A public.ip.of.test
public.ip.of.test PTR localhost.
In this case a lookup (gethostbyname) of test.example.com would return the IP address of this host, while a reverse lookup (gethostbyaddr) would claim that the hostname is localhost. And if the PTR record were missing, gethostbyaddr would fail even if the host is online.
See also Wikipedia: reverse DNS lookup.
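The answer's PTR example, carried through as forward-confirmed reverse DNS (FCrDNS) in an added example that is not part of the question or the answer: the name a PTR gives back is trusted only if resolving it forward yields the original address. The tables use 203.0.113.10 in place of "public.ip.of.test", add a host whose PTR names something with no A record and one with no PTR at all, and are constructed so the example runs offline; `classify_ptr`, `fcrdns` and `sweep` are my names, and `system_ptr`/`system_a` wrap the real socket calls for use on a live network.

```python
import socket
from typing import Callable, Dict, List, Optional

PtrLookup = Callable[[str], Optional[str]]       # ip -> PTR name, None if there is no PTR
ALookup = Callable[[str], Optional[List[str]]]   # name -> IPv4 list, None if NXDOMAIN

# Constructed zone data reproducing the answer's example (203.0.113.10 stands in
# for "public.ip.of.test"), plus a consistent host and a host with no PTR at all.
FORWARD: Dict[str, List[str]] = {
    "test.example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
    "www.example.com": ["203.0.113.40"],
}
REVERSE: Dict[str, str] = {
    "203.0.113.10": "localhost",          # the misleading PTR from the answer
    "203.0.113.20": "mail.example.com",   # PTR whose name has no A record
    "203.0.113.40": "www.example.com",    # consistent forward/reverse pair
    # 203.0.113.30 deliberately has no PTR, like the phones in the question
}


def table_ptr(ip: str) -> Optional[str]:
    return REVERSE.get(ip)


def table_a(name: str) -> Optional[List[str]]:
    return FORWARD.get(name)


def system_ptr(ip: str) -> Optional[str]:
    """What socket.gethostbyaddr gives you, with its failure turned into None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name: str) -> Optional[List[str]]:
    """Forward lookup via the system resolver, None on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify_ptr(ip: str, ptr: PtrLookup, a: ALookup) -> str:
    """'no_ptr' when the reverse lookup fails (the question's silent devices),
    'unconfirmed' when the PTR name does not resolve back to ip,
    'confirmed' only when forward and reverse agree (FCrDNS)."""
    name = ptr(ip)
    if name is None:
        return "no_ptr"
    return "confirmed" if ip in (a(name) or []) else "unconfirmed"


def fcrdns(ip: str, ptr: PtrLookup = table_ptr, a: ALookup = table_a) -> Optional[str]:
    """Return the PTR name only if it is forward-confirmed, else None."""
    name = ptr(ip)
    if name is not None and ip in (a(name) or []):
        return name
    return None


def sweep(prefix: str, ptr: PtrLookup = table_ptr, a: ALookup = table_a) -> Dict[str, str]:
    """The question's /24 loop, but recording why each address had no trusted name."""
    return {f"{prefix}.{n}": classify_ptr(f"{prefix}.{n}", ptr, a) for n in range(1, 255)}


if __name__ == "__main__":
    # Pass system_ptr and system_a instead of the tables to run this on a real LAN.
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(ip, classify_ptr(ip, table_ptr, table_a), fcrdns(ip))
```

On a home network the phones and Macs usually land in `no_ptr` because nothing publishes PTR records for them; a name that comes back `unconfirmed` should not be logged or displayed as if it identified the device.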

Turning PC Into A Server

Sorry if I have this in the wrong community but I'm hoping one of you can help me out anyway.
I have a web hosting account with a UK company who I'm happy with, but I'd like to set up a little hosting account from my laptop, just to see if it's possible and easy enough to do really.
Trouble is, I've been doing a lot of research online but coming up empty when it comes to more of a "complete guide". Do any of you know of a good resource for setting up a home server for publishing "live" websites with custom TLD domain names? I have a localhost server running and files hosted on there, but I'm really looking for help with the IP and DNS parts for the custom domains.
For reference, I have a machine running Win7, Appserv 2.5.10, UK broadband and a .co.uk domain name registered with 123-reg.
Any help would be hugely appreciated.
You'll need to:
Point your domain to your laptop.
If you get static public IP address from your ISP, then you can just point the A record to this IP address.
Where do I set this A record? Almost all domain registrars give you a nameserver for free. You point your domain to their nameservers (generally ns1.somedomain.com and ns2.samedomain.com etc.). In the nameserver config, create an A (stands for authoritative) record and put in your static IP address.
What if my ISP doesn't give me a static IP address? This is where services like DynDNS come into the picture. They give you an agent that you install on your laptop; it detects the change in IP address and automatically updates the nameservers accordingly. There are some free variants of DynDNS as well if you don't want to spend money on this.
But my laptop's IP address is something like 192.168.x.x and my site runs on localhost (127.0.0.1)? Your laptop is most likely NATed. Think of your public IP address as that of your router. You will need to forward any connection coming to your router on port 80 or 443 to your laptop's (192.168.x.x) corresponding ports. This is called port forwarding and all routers support it. Port forwarding is done by logging on to the admin interface of your router (often at http://192.168.0.1 or http://192.168.1.1).
But again, my application is accessible at localhost? You need to make sure your Apache/nginx listens on 0.0.0.0 or at least on the 192.168.x.x interface. This is how computers outside your laptop will be able to connect to your laptop on port 80/443.

Can my ip address be taken as spammer for using Net::DNS too much?

I have to check the validity of around 1 million email addresses. I don't care if the email is "deliverable", I just want to check that the structure is right and the domain exists. To accomplish this I'm using the Email::Valid module with the -mxcheck option, which uses the Net::DNS module as well, but I'm afraid of being taken as a spammer for using it too much (as happens with the nslookup utility). So, can this happen with the Net::DNS module?
Hope you can help me.
Regards
Net::DNS does the same thing as nslookup and other tools: it sends a DNS query to a DNS server and processes the reply. I don't know which DNS server you used with nslookup, but with both nslookup and Net::DNS you can specify the DNS server to use, and maybe you'll find a DNS server which does not consider your activity spamming. As an example you might try the DNS server provided by Google: 8.8.8.8.
Alternatively you can set up your own recursive DNS server on the local machine and let this server resolve all the queries and cache the results. When set up without a forwarder, the server will not use your ISP's DNS server to resolve the queries but will instead ask the DNS servers responsible for the specific domains.
In case you did not understand any of these recommendations, I would suggest having a look at how DNS works.
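A sketch of what this answer recommends, as an added example (not from the question, the answer, or the Email::Valid/Net::DNS modules) and in Python rather than Perl: the syntax check is done locally, one MX query is sent per distinct domain with the result cached, and queries are spaced by a rate limiter, so a million addresses turn into a few thousand lookups rather than a million. The `lookup` callable is where a real MX query would go (for example via dnspython); `CountingLookup` is a constructed table that also counts how many queries were sent, and the regex, class and function names are mine.

```python
import re
import time
from typing import Callable, Dict, List, Optional

# Deliberately conservative syntax check (constructed): dot-atom local part, FQDN domain.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDRESS_RE = re.compile(rf"^({_ATOM}(?:\.{_ATOM})*)@({_LABEL}(?:\.{_LABEL})+)$")

# domain -> MX hostnames; [] means the domain exists but has no MX, None means NXDOMAIN.
MxLookup = Callable[[str], Optional[List[str]]]


class RateLimiter:
    """Spaces queries to at most `rate` per second. clock/sleep are injectable for tests."""

    def __init__(self, rate: float, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / rate
        self.clock = clock
        self.sleep = sleep
        self.next_ok = clock()

    def acquire(self) -> None:
        wait = self.next_ok - self.clock()
        if wait > 0:
            self.sleep(wait)
            self.next_ok += self.interval
        else:
            self.next_ok = self.clock() + self.interval


class DomainChecker:
    """Syntax check first, then one MX query per distinct domain, rate limited and cached."""

    def __init__(self, lookup: MxLookup, limiter: RateLimiter):
        self.lookup = lookup
        self.limiter = limiter
        self.cache: Dict[str, bool] = {}

    def domain_ok(self, domain: str) -> bool:
        key = domain.lower().rstrip(".")     # DNS names are case-insensitive
        if key not in self.cache:
            self.limiter.acquire()
            mx = self.lookup(key)
            self.cache[key] = bool(mx)       # NXDOMAIN and "no MX" both count as invalid
        return self.cache[key]

    def check(self, address: str) -> bool:
        m = ADDRESS_RE.match(address)
        if not m:
            return False                     # rejected locally, no query sent
        return self.domain_ok(m.group(2))


class CountingLookup:
    """Constructed stand-in for a real MX query; records how often it is hit."""

    def __init__(self, table: Dict[str, List[str]]):
        self.table = table
        self.calls = 0

    def __call__(self, domain: str) -> Optional[List[str]]:
        self.calls += 1
        return self.table.get(domain)


def run_batch(addresses: List[str], lookup: MxLookup, rate: float = 20.0,
              clock=time.monotonic, sleep=time.sleep) -> List[bool]:
    """Validate a batch; returns one bool per address in input order."""
    checker = DomainChecker(lookup, RateLimiter(rate, clock, sleep))
    return [checker.check(a) for a in addresses]


if __name__ == "__main__":
    lookup = CountingLookup({"example.com": ["mail.example.com"], "nomx.example": []})
    batch = ["a@example.com", "b@example.com", "c@Example.com",
             "d@nomx.example", "bad@@example.com", "e@nxdomain.invalid"]
    print(run_batch(batch, lookup, sleep=lambda s: None))
    print("MX queries sent:", lookup.calls, "for", len(batch), "addresses")
```

Pointing the real lookup at a local recursive resolver, as the answer suggests, adds a second cache layer and keeps the query volume off the ISP's servers entirely; the rate limiter is still worth keeping so a burst of unique domains does not look like a flood to the authoritative servers.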

Get Azure public IP address from deployed app

I'm implementing PASV mode in an FTP server, and I send the client the IP address and port of the data endpoint. This is stupid because the IP is actually where the client is already connecting, so there are two options:
How could I get the public IP address from a given instance? Not the VIP, but the public one.
How could I get the original target IP address that the user used from a Socket object? Considering routers and load balancers in the middle :P
An answer to any of these questions would do, although there is another way that could work... may I get the public IP address by doing a DNS lookup of myapp.cloudapp.net?
A fourth option would be to use the Azure Management API library... but, too much trouble :P.
Cheers.
Not sure if you ever figured this out, but here's my take on it. The individual role instances are all behind the Windows Azure load balancer and have no idea what the original, outward-facing IP address is. Also, there's no Management API call that returns IP address - Get Deployment returns the URL but not the IP address. I think the only option is going to be a dns lookup.
Having said that: I don't think you can host a passive FTP server in your role instance (at least not elegantly). You may open up to 25 input endpoints on your role (up from 5; see my recent blog post about this update), but there's manual work involved in the configuration. I don't know if your FTP application lets you limit your port range to such a small number of ports. Also:
You'd have to define each port as its own input endpoint (this is the manual labor part I mentioned); input endpoints don't allow a port range to be specified, unlike the internal endpoints.
You'd have to specify the port number that's used internally, and the port numbers would need to be sequential.
One last thing on FTP: you should be able to host an SFTP server with no trouble, since all traffic comes through one port.
The hack that I'm contemplating right now is to retrieve http://www.icanhazip.com/. It isn't elegant and is subject to the availability of that service, but it gets the job done. A better solution would be appreciated!
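An added example around the PASV reply this thread is about (not code from the question, the answer, or Azure): formatting and parsing the 227 reply, choosing which address to advertise given the control socket's local and peer addresses plus an externally visible address (the DNS lookup of myapp.cloudapp.net mentioned above would supply it), and the EPSV reply from RFC 2428, which carries only a port and so sidesteps the problem entirely. The addresses are from the RFC 5737 documentation ranges and the function names are mine; the RFC 1918 list is spelled out because Python's ipaddress.is_private also treats those documentation ranges as private.

```python
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1918 plus loopback, spelled out rather than using ipaddress.is_private because
# the latter also treats documentation ranges like 198.51.100.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pasv_reply(ip: str, port: int) -> str:
    """RFC 959 227 reply: four address octets, then the port as high and low byte."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    h = str(ipaddress.IPv4Address(ip)).split(".")
    return f"227 Entering Passive Mode ({h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256})"


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Client-side inverse of pasv_reply, rejecting out-of-range octets."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def choose_advertised_ip(local_ip: str, peer_ip: str, public_ip: Optional[str]) -> str:
    """Pick the address to put in the 227 reply.

    local_ip is sock.getsockname()[0] on the control connection and peer_ip is
    sock.getpeername()[0]. Behind NAT or a load balancer local_ip is internal, so
    an external client must be given the externally visible address (public_ip,
    e.g. from a DNS lookup of the service name). If that is unknown, refuse rather
    than leak an internal address the client could not reach anyway.
    """
    if is_internal(peer_ip):
        return local_ip                 # client is inside; our own address works
    if not is_internal(local_ip):
        return local_ip                 # we sit directly on a public interface
    if public_ip is None:
        raise RuntimeError("behind NAT with no known public address; offer EPSV instead")
    return public_ip


def epsv_reply(port: int) -> str:
    """RFC 2428 extended passive reply: only the port is sent; the client reuses the
    address it already reached the control connection on, so no IP discovery is needed."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"229 Entering Extended Passive Mode (|||{port}|)"


if __name__ == "__main__":
    advertised = choose_advertised_ip("10.0.0.4", "198.51.100.7", "203.0.113.5")
    reply = pasv_reply(advertised, 50000)
    print(reply, "->", parse_pasv_reply(reply))
    print(epsv_reply(50000))
```

If the client supports EPSV (every modern one does), answering it avoids both the public-IP lookup and the leak of internal addressing; the PASV path above is only needed for legacy clients, and then the port in the reply still has to be one of the input endpoints the answer describes.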