Date: Thu, 22 Mar 2018 17:02:33 +0300
From: Alexandre Snarskii
To: "Ronald F. Guilmette"
Cc: FreeBSD Net
Subject: Re: Same host or different? How can you tell "over the wire"?
Message-ID: <20180322140233.GA79266@staff.retn.net>
In-Reply-To: <4903.1521667183@segfault.tristatelogic.com>

On Wed, Mar 21, 2018 at 02:19:43PM -0700, Ronald F. Guilmette wrote:
[...]
> P.S. It is my assumption that the kind of thing I'm looking for, if
> it exists at all, will be found somewhere below the application layer.
> I do not rule out however that there may be some way of differentiating
> the two cases described above by looking at application layer responses
> for some certain common applications. As far as I know however, it is
> not possible to make the desired differentiation on the basis of
> application layer responses for most typical network applications,
> e.g. various makes and model numbers of servers for HTTP, HTTPS,
> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
> and if there is in fact a way to differentiate the two cases on the
> basis of responses sent for any of these application protocols, then
> I sure would like to know about that too.

DNS: if both A and A' are running open recursive DNS servers (bad idea in
modern internet, but..) it's possible to use the TTL field to differentiate.
Scenario: create some DNS record with a good enough TTL of one hour.
Ask A about this record, get an answer with TTL = 3600. Wait for ten seconds,
then ask A' about the same record. If the received TTL is about 3590 - it's
really likely that A and A' are the same host.
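
The TTL comparison described in the reply, as an added example that is not part of the original message: it turns each answer into an absolute cache-expiry time (arrival time plus remaining TTL), so two answers served from one cache agree no matter how long the wait was. The names `Observation`, `cache_expiry`, `compare` and the 2-second tolerance are assumptions, and the sample answers and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Observation:
    """One answer from a recursive resolver for the probe record."""
    address: str     # resolver that was queried
    asked_at: float  # local clock, in seconds, when the answer arrived
    ttl: int         # remaining TTL reported in the answer


def cache_expiry(obs: Observation) -> float:
    """Absolute time at which the resolver's cached copy runs out."""
    return obs.asked_at + obs.ttl


def compare(first: Observation, second: Observation,
            tolerance: float = 2.0) -> str:
    """Return 'shared-cache', 'separate-cache' or 'inconclusive'.

    tolerance absorbs network delay and whole-second TTL rounding.
    """
    delay = second.asked_at - first.asked_at
    # Too short a wait: a fresh fetch and a cached copy look alike.
    # Too long a wait: the first copy expired, so even a single cache
    # would have fetched the record again.
    if delay <= 2 * tolerance or delay >= first.ttl:
        return "inconclusive"
    drift = abs(cache_expiry(first) - cache_expiry(second))
    # A match means one cache answered both queries. Two front ends
    # forwarding to a common upstream cache would look the same.
    return "shared-cache" if drift <= tolerance else "separate-cache"


# Constructed sample answers (documentation addresses, record TTL 3600).
A = Observation("192.0.2.1", asked_at=0.0, ttl=3600)
A_PRIME_SAME = Observation("192.0.2.2", asked_at=10.0, ttl=3590)
A_PRIME_OTHER = Observation("192.0.2.2", asked_at=10.0, ttl=3600)
A_PRIME_EARLY = Observation("192.0.2.2", asked_at=1.0, ttl=3599)

if __name__ == "__main__":
    for label, obs in (("ttl 3590 after 10 s", A_PRIME_SAME),
                       ("ttl 3600 after 10 s", A_PRIME_OTHER),
                       ("ttl 3599 after 1 s", A_PRIME_EARLY)):
        print(label, "->", compare(A, obs))
```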