From owner-freebsd-net@freebsd.org Thu Mar 22 17:37:42 2018
Return-Path:
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7D14CF5A211 for ; Thu, 22 Mar 2018 17:37:42 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 0FF5F812FD for ; Thu, 22 Mar 2018 17:37:41 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 2D5D73AE87 for ; Thu, 22 Mar 2018 10:37:41 -0700 (PDT)
From: "Ronald F. Guilmette"
To: FreeBSD Net
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <20180322140233.GA79266@staff.retn.net>
Date: Thu, 22 Mar 2018 10:37:41 -0700
Message-ID: <9803.1521740261@segfault.tristatelogic.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 22 Mar 2018 17:37:42 -0000

In message <20180322140233.GA79266@staff.retn.net>, Alexandre Snarskii wrote:

>DNS: if both A and A' running open recursive DNS servers (bad idea in
>modern internet, but..) it's possible to use TTL field to differentiate.
>Scenario: create some DNS record with good enough TTL of one hour. Ask A
>about this record, get answer with TTL = 3600. Wait for ten seconds, then
>ask A' about the same record. If received TTL is about 3590 - it's really
>likely that A and A' is the same host.

Thank you! Yes. This, and checking the SSH key, seem to both be very promising solutions to the problem. I will be investigating and trying both, to try to establish how well they might work in practice.
It will be great if both work, because some bad actors will be running SSH (on a known or findable port) and others won't be. And likewise, some bad actors will be running their own name servers and others won't be. So it will be Good to have several tools in the toolbox.
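The TTL-differential check Alexandre describes above, worked through as an added example; this is not code from the thread, from FreeBSD, or from either poster. Given the TTL each resolver reported for the same freshly created record and the time each answer arrived, it says whether the second answer is consistent with a cache shared with the first, and it also covers the cases the quoted description leaves implicit: the second resolver answering with a full TTL (it fetched the record itself), the record having already expired, and the two queries being too close together to tell anything. The Observation class, classify() and the verdict strings are names chosen here, and every timestamp and TTL value is constructed, not measured.

```python
"""Decide whether two open recursive resolvers look like one shared cache,
from the remaining TTL each reports for the same record.

Added example for the freebsd-net thread; not code from the thread.
All observation values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHARED = "shared-cache"          # second answer is the first answer, aged
SEPARATE = "separate-caches"     # second resolver clearly has its own cache
INCONCLUSIVE = "inconclusive"    # the two samples cannot distinguish


@dataclass(frozen=True)
class Observation:
    """One answer from one resolver: when it arrived and the TTL it carried."""
    resolver: str   # label only, e.g. "A" or "A'"
    at: float       # Unix time the answer was received
    ttl: int        # TTL field of the answer RR, in seconds


def expected_ttl(first: Observation, later_at: float) -> int:
    """TTL a cache shared with `first` would report at time `later_at`."""
    return first.ttl - int(round(later_at - first.at))


def classify(first: Observation, second: Observation,
             authoritative_ttl: int, tolerance: int = 2) -> Tuple[str, Optional[int]]:
    """Compare a later answer against an earlier one.

    Returns (verdict, predicted_ttl). `tolerance` absorbs clock jitter and
    the integer-second granularity of the TTL countdown. predicted_ttl is
    None when the record would have expired from any cache before the
    second query, so nothing can be concluded from that pair of samples.
    """
    if second.at < first.at:
        raise ValueError("observations must be given in query order")
    elapsed = second.at - first.at
    if elapsed >= first.ttl:
        return INCONCLUSIVE, None
    predicted = expected_ttl(first, second.at)
    if elapsed <= tolerance:
        # Too soon: a fresh fetch and a shared copy would carry the same TTL.
        return INCONCLUSIVE, predicted
    if second.ttl >= authoritative_ttl:
        # A full TTL means the second resolver fetched the record itself;
        # it did not serve the first resolver's cached copy.
        return SEPARATE, predicted
    if abs(second.ttl - predicted) <= tolerance:
        return SHARED, predicted
    return SEPARATE, predicted


def run_demo() -> List[Tuple[str, Optional[int]]]:
    """Constructed scenarios: the 3600 -> 3590 case from the thread plus edge cases."""
    record_ttl = 3600
    a = Observation("A", at=1000.0, ttl=record_ttl)
    return [
        classify(a, Observation("A'", at=1010.0, ttl=3590), record_ttl),  # aged copy
        classify(a, Observation("A'", at=1010.0, ttl=3600), record_ttl),  # fresh fetch
        classify(a, Observation("A'", at=1010.0, ttl=3560), record_ttl),  # wrong age
        classify(a, Observation("A'", at=1001.0, ttl=3600), record_ttl),  # too soon
        classify(Observation("A", at=1000.0, ttl=30),
                 Observation("A'", at=1100.0, ttl=30), 30),               # expired
    ]


if __name__ == "__main__":
    for verdict, predicted in run_demo():
        print(f"{verdict:16} predicted_ttl={predicted}")
```

Two caveats worth keeping next to this check. A "shared-cache" verdict only says the two addresses reach the same cache: a resolver cluster behind a load balancer, or an anycast service, will give that verdict for front-ends that are distinct machines, and resolvers that cap or rewrite TTLs can produce "separate-caches" for what is really one host. Querying a name that nobody else would ask for (the freshly created record the quoted message suggests) keeps a third party from priming the cache between your two queries. Treat the result as one signal alongside the SSH host-key comparison mentioned in the message rather than as proof on its own.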