On Wed, Mar 21, 2018 at 02:19:43PM -0700, Ronald F. Guilmette wrote:
[...]
> P.S. It is my assumption that the kind of thing I'm looking for, if
> it exists at all, will be found somewhere below the application layer.
> I do not rule out however that there may be some way of differentiating
> the two cases described above by looking at application layer responses
> for some certain common applications. As far as I know however, it is
> not possible to make the desired differentiation on the basis of
> application layer responses for most typical network applications,
> e.g. various makes and model numbers of servers for HTTP, HTTPS,
> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
> and if there is in fact a way to differentiate the two cases on the
> basis of responses sent for any of these application protocols, then
> I sure would like to know about that too.

DNS: if both A and A' are running open recursive DNS servers (bad idea in modern internet, but..) it's possible to use the TTL field to differentiate. Scenario: create some DNS record with a good enough TTL of one hour. Ask A about this record, get an answer with TTL = 3600. Wait for ten seconds, then ask A' about the same record. If the received TTL is about 3590 - it's really likely that A and A' are the same host.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
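
The TTL comparison described in the reply above, as an added example that is not part of the original message: it reads the answer TTL out of two raw DNS responses and classifies the pair. The record name probe.example, the 2-second tolerance, the verdict strings and all function names are assumptions made for this sketch, and the response bytes are constructed samples so it runs offline.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a DNS name that starts at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:             # root label ends the name
            return off
        off += n

def first_answer_ttl(msg):
    """TTL of the first answer record in a raw DNS response, or None."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return None            # not a response, error RCODE, or no answer
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    off = skip_name(msg, off)                  # owner name of the answer
    _rtype, _rclass, ttl = struct.unpack_from("!HHI", msg, off)
    return ttl

def compare(ttl_a, ttl_b, elapsed, record_ttl, tolerance=2):
    """Classify two TTL observations taken `elapsed` seconds apart."""
    if ttl_a is None or ttl_b is None or elapsed <= tolerance:
        return "inconclusive"  # too close together to tell aged from fresh
    if abs((ttl_a - elapsed) - ttl_b) <= tolerance:
        return "likely same cache"             # second answer aged with the first
    if abs(ttl_b - record_ttl) <= tolerance:
        return "separate caches"               # second server fetched it fresh
    return "inconclusive"

def build_response(ttl):
    """Constructed sample response for probe.example (hypothetical name)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x05probe\x07example\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    from_a = first_answer_ttl(build_response(3600))
    from_a_prime = first_answer_ttl(build_response(3590))
    print(compare(from_a, from_a_prime, elapsed=10, record_ttl=3600))
```

A matching, aged TTL shows that both addresses answer from one cache; two distinct hosts that forward to a common upstream resolver can produce the same result.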