RDNS of legitimate names can be a tracking hostname #15

Open
opened 2 years ago by geoffrey · 0 comments
geoffrey commented 2 years ago
Owner

Example: `www.mitsubishicars.com`

```shell
$ dig +short www.mitsubishicars.com
168.75.242.199
$ dig +short -x 168.75.242.199
report.mitsubishicars.com.
$ dig +short report.mitsubishicars.com
mitsubishicars.com.d1.sc.omtrdc.net.
52.49.100.189
108.128.130.224
52.31.190.58
```

Which results in the rule:

```
www.mitsubishicars.com 4F_2 ← 168.75.242.199/32 3FD19 ← report.mitsubishicars.com 2F_1 ← *.omtrdc.net 1F_7904 ← (first-party rule) 0F_28
```

Maybe we can find a way to not include those false positives.

We can skip RDNS data altogether, which only removes <<4090 hostnames (<<745 in -only). I say << because of #14 and the fact it has not rerun yet. If the real numbers are significantly low, this might not be worth it.

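One way to keep rDNS-derived links without the false positive shown above is to require forward-confirmed reverse DNS (FCrDNS): only trust a PTR name when resolving it forward yields the IP the PTR came from. In the issue's case `report.mitsubishicars.com` resolves to the three `omtrdc.net` addresses, not to `168.75.242.199`, so the rDNS link would be dropped while a PTR that does round-trip would still be followed. The following is an added example, not code from the issue or from the eulaurarien project; the resolver is replaced by a constructed in-memory table that reproduces the quoted `dig` output, and the `example.net` entries, the `203.0.113.x` addresses and the `*.tracker-example.net` pattern are hypothetical and exist only to exercise the forward-confirmed path.

```python
"""FCrDNS filter for rDNS-derived tracker links (added example, not eulaurarien code)."""
import fnmatch
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed zone data. The mitsubishicars.com / omtrdc.net entries mirror the
# dig output quoted in the issue; every example.net / 203.0.113.x entry is hypothetical.
CNAME: Dict[str, str] = {
    "report.mitsubishicars.com": "mitsubishicars.com.d1.sc.omtrdc.net",
}
A: Dict[str, List[str]] = {
    "www.mitsubishicars.com": ["168.75.242.199"],
    "mitsubishicars.com.d1.sc.omtrdc.net": ["52.49.100.189", "108.128.130.224", "52.31.190.58"],
    "cdn.example.net": ["203.0.113.10"],            # hypothetical first-party name
    "edge.tracker-example.net": ["203.0.113.10"],   # hypothetical tracker, same IP
    "plain.example.net": ["203.0.113.20"],          # hypothetical, no PTR at all
}
PTR: Dict[str, str] = {
    "168.75.242.199": "report.mitsubishicars.com",  # from the issue: NOT forward-confirmed
    "203.0.113.10": "edge.tracker-example.net",     # hypothetical: forward-confirmed
}
# "*.omtrdc.net" is the pattern in the issue's rule; the second pattern is hypothetical.
TRACKER_PATTERNS: List[str] = ["*.omtrdc.net", "*.tracker-example.net"]


def resolve(name: str, max_depth: int = 8) -> Tuple[List[str], List[str]]:
    """Follow the CNAME chain from `name`; return (names in the chain, final A records)."""
    chain = [name]
    while name in CNAME and len(chain) <= max_depth:
        name = CNAME[name]
        chain.append(name)
    return chain, list(A.get(name, []))


def matching_pattern(name: str, patterns: Sequence[str]) -> Optional[str]:
    """First tracker pattern that matches `name`, or None."""
    return next((p for p in patterns if fnmatch.fnmatchcase(name, p)), None)


def classify(hostname: str, patterns: Sequence[str], require_fcrdns: bool = True) -> Optional[List[str]]:
    """Return the evidence chain that links `hostname` to a tracker pattern, or None.

    The chain lists the names/IPs traversed, ending with the matched pattern, in the
    spirit of the rule line in the issue. rDNS links are only followed when the PTR
    name is forward-confirmed (resolves back to the IP), unless require_fcrdns=False.
    """
    chain, ips = resolve(hostname)
    # 1. Direct CNAME chain hit (the normal case, independent of rDNS).
    for name in chain:
        pat = matching_pattern(name, patterns)
        if pat:
            return chain[: chain.index(name) + 1] + [pat]
    # 2. rDNS-derived hit: IP -> PTR name -> that name's CNAME chain.
    for ip in ips:
        rname = PTR.get(ip)
        if rname is None:
            continue
        rchain, rips = resolve(rname)
        if require_fcrdns and ip not in rips:
            # PTR does not round-trip: the name is not evidence about this IP, skip it.
            continue
        for name in rchain:
            pat = matching_pattern(name, patterns)
            if pat:
                return chain + [ip] + rchain[: rchain.index(name) + 1] + [pat]
    return None


if __name__ == "__main__":
    for host in ("www.mitsubishicars.com", "cdn.example.net", "plain.example.net"):
        print(host, "unfiltered:", classify(host, TRACKER_PATTERNS, require_fcrdns=False))
        print(host, "fcrdns:    ", classify(host, TRACKER_PATTERNS, require_fcrdns=True))
```

With the filter off, `www.mitsubishicars.com` is linked to `*.omtrdc.net` through the PTR exactly as in the issue; with it on, that link is discarded because `report.mitsubishicars.com` never resolves to `168.75.242.199`, while the hypothetical `cdn.example.net`, whose PTR does round-trip, is still caught. The trade-off is that any tracker-hosted PTR that is not forward-confirmed is also lost, so this narrows the rDNS data rather than dropping it wholesale.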
Labels: false-negative, false-positive
Depends on: #14 Priority can be wrong

Repository: geoffrey/eulaurarien