|do they exist or don't they?|
What, if anything, does it mean when you look up an IP and get told that "hostname such-and-such does not exist"? I started out assuming there was something hinky about them, and probably put "Watch This Address" flags on some perfectly innocent people.
Then, last time I played with my logs, I found a visitor to one of my very, very specialized pages-- the ones where I have to satisfy my curiosity by looking them up.
[Could be forged: hostname squiggle-29-22.domain.dotdot does not exist]
In this case, domain.dotdot happens to be a respectable foreign government.* Clueless when it comes to Internet-related stuff, but otherwise respectable. And I've had several other visits from the aaa sector. They're in the appropriate geographical region. Absolutely, beyond question, legit.
So what does "does not exist" mean?
Punchline: The unknown visitor came from a search engine, where they were looking for information on... Well, let's say it was the equivalent of someone from Whitehall googling "precedence in the House of Lords". I can only hope it's one of those countries where a .gov address doesn't necessarily mean you work for the government.
* On another occasion, I had a long visit from someone whose IP turned out to belong to my state's income-tax department. I could never figure out whether the state was really, seriously scraping the barrel... or whether someone whose salary I pay was spending their time in an inappropriate manner.
It means there is no rDNS for the IP. In other words, there is no domain name associated with the given IP: there is no PTR record. When you visit a site, there is an IP associated with the site. The rDNS is the opposite.
It should not be used as a general criterion to restrict access to a site, if that's what you're asking. But it could be used for other cases, like when receiving emails, or if you are certain there is rDNS (for instance, popular search engines typically have one when they visit your site).
Also, performing rDNS on its own doesn't do much. An IP could resolve, for example, to localhost or to any domain name, just because it's misconfigured by error or on purpose. Therefore, after you retrieve the PTR, you would have to do additional testing to ensure the PTR resolves back to the original IP.
Also, this kind of detection method should not be used in the long run.
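The forward-confirmed reverse DNS check the reply above describes (PTR lookup, then a forward lookup of the returned name, then checking that the original IP is among the answers), written as an added example that is not code from this thread. The `FAKE_PTR`/`FAKE_FORWARD` tables and the 192.0.2.x addresses are constructed stand-ins so it runs offline; `default_reverse`/`default_forward` use the system resolver if you pass nothing else.

```python
import socket
from typing import Optional, Sequence

# Outcomes of a forward-confirmed reverse DNS check on one visitor IP.
NO_PTR = "no-ptr"                # the "hostname ... does not exist" case: no PTR record
FORWARD_FAILS = "forward-fails"  # the PTR name exists but resolves to nothing
MISMATCH = "mismatch"            # the PTR name resolves, but not back to this IP
CONFIRMED = "confirmed"          # the PTR name resolves back to the original IP

def default_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def default_forward(name: str) -> Sequence[str]:
    """A/AAAA lookup of a hostname through the system resolver; empty on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip: str, reverse=default_reverse, forward=default_forward):
    """Return (status, ptr_name, forward_ips) for one IP.
    A PTR alone proves nothing, since whoever runs the reverse zone can put any
    name in it; the name only counts once its forward lookup includes the IP.
    """
    name = reverse(ip)
    if name is None:
        return NO_PTR, None, ()
    addrs = tuple(forward(name))
    if not addrs:
        return FORWARD_FAILS, name, ()
    if ip not in addrs:
        return MISMATCH, name, addrs
    return CONFIRMED, name, addrs

# Constructed, offline stand-in for the resolver (assumed data, not real DNS).
FAKE_PTR = {
    "192.0.2.10": "crawler-10.search.example",      # a well-behaved crawler
    "192.0.2.11": "squiggle-29-22.domain.example",  # PTR name that nobody can resolve
    "192.0.2.12": "localhost",                      # misconfigured, by error or on purpose
}
FAKE_FORWARD = {"crawler-10.search.example": ["192.0.2.10"], "localhost": ["127.0.0.1"]}

def demo(ip: str):
    """Run the check against the constructed tables instead of live DNS."""
    return check_fcrdns(ip, FAKE_PTR.get, lambda n: FAKE_FORWARD.get(n, []))
```

Calling `demo("192.0.2.13")` gives the "does not exist" outcome (no PTR at all), while `demo("192.0.2.12")` shows the "could be forged" outcome: a name came back, but it does not resolve to the visitor's IP.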
Well, I'm using one of those www pages that checks in both directions for you. The line "could be forged" definitely makes me think of e-mail rather than www site visitors-- and I don't think I have ever in my life received an e-mail whose content left me in doubt about whether it was spam or real mail. (I'm an individual human, not an ISP, so I don't have to deal with the messy issue of decoding forged headers and blocking senders at the source.)
So far I haven't found anything that works better than gut feeling: page A gets a fair number of visitors from Portugal, so I don't bother about them, but why the ### should people from Belarus suddenly take an interest in page B?
Most of the time, "does not exist" seems to refer only to the exact wording of the address. The domain part is the same. Or it isn't, at which point it is probably easier to deploy the "because I don't like your face" rule than to bother with any more investigation. The address that prompted the original question is, as I said, administered by people who are moderately clueless* so I wouldn't put it past them to assign a local address in a non-standard format.
* They're actively promoting a related site that has, to my certain knowledge, not been touched since 2004, which gives you some idea.
|people from Belarus suddenly take an interest in page B |
I don't think they do. Concentrate on the queries; at least in my case, various visits' sole purpose is to scrape content, hack the site and/or spam the forms in every way possible.
Some of the IPs are returning funny DNS names, which are forged of course, and they may come from every country you can imagine, typically via a hijacked system. In most cases it's fully automated.
Although the majority may seem to come from outside NA or Europe, it just tells me that user awareness in some countries is either lower than in the US, for example, or that the cost of security/original software is much higher and people can't afford it; they prefer the "risk it for free" way, which leads lots and lots of machines to structure various botnets for shady purposes.
You can also input some IPs to several anti-spam services like SC and check their status. Sometimes, when I see someone checking out or submitting a form and I am not quite sure of their intentions, I will enter a couple of them, as their system may check for a compromised PC based on the open ports.
Other times just the IP blacklist databases will do, or I will have the server do a port scan on the standard HTTP ports for a given IP. If they're open, something isn't right.