diff mbox series

display rDNS and GeoIP information for used nameservers

Message ID	20171106190919.2f0f434f.peter.mueller@link38.eu
State	Superseded
Headers	Date: Mon, 6 Nov 2017 19:09:19 +0100 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: "development@lists.ipfire.org" <development@lists.ipfire.org> Subject: [PATCH] display rDNS and GeoIP information for used nameservers Message-ID: <20171106190919.2f0f434f.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	display rDNS and GeoIP information for used nameservers \| display rDNS and GeoIP information for used nameservers

Commit Message

Peter Müller Nov. 7, 2017, 5:09 a.m. UTC

  Display rDNS/PTR record and GeoIP information for used nameservers
on the netexternal.cgi WebUI page. These information might be useful
for debugging.

Thanks to Matthias Fischer for style improvements.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl       |  1 +
 langs/en/cgi-bin/en.pl       |  1 +
 3 files changed, 27 insertions(+)

Comments

Michael Tremer Nov. 7, 2017, 10:37 p.m. UTC | #1

Hi,

this quite a nice idea, but I have one small problem here which I think could
potentially confuse the users more than it helps.

And that is anycast DNS servers.

So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
which technically is correct, but I know for a fact that I am using an instance
that is located in the Telehouse which just a few miles away from me and not on
the other side of the big pond.

So can we do anything to make this better and should we?

-Michael

On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:
> Display rDNS/PTR record and GeoIP information for used nameservers
> on the netexternal.cgi WebUI page. These information might be useful
> for debugging.
> 
> Thanks to Matthias Fischer for style improvements.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
>  langs/de/cgi-bin/de.pl       |  1 +
>  langs/en/cgi-bin/en.pl       |  1 +
>  3 files changed, 27 insertions(+)
> 
> diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> index 299612d4c..cd2223ac6 100644
> --- a/html/cgi-bin/netexternal.cgi
> +++ b/html/cgi-bin/netexternal.cgi
> @@ -25,9 +25,13 @@ use strict;
>  #use warnings;
>  #use CGI::Carp 'fatalsToBrowser';
>  
> +use IO::Socket;
> +use Geo::IP::PurePerl;
> +
>  require '/var/ipfire/general-functions.pl';
>  require "${General::swroot}/lang.pl";
>  require "${General::swroot}/header.pl";
> +require "${General::swroot}/geoip-functions.pl";
>  require "${General::swroot}/graphs.pl";
>  
>  my %color = ();
> @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
>  						<strong>$Lang::tr{'nameserver
> '}</strong>
>  					</th>
>  					<th align="center">
> +						<strong>$Lang::tr{'flag'}</st
> rong>
> +					</th>
> +					<th align="center">
> +						<strong>$Lang::tr{'rdns'}</st
> rong>
> +					</th>
> +					<th align="center">
>  						<strong>$Lang::tr{'status'}</
> strong>
>  					</th>
>  				</tr>
> @@ -138,10 +148,25 @@ END
>  		}
>  
>  		my $table_colour = ($id++ % 2) ? $color{'color22'} :
> $color{'color20'};
> +		
> +		my $iaddr = inet_aton($nameserver);
> +		my $rdns = gethostbyaddr($iaddr, AF_INET);
> +		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
> +
> +		my $gi = Geo::IP::PurePerl->new();
> +		my $ccode = $gi->country_code_by_name($nameserver);
> +		my $fcode = lc($ccode);
> +		my $flag_icon = &GeoIP::get_flag_icon($fcode);
>  
>  		print <<END;
>  			<tr bgcolor="$table_colour">
>  				<td>$nameserver</td>
> +				<td align="center">
> +					<a href="country.cgi#$fcode"><img
> src="$flag_icon" border="0" align="absmiddle" alt="$ccode" title="$ccode"></a>
> +				</td>
> +				<td align="center">
> +					$rdns
> +				</td>
>  				<td bgcolor="$bgcolour" align="center">
>  					<font
> color="$colour"><strong>$message</strong></font>
>  				</td>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index af96a6445..4cf866a3a 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1951,6 +1951,7 @@
>  'quick playlist' => 'Quick Playlist',
>  'ram' => 'RAM-Speicher',
>  'random number generator daemon' => 'Random Number Generator Daemon',
> +'rdns' => 'rDNS',
>  'read bytes' => 'Gelesene Bytes',
>  'read list' => 'Liste der Leseberechtigten',
>  'real address' => 'Reale Addresse',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 7e4f95ccf..946aba873 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1989,6 +1989,7 @@
>  'quick playlist' => 'Quick Playlist',
>  'ram' => 'RAM',
>  'random number generator daemon' => 'Random Number Generator Daemon',
> +'rdns' => 'rDNS',
>  'read bytes' => 'Read Bytes',
>  'read list' => 'list with readonly hosts',
>  'real address' => 'Real Address',

Peter Müller Nov. 8, 2017, 6:25 a.m. UTC | #2

Hello Michael,

> Hi,
> 
> this quite a nice idea, but I have one small problem here which I think could
> potentially confuse the users more than it helps.
> 
> And that is anycast DNS servers.
Oh, yes. *sigh*
> 
> So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
> which technically is correct, but I know for a fact that I am using an instance
> that is located in the Telehouse which just a few miles away from me and not on
> the other side of the big pond.
> 
> So can we do anything to make this better and should we?
The answer is simple and gives absolutely no satisfaction: No, we can't.

The (free) GeoIP database IPFire uses is somewhat ugly when it comes to anycast
networks, or even the networks of big DSL companies (see below): By looking at
the output of "geoiplookup [anycast IP]", there is no chance to see that something
is wrong.

Further, there are two problems with these networks:
(a) Only the company operating an anycast system knows where a certain IP is
actually located - as far as I am concerned, there is no (reliable) way to guess
this from outside. Some companies set informative PTR records such as "muc-x.y.z.anycast.company.com"
[muc = Munich], but even that does not mean anything in technical terms.

(b) There is a huge difference between the accuracy of multinational company's
networks in the free and non-free edition of the GeoIP database. For example, AOL
also owns subnets for their customers in Brazil and other countries outside US,
but the free database returns "US" for any AOL network queried.
Same goes for special categories such as "A1" (anonymous proxies): Even big Tor
nodes with static IPs or some huge VPN providers are mostly not listed there. :-|


To sum it up: I am aware of these - let's say - inaccuracies. However, I think we
need to stay consistent here: If we use GeoIP for firewall rules, which I consider
a great feature, we should work with the same information that iptables processes
if a user queries an IP address.

This is especially true for the connection tracking table (will send a working patch
for this later on), but otherwise, debugging of GeoIP firewall rules becomes very
hard.

Just as a remark: It is interesting that the Cloudflare networks are not listed in
the GeoIP database anymore (perhaps because they are anycast, too). But according
to bug #11482, this is not a good idea.

Best regards,
Peter Müller
> 
> -Michael
> 
> On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:
> > Display rDNS/PTR record and GeoIP information for used nameservers
> > on the netexternal.cgi WebUI page. These information might be useful
> > for debugging.
> > 
> > Thanks to Matthias Fischer for style improvements.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> >  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
> >  langs/de/cgi-bin/de.pl       |  1 +
> >  langs/en/cgi-bin/en.pl       |  1 +
> >  3 files changed, 27 insertions(+)
> > 
> > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> > index 299612d4c..cd2223ac6 100644
> > --- a/html/cgi-bin/netexternal.cgi
> > +++ b/html/cgi-bin/netexternal.cgi
> > @@ -25,9 +25,13 @@ use strict;
> >  #use warnings;
> >  #use CGI::Carp 'fatalsToBrowser';
> >  
> > +use IO::Socket;
> > +use Geo::IP::PurePerl;
> > +
> >  require '/var/ipfire/general-functions.pl';
> >  require "${General::swroot}/lang.pl";
> >  require "${General::swroot}/header.pl";
> > +require "${General::swroot}/geoip-functions.pl";
> >  require "${General::swroot}/graphs.pl";
> >  
> >  my %color = ();
> > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
> >  						<strong>$Lang::tr{'nameserver
> > '}</strong>
> >  					</th>
> >  					<th align="center">
> > +						<strong>$Lang::tr{'flag'}</st  
> > rong>  
> > +					</th>
> > +					<th align="center">
> > +						<strong>$Lang::tr{'rdns'}</st  
> > rong>  
> > +					</th>
> > +					<th align="center">
> >  						<strong>$Lang::tr{'status'}</  
> > strong>  
> >  					</th>
> >  				</tr>
> > @@ -138,10 +148,25 @@ END
> >  		}
> >  
> >  		my $table_colour = ($id++ % 2) ? $color{'color22'} :
> > $color{'color20'};
> > +		
> > +		my $iaddr = inet_aton($nameserver);
> > +		my $rdns = gethostbyaddr($iaddr, AF_INET);
> > +		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
> > +
> > +		my $gi = Geo::IP::PurePerl->new();
> > +		my $ccode = $gi->country_code_by_name($nameserver);
> > +		my $fcode = lc($ccode);
> > +		my $flag_icon = &GeoIP::get_flag_icon($fcode);
> >  
> >  		print <<END;
> >  			<tr bgcolor="$table_colour">
> >  				<td>$nameserver</td>
> > +				<td align="center">
> > +					<a href="country.cgi#$fcode"><img
> > src="$flag_icon" border="0" align="absmiddle" alt="$ccode" title="$ccode"></a>
> > +				</td>
> > +				<td align="center">
> > +					$rdns
> > +				</td>
> >  				<td bgcolor="$bgcolour" align="center">
> >  					<font  
> > color="$colour"><strong>$message</strong></font>  
> >  				</td>
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > index af96a6445..4cf866a3a 100644
> > --- a/langs/de/cgi-bin/de.pl
> > +++ b/langs/de/cgi-bin/de.pl
> > @@ -1951,6 +1951,7 @@
> >  'quick playlist' => 'Quick Playlist',
> >  'ram' => 'RAM-Speicher',
> >  'random number generator daemon' => 'Random Number Generator Daemon',
> > +'rdns' => 'rDNS',
> >  'read bytes' => 'Gelesene Bytes',
> >  'read list' => 'Liste der Leseberechtigten',
> >  'real address' => 'Reale Addresse',
> > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > index 7e4f95ccf..946aba873 100644
> > --- a/langs/en/cgi-bin/en.pl
> > +++ b/langs/en/cgi-bin/en.pl
> > @@ -1989,6 +1989,7 @@
> >  'quick playlist' => 'Quick Playlist',
> >  'ram' => 'RAM',
> >  'random number generator daemon' => 'Random Number Generator Daemon',
> > +'rdns' => 'rDNS',
> >  'read bytes' => 'Read Bytes',
> >  'read list' => 'list with readonly hosts',
> >  'real address' => 'Real Address',

Michael Tremer Nov. 8, 2017, 10:03 a.m. UTC | #3

Hi,

On Tue, 2017-11-07 at 20:25 +0100, Peter Müller wrote:
> Hello Michael,
> 
> > Hi,
> > 
> > this quite a nice idea, but I have one small problem here which I think could
> > potentially confuse the users more than it helps.
> > 
> > And that is anycast DNS servers.
> 
> Oh, yes. *sigh*
> > 
> > So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
> > which technically is correct, but I know for a fact that I am using an instance
> > that is located in the Telehouse which just a few miles away from me and not on
> > the other side of the big pond.
> > 
> > So can we do anything to make this better and should we?
> 
> The answer is simple and gives absolutely no satisfaction: No, we can't.
> 
> The (free) GeoIP database IPFire uses is somewhat ugly when it comes to anycast
> networks, or even the networks of big DSL companies (see below): By looking at
> the output of "geoiplookup [anycast IP]", there is no chance to see that something
> is wrong.
> 
> Further, there are two problems with these networks:
> (a) Only the company operating an anycast system knows where a certain IP is
> actually located - as far as I am concerned, there is no (reliable) way to guess
> this from outside. Some companies set informative PTR records such as "muc-x.y.z.anycast.company.com"
> [muc = Munich], but even that does not mean anything in technical terms.

Not even they know where you are being routed to in some cases.

> (b) There is a huge difference between the accuracy of multinational company's
> networks in the free and non-free edition of the GeoIP database. For example, AOL
> also owns subnets for their customers in Brazil and other countries outside US,
> but the free database returns "US" for any AOL network queried.
> Same goes for special categories such as "A1" (anonymous proxies): Even big Tor
> nodes with static IPs or some huge VPN providers are mostly not listed there. :-|

Well, the accuracy isn't really there. There is no guarantee the
information is correct or precise and basically this is completely
messy.

There are other things like LOC records in DNS, but unfortunately
nobody seems to be using that.

There is an option c) Sometimes it says it in the whois, but that again
is not at all a reliable source of information.

> To sum it up: I am aware of these - let's say - inaccuracies. However, I think we
> need to stay consistent here: If we use GeoIP for firewall rules, which I consider
> a great feature, we should work with the same information that iptables processes
> if a user queries an IP address.
> 
> This is especially true for the connection tracking table (will send a working patch
> for this later on), but otherwise, debugging of GeoIP firewall rules becomes very
> hard.

Very true.

> Just as a remark: It is interesting that the Cloudflare networks are not listed in
> the GeoIP database anymore (perhaps because they are anycast, too). But according
> to bug #11482, this is not a good idea.

I have heard bad things from them that they are not a very nice player.
It is rumored that they are a pain in the rear end...

-Michael

> Best regards,
> Peter Müller
> > 
> > -Michael
> > 
> > On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:
> > > Display rDNS/PTR record and GeoIP information for used nameservers
> > > on the netexternal.cgi WebUI page. These information might be useful
> > > for debugging.
> > > 
> > > Thanks to Matthias Fischer for style improvements.
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > >  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
> > >  langs/de/cgi-bin/de.pl       |  1 +
> > >  langs/en/cgi-bin/en.pl       |  1 +
> > >  3 files changed, 27 insertions(+)
> > > 
> > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> > > index 299612d4c..cd2223ac6 100644
> > > --- a/html/cgi-bin/netexternal.cgi
> > > +++ b/html/cgi-bin/netexternal.cgi
> > > @@ -25,9 +25,13 @@ use strict;
> > >  #use warnings;
> > >  #use CGI::Carp 'fatalsToBrowser';
> > >  
> > > +use IO::Socket;
> > > +use Geo::IP::PurePerl;
> > > +
> > >  require '/var/ipfire/general-functions.pl';
> > >  require "${General::swroot}/lang.pl";
> > >  require "${General::swroot}/header.pl";
> > > +require "${General::swroot}/geoip-functions.pl";
> > >  require "${General::swroot}/graphs.pl";
> > >  
> > >  my %color = ();
> > > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
> > >  						<strong>$Lang::tr{'nameserver
> > > '}</strong>
> > >  					</th>
> > >  					<th align="center">
> > > +						<strong>$Lang::tr{'flag'}</st  
> > > rong>  
> > > +					</th>
> > > +					<th align="center">
> > > +						<strong>$Lang::tr{'rdns'}</st  
> > > rong>  
> > > +					</th>
> > > +					<th align="center">
> > >  						<strong>$Lang::tr{'status'}</  
> > > strong>  
> > >  					</th>
> > >  				</tr>
> > > @@ -138,10 +148,25 @@ END
> > >  		}
> > >  
> > >  		my $table_colour = ($id++ % 2) ? $color{'color22'} :
> > > $color{'color20'};
> > > +		
> > > +		my $iaddr = inet_aton($nameserver);
> > > +		my $rdns = gethostbyaddr($iaddr, AF_INET);
> > > +		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
> > > +
> > > +		my $gi = Geo::IP::PurePerl->new();
> > > +		my $ccode = $gi->country_code_by_name($nameserver);
> > > +		my $fcode = lc($ccode);
> > > +		my $flag_icon = &GeoIP::get_flag_icon($fcode);
> > >  
> > >  		print <<END;
> > >  			<tr bgcolor="$table_colour">
> > >  				<td>$nameserver</td>
> > > +				<td align="center">
> > > +					<a href="country.cgi#$fcode"><img
> > > src="$flag_icon" border="0" align="absmiddle" alt="$ccode"
> > > title=rumoured"$ccode"></a>
> > > +				</td>
> > > +				<td align="center">rumoured
> > > +					$rdns
> > > +				</td>
> > >  				<td bgcolor="$bgcolour" align="center">
> > >  					<font  
> > > color="$colour"><strong>$message</strong></font>  
> > >  				</td>
> > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > > index af96a6445..4cf866a3a 100644
> > > --- a/langs/de/cgi-bin/de.pl
> > > +++ b/langs/de/cgi-bin/de.pl
> > > @@ -1951,6 +1951,7 @@
> > >  'quick playlist' => 'Quick Playlist',
> > >  'ram' => 'RAM-Speicher',
> > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > +'rdns' => 'rDNS',
> > >  'read bytes' => 'Gelesene Bytes',
> > >  'read list' => 'Liste der Leseberechtigten',
> > >  'real address' => 'Reale Addresse',
> > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > > index 7e4f95ccf..946aba873 100644
> > > --- a/langs/en/cgi-bin/en.pl
> > > +++ b/langs/en/cgi-bin/en.pl
> > > @@ -1989,6 +1989,7 @@
> > >  'quick playlist' => 'Quick Playlist',
> > >  'ram' => 'RAM',
> > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > +'rdns' => 'rDNS',
> > >  'read bytes' => 'Read Bytes',
> > >  'read list' => 'list with readonly hosts',
> > >  'real address' => 'Real Address',  
> 
>

Peter Müller Nov. 9, 2017, 8:58 a.m. UTC | #4

Hello Michael,

> Hi,
> 
> On Tue, 2017-11-07 at 20:25 +0100, Peter Müller wrote:
> > Hello Michael,
> >   
> > > Hi,
> > > 
> > > this quite a nice idea, but I have one small problem here which I think could
> > > potentially confuse the users more than it helps.
> > > 
> > > And that is anycast DNS servers.  
> > 
> > Oh, yes. *sigh*  
> > > 
> > > So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
> > > which technically is correct, but I know for a fact that I am using an instance
> > > that is located in the Telehouse which just a few miles away from me and not on
> > > the other side of the big pond.
> > > 
> > > So can we do anything to make this better and should we?  
> > 
> > The answer is simple and gives absolutely no satisfaction: No, we can't.
> > 
> > The (free) GeoIP database IPFire uses is somewhat ugly when it comes to anycast
> > networks, or even the networks of big DSL companies (see below): By looking at
> > the output of "geoiplookup [anycast IP]", there is no chance to see that something
> > is wrong.
> > 
> > Further, there are two problems with these networks:
> > (a) Only the company operating an anycast system knows where a certain IP is
> > actually located - as far as I am concerned, there is no (reliable) way to guess
> > this from outside. Some companies set informative PTR records such as "muc-x.y.z.anycast.company.com"
> > [muc = Munich], but even that does not mean anything in technical terms.  
> 
> Not even they know where you are being routed to in some cases.
> 
> > (b) There is a huge difference between the accuracy of multinational company's
> > networks in the free and non-free edition of the GeoIP database. For example, AOL
> > also owns subnets for their customers in Brazil and other countries outside US,
> > but the free database returns "US" for any AOL network queried.
> > Same goes for special categories such as "A1" (anonymous proxies): Even big Tor
> > nodes with static IPs or some huge VPN providers are mostly not listed there. :-|  
> 
> Well, the accuracy isn't really there. There is no guarantee the
> information is correct or precise and basically this is completely
> messy.
True. Sometimes I am thinking about building my own country GeoIP database, maybe
as a holiday project initially...
> 
> There are other things like LOC records in DNS, but unfortunately
> nobody seems to be using that.
I understand this. As a server operator, I do not want people to know in
which city (or building) my devices are located.
> 
> There is an option c) Sometimes it says it in the whois, but that again
> is not at all a reliable source of information.
Location information on city base is never quite accurate, but at country level,
it should be possible for most cases.

Well, at the moment, we do not have anything better (see above). Apart from these
issues, was the patch okay?

Best regards,
Peter Müller
> 
> > To sum it up: I am aware of these - let's say - inaccuracies. However, I think we
> > need to stay consistent here: If we use GeoIP for firewall rules, which I consider
> > a great feature, we should work with the same information that iptables processes
> > if a user queries an IP address.
> > 
> > This is especially true for the connection tracking table (will send a working patch
> > for this later on), but otherwise, debugging of GeoIP firewall rules becomes very
> > hard.  
> 
> Very true.
> 
> > Just as a remark: It is interesting that the Cloudflare networks are not listed in
> > the GeoIP database anymore (perhaps because they are anycast, too). But according
> > to bug #11482, this is not a good idea.  
> 
> I have heard bad things from them that they are not a very nice player.
> It is rumored that they are a pain in the rear end...
> 
> -Michael
> 
> > Best regards,
> > Peter Müller  
> > > 
> > > -Michael
> > > 
> > > On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:  
> > > > Display rDNS/PTR record and GeoIP information for used nameservers
> > > > on the netexternal.cgi WebUI page. These information might be useful
> > > > for debugging.
> > > > 
> > > > Thanks to Matthias Fischer for style improvements.
> > > > 
> > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > > ---
> > > >  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
> > > >  langs/de/cgi-bin/de.pl       |  1 +
> > > >  langs/en/cgi-bin/en.pl       |  1 +
> > > >  3 files changed, 27 insertions(+)
> > > > 
> > > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> > > > index 299612d4c..cd2223ac6 100644
> > > > --- a/html/cgi-bin/netexternal.cgi
> > > > +++ b/html/cgi-bin/netexternal.cgi
> > > > @@ -25,9 +25,13 @@ use strict;
> > > >  #use warnings;
> > > >  #use CGI::Carp 'fatalsToBrowser';
> > > >  
> > > > +use IO::Socket;
> > > > +use Geo::IP::PurePerl;
> > > > +
> > > >  require '/var/ipfire/general-functions.pl';
> > > >  require "${General::swroot}/lang.pl";
> > > >  require "${General::swroot}/header.pl";
> > > > +require "${General::swroot}/geoip-functions.pl";
> > > >  require "${General::swroot}/graphs.pl";
> > > >  
> > > >  my %color = ();
> > > > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
> > > >  						<strong>$Lang::tr{'nameserver
> > > > '}</strong>
> > > >  					</th>
> > > >  					<th align="center">
> > > > +						<strong>$Lang::tr{'flag'}</st    
> > > > rong>    
> > > > +					</th>
> > > > +					<th align="center">
> > > > +						<strong>$Lang::tr{'rdns'}</st    
> > > > rong>    
> > > > +					</th>
> > > > +					<th align="center">
> > > >  						<strong>$Lang::tr{'status'}</    
> > > > strong>    
> > > >  					</th>
> > > >  				</tr>
> > > > @@ -138,10 +148,25 @@ END
> > > >  		}
> > > >  
> > > >  		my $table_colour = ($id++ % 2) ? $color{'color22'} :
> > > > $color{'color20'};
> > > > +		
> > > > +		my $iaddr = inet_aton($nameserver);
> > > > +		my $rdns = gethostbyaddr($iaddr, AF_INET);
> > > > +		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
> > > > +
> > > > +		my $gi = Geo::IP::PurePerl->new();
> > > > +		my $ccode = $gi->country_code_by_name($nameserver);
> > > > +		my $fcode = lc($ccode);
> > > > +		my $flag_icon = &GeoIP::get_flag_icon($fcode);
> > > >  
> > > >  		print <<END;
> > > >  			<tr bgcolor="$table_colour">
> > > >  				<td>$nameserver</td>
> > > > +				<td align="center">
> > > > +					<a href="country.cgi#$fcode"><img
> > > > src="$flag_icon" border="0" align="absmiddle" alt="$ccode"  
> > > > title=rumoured"$ccode"></a>  
> > > > +				</td>
> > > > +				<td align="center">rumoured
> > > > +					$rdns
> > > > +				</td>
> > > >  				<td bgcolor="$bgcolour" align="center">
> > > >  					<font    
> > > > color="$colour"><strong>$message</strong></font>    
> > > >  				</td>
> > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > > > index af96a6445..4cf866a3a 100644
> > > > --- a/langs/de/cgi-bin/de.pl
> > > > +++ b/langs/de/cgi-bin/de.pl
> > > > @@ -1951,6 +1951,7 @@
> > > >  'quick playlist' => 'Quick Playlist',
> > > >  'ram' => 'RAM-Speicher',
> > > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > > +'rdns' => 'rDNS',
> > > >  'read bytes' => 'Gelesene Bytes',
> > > >  'read list' => 'Liste der Leseberechtigten',
> > > >  'real address' => 'Reale Addresse',
> > > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > > > index 7e4f95ccf..946aba873 100644
> > > > --- a/langs/en/cgi-bin/en.pl
> > > > +++ b/langs/en/cgi-bin/en.pl
> > > > @@ -1989,6 +1989,7 @@
> > > >  'quick playlist' => 'Quick Playlist',
> > > >  'ram' => 'RAM',
> > > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > > +'rdns' => 'rDNS',
> > > >  'read bytes' => 'Read Bytes',
> > > >  'read list' => 'list with readonly hosts',
> > > >  'real address' => 'Real Address',    
> > 
> >

Michael Tremer Nov. 10, 2017, 9:41 a.m. UTC | #5

Hi,

On Wed, 2017-11-08 at 22:58 +0100, Peter Müller wrote:
> Hello Michael,
> 
> > Hi,
> > 
> > On Tue, 2017-11-07 at 20:25 +0100, Peter Müller wrote:
> > > Hello Michael,
> > >   
> > > > Hi,
> > > > 
> > > > this quite a nice idea, but I have one small problem here which I think could
> > > > potentially confuse the users more than it helps.
> > > > 
> > > > And that is anycast DNS servers.  
> > > 
> > > Oh, yes. *sigh*  
> > > > 
> > > > So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
> > > > which technically is correct, but I know for a fact that I am using an instance
> > > > that is located in the Telehouse which just a few miles away from me and not on
> > > > the other side of the big pond.
> > > > 
> > > > So can we do anything to make this better and should we?  
> > > 
> > > The answer is simple and gives absolutely no satisfaction: No, we can't.
> > > 
> > > The (free) GeoIP database IPFire uses is somewhat ugly when it comes to anycast
> > > networks, or even the networks of big DSL companies (see below): By looking at
> > > the output of "geoiplookup [anycast IP]", there is no chance to see that something
> > > is wrong.
> > > 
> > > Further, there are two problems with these networks:
> > > (a) Only the company operating an anycast system knows where a certain IP is
> > > actually located - as far as I am concerned, there is no (reliable) way to guess
> > > this from outside. Some companies set informative PTR records such as "muc-x.y.z.anycast.company.com"
> > > [muc = Munich], but even that does not mean anything in technical terms.  
> > 
> > Not even they know where you are being routed to in some cases.
> > 
> > > (b) There is a huge difference between the accuracy of multinational company's
> > > networks in the free and non-free edition of the GeoIP database. For example, AOL
> > > also owns subnets for their customers in Brazil and other countries outside US,
> > > but the free database returns "US" for any AOL network queried.
> > > Same goes for special categories such as "A1" (anonymous proxies): Even big Tor
> > > nodes with static IPs or some huge VPN providers are mostly not listed there. :-|  
> > 
> > Well, the accuracy isn't really there. There is no guarantee the
> > information is correct or precise and basically this is completely
> > messy.
> 
> True. Sometimes I am thinking about building my own country GeoIP database, maybe
> as a holiday project initially...

I would love to have a second source that isn't Maxmind and probably it
is quite possible to just walk through whois and create something that
is roughly accurate, but still this is probably not worth investing
time into it.

> > 
> > There are other things like LOC records in DNS, but unfortunately
> > nobody seems to be using that.
> 
> I understand this. As a server operator, I do not want people to know in
> which city (or building) my devices are located.

Well, if you would just have a look at where we are hosting you will
find the address of the servers on their website. It is very easy to
find out in many cases.

> > 
> > There is an option c) Sometimes it says it in the whois, but that again
> > is not at all a reliable source of information.
> 
> Location information on city base is never quite accurate, but at country level,
> it should be possible for most cases.
> 
> Well, at the moment, we do not have anything better (see above). Apart from these
> issues, was the patch okay?

I think this is fine then. I did not expect a solution, but wanted to
have the discussion for the record.

Please use the new lookup function from the other patch and please add
something to the documentation that summarises what we discussed here.

Best,
-Michael

> 
> Best regards,
> Peter Müller
> > 
> > > To sum it up: I am aware of these - let's say - inaccuracies. However, I think we
> > > need to stay consistent here: If we use GeoIP for firewall rules, which I consider
> > > a great feature, we should work with the same information that iptables processes
> > > if a user queries an IP address.
> > > 
> > > This is especially true for the connection tracking table (will send a working patch
> > > for this later on), but otherwise, debugging of GeoIP firewall rules becomes very
> > > hard.  
> > 
> > Very true.
> > 
> > > Just as a remark: It is interesting that the Cloudflare networks are not listed in
> > > the GeoIP database anymore (perhaps because they are anycast, too). But according
> > > to bug #11482, this is not a good idea.  
> > 
> > I have heard bad things from them that they are not a very nice player.
> > It is rumored that they are a pain in the rear end...
> > 
> > -Michael
> > 
> > > Best regards,
> > > Peter Müller  
> > > > 
> > > > -Michael
> > > > 
> > > > On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:  
> > > > > Display rDNS/PTR record and GeoIP information for used nameservers
> > > > > on the netexternal.cgi WebUI page. These information might be useful
> > > > > for debugging.
> > > > > 
> > > > > Thanks to Matthias Fischer for style improvements.
> > > > > 
> > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > > > ---
> > > > >  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
> > > > >  langs/de/cgi-bin/de.pl       |  1 +
> > > > >  langs/en/cgi-bin/en.pl       |  1 +
> > > > >  3 files changed, 27 insertions(+)
> > > > > 
> > > > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> > > > > index 299612d4c..cd2223ac6 100644
> > > > > --- a/html/cgi-bin/netexternal.cgi
> > > > > +++ b/html/cgi-bin/netexternal.cgi
> > > > > @@ -25,9 +25,13 @@ use strict;
> > > > >  #use warnings;
> > > > >  #use CGI::Carp 'fatalsToBrowser';
> > > > >  
> > > > > +use IO::Socket;
> > > > > +use Geo::IP::PurePerl;
> > > > > +
> > > > >  require '/var/ipfire/general-functions.pl';
> > > > >  require "${General::swroot}/lang.pl";
> > > > >  require "${General::swroot}/header.pl";
> > > > > +require "${General::swroot}/geoip-functions.pl";
> > > > >  require "${General::swroot}/graphs.pl";
> > > > >  
> > > > >  my %color = ();
> > > > > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
> > > > >  						<strong>$Lang::tr{'nameserver
> > > > > '}</strong>
> > > > >  					</th>
> > > > >  					<th align="center">
> > > > > +						<strong>$Lang::tr{'flag'}</st    
> > > > > rong>    
> > > > > +					</th>
> > > > > +					<th align="center">
> > > > > +						<strong>$Lang::tr{'rdns'}</st    
> > > > > rong>    
> > > > > +					</th>
> > > > > +					<th align="center">
> > > > >  						<strong>$Lang::tr{'status'}</    
> > > > > strong>    
> > > > >  					</th>
> > > > >  				</tr>
> > > > > @@ -138,10 +148,25 @@ END
> > > > >  		}
> > > > >  
> > > > >  		my $table_colour = ($id++ % 2) ? $color{'color22'} :
> > > > > $color{'color20'};
> > > > > +		
> > > > > +		my $iaddr = inet_aton($nameserver);
> > > > > +		my $rdns = gethostbyaddr($iaddr, AF_INET);
> > > > > +		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
> > > > > +
> > > > > +		my $gi = Geo::IP::PurePerl->new();
> > > > > +		my $ccode = $gi->country_code_by_name($nameserver);
> > > > > +		my $fcode = lc($ccode);
> > > > > +		my $flag_icon = &GeoIP::get_flag_icon($fcode);
> > > > >  
> > > > >  		print <<END;
> > > > >  			<tr bgcolor="$table_colour">
> > > > >  				<td>$nameserver</td>
> > > > > +				<td align="center">
> > > > > +					<a href="country.cgi#$fcode"><img
> > > > > src="$flag_icon" border="0" align="absmiddle" alt="$ccode"  
> > > > > title=rumoured"$ccode"></a>  
> > > > > +				</td>
> > > > > +				<td align="center">rumoured
> > > > > +					$rdns
> > > > > +				</td>
> > > > >  				<td bgcolor="$bgcolour" align="center">
> > > > >  					<font    
> > > > > color="$colour"><strong>$message</strong></font>    
> > > > >  				</td>
> > > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > > > > index af96a6445..4cf866a3a 100644
> > > > > --- a/langs/de/cgi-bin/de.pl
> > > > > +++ b/langs/de/cgi-bin/de.pl
> > > > > @@ -1951,6 +1951,7 @@
> > > > >  'quick playlist' => 'Quick Playlist',
> > > > >  'ram' => 'RAM-Speicher',
> > > > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > > > +'rdns' => 'rDNS',
> > > > >  'read bytes' => 'Gelesene Bytes',
> > > > >  'read list' => 'Liste der Leseberechtigten',
> > > > >  'real address' => 'Reale Addresse',
> > > > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > > > > index 7e4f95ccf..946aba873 100644
> > > > > --- a/langs/en/cgi-bin/en.pl
> > > > > +++ b/langs/en/cgi-bin/en.pl
> > > > > @@ -1989,6 +1989,7 @@
> > > > >  'quick playlist' => 'Quick Playlist',
> > > > >  'ram' => 'RAM',
> > > > >  'random number generator daemon' => 'Random Number Generator Daemon',
> > > > > +'rdns' => 'rDNS',
> > > > >  'read bytes' => 'Read Bytes',
> > > > >  'read list' => 'list with readonly hosts',
> > > > >  'real address' => 'Real Address',    
> > > 
> > >   
> 
>

diff mbox series

Patch

diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
index 299612d4c..cd2223ac6 100644
--- a/html/cgi-bin/netexternal.cgi
+++ b/html/cgi-bin/netexternal.cgi
@@ -25,9 +25,13 @@  use strict;
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
 
+use IO::Socket;
+use Geo::IP::PurePerl;
+
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
+require "${General::swroot}/geoip-functions.pl";
 require "${General::swroot}/graphs.pl";
 
 my %color = ();
@@ -99,6 +103,12 @@  if ( $querry[0] ne~ ""){
 						<strong>$Lang::tr{'nameserver'}</strong>
 					</th>
 					<th align="center">
+						<strong>$Lang::tr{'flag'}</strong>
+					</th>
+					<th align="center">
+						<strong>$Lang::tr{'rdns'}</strong>
+					</th>
+					<th align="center">
 						<strong>$Lang::tr{'status'}</strong>
 					</th>
 				</tr>
@@ -138,10 +148,25 @@  END
 		}
 
 		my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};
+		
+		my $iaddr = inet_aton($nameserver);
+		my $rdns = gethostbyaddr($iaddr, AF_INET);
+		if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; }
+
+		my $gi = Geo::IP::PurePerl->new();
+		my $ccode = $gi->country_code_by_name($nameserver);
+		my $fcode = lc($ccode);
+		my $flag_icon = &GeoIP::get_flag_icon($fcode);
 
 		print <<END;
 			<tr bgcolor="$table_colour">
 				<td>$nameserver</td>
+				<td align="center">
+					<a href="country.cgi#$fcode"><img src="$flag_icon" border="0" align="absmiddle" alt="$ccode" title="$ccode"></a>
+				</td>
+				<td align="center">
+					$rdns
+				</td>
 				<td bgcolor="$bgcolour" align="center">
 					<font color="$colour"><strong>$message</strong></font>
 				</td>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index af96a6445..4cf866a3a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1951,6 +1951,7 @@ 
 'quick playlist' => 'Quick Playlist',
 'ram' => 'RAM-Speicher',
 'random number generator daemon' => 'Random Number Generator Daemon',
+'rdns' => 'rDNS',
 'read bytes' => 'Gelesene Bytes',
 'read list' => 'Liste der Leseberechtigten',
 'real address' => 'Reale Addresse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 7e4f95ccf..946aba873 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1989,6 +1989,7 @@ 
 'quick playlist' => 'Quick Playlist',
 'ram' => 'RAM',
 'random number generator daemon' => 'Random Number Generator Daemon',
+'rdns' => 'rDNS',
 'read bytes' => 'Read Bytes',
 'read list' => 'list with readonly hosts',
 'real address' => 'Real Address',