
If I do ping malicioussite.com or nslookup malicioussite.com, is there any risk for me? Will the people behind the malicious site know I'm looking them up?

I'd like to make a program to use an IP address to find the domain and vice versa.

Anders
qnxyy

2 Answers


Doing nslookup will only contact your configured DNS server (and then that server might forward the query to other DNS servers, but not in your name), no packet will arrive from your computer to malicioussite.com.

Pinging will send ICMP packets to the server of malicioussite.com, and if they track packets they will see your IP address. Though ping itself is a pretty safe program strictly speaking, if you're worried that exposing your IP address to someone with bad intentions is a risk, then you could do so through a proxy, a VPN, or via the Tor network.

As far as reverse lookups go, see the following answer here: https://serverfault.com/questions/74042/resolve-host-name-from-ip-address#74044

Tom Klino
  • Thanks for the reply! For nslookup, what about the DNS server? Is the DNS server traceable by the malicious site? Might be configured by my company so I'm unsure if I should do nslookups – qnxyy Aug 10 '16 at 10:14
  • You can see what is your DNS server by running `ipconfig /all` on windows, or `cat /etc/resolv.conf` on linux machines. It should not be traceable by the malicious site. – Tom Klino Aug 10 '16 at 10:47
  • @qnxyy: If `malicioussite.com` controls their authoritative DNS server, then they _would_ be able to tell which DNS server made the request to it. If this is a local one in your organisation then they will be able to trace it to your organisation. – SilverlightFox Aug 11 '16 at 11:04

Some authoritative DNS servers may reveal the first 24 bits of an IPv4 address if they are configured with Google's extension EDNS Client Subnet:

In addition, Google Public DNS engineers have proposed a technical solution called EDNS Client Subnet. This proposal allows resolvers to pass in part of the client's IP address (the first 24/64 bits or less for IPv4/IPv6 respectively) as the source IP in the DNS message, so that name servers can return optimized results based on the user's location rather than that of the resolver. To date, we have deployed an implementation of the proposal for many large CDNs (including Akamai) and Google properties. The majority of geo-sensitive domain names are already covered.

Therefore if you make a query to a DNS server

PC @ 203.0.113.224 --> DNS Resolver @ 198.51.100.50:53 
                              --> Authoritative DNS @ 192.0.2.100:53

And if DNS Resolver supports the extension, the Authoritative DNS will see 203.0.113.X as your IP address.

If not, but DNS Resolver is at your company and malicioussite.com controls their Authoritative DNS server, then they will see that 198.51.100.50 has made a query for malicioussite.com, revealing your company to them.

Ping sends an ICMP packet from 203.0.113.224 to malicioussite.com, so the source IP would be viewable by them should they be logging or monitoring packets on this protocol. Ping of course uses DNS to lookup the IP address, so the points in my previous paragraph apply here as well.

Realistically speaking there is little risk to you as domains get queried all the time, and servers get pinged all the time. Privacy could be a concern if it is a domain name that only you (or a subset of people) would be privy to - e.g. the domain mrji8g45vcxa5.malicioussite.example.com can't really be accidentally looked up without you knowing that it exists somehow. If they know that only you know it, this could leak your whereabouts.

To ensure privacy of your program if it is indeed looking up such private domains, you could ensure it uses a public DNS server that does not support EDNS Client Subnet for its forward and reverse lookups. You could host such a server yourself if you are making this program for clients, and you are happy that target systems know that it is your program that is looking them up, but not necessarily which client.

SilverlightFox
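To make the two answers concrete, here is an added example (written for this page, not code from either answer) that builds the query a stub resolver sends for a forward (A) or reverse (PTR) lookup, optionally tags it with an EDNS Client Subnet option as described in the second answer, and then parses the packet the way malicioussite.com's authoritative server would. The addresses are the ones from the diagram above (203.0.113.224 as the PC, 192.0.2.100 as the authoritative server); the IPv6 address and the /24 and /56 prefix lengths are assumptions, the latter being the lengths RFC 7871 recommends. Only the Python standard library is used and nothing is sent on the network, so it runs offline.

```python
"""Added example (not from the original answers): what a DNS query carries.

Without ECS the authoritative server only learns the question and the
resolver's source address (which is not inside the packet at all).  With
ECS it additionally learns a truncated copy of the client's address.
"""
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8           # EDNS option code for Client Subnet (RFC 7871)
OPT_RRTYPE = 41               # OPT pseudo-RR type (RFC 6891)
QTYPE = {"A": 1, "PTR": 12, "AAAA": 28}


def reverse_name(ip: str) -> str:
    """Name a reverse lookup asks for, e.g. 224.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(client_ip: str, prefix_len: Optional[int] = None) -> bytes:
    """EDNS option carrying the client's address truncated to prefix_len bits.

    Defaults are the RFC 7871 recommendation: /24 for IPv4, /56 for IPv6
    (the Google text quoted above uses 24/64).  Host bits are zeroed and
    only ceil(prefix_len / 8) address bytes are sent.
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    if prefix_len is None:
        prefix_len = 24 if addr.version == 4 else 56
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    nbytes = (prefix_len + 7) // 8
    data = struct.pack("!HBB", family, prefix_len, 0)   # family, source, scope
    data += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(name: str, qtype: str, txn_id: int = 0x1234,
                ecs: Optional[bytes] = None) -> bytes:
    """Standard recursive query; with ecs, an OPT RR is added to the additional section."""
    arcount = 1 if ecs else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    opt = b""
    if ecs:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext flags, RDATA = options
        opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 1232, 0, len(ecs)) + ecs
    return header + question + opt


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name (we never emit compression pointers)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def authoritative_view(msg: bytes) -> dict:
    """What a server receiving this packet can learn from its contents."""
    _, _, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    view = {"qname": qname, "qtype": qtype, "client_subnet": None}
    for _ in range(arcount):
        _, off = decode_name(msg, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rrtype != OPT_RRTYPE:
            continue
        p = 0
        while p < len(rdata):                       # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code == ECS_OPTION_CODE:
                family, src, _ = struct.unpack("!HBB", body[:4])
                raw = body[4:]
                full = raw + b"\x00" * ((4 if family == 1 else 16) - len(raw))
                view["client_subnet"] = f"{ipaddress.ip_address(full)}/{src}"
    return view


if __name__ == "__main__":
    plain = build_query("malicioussite.com", "A")
    tagged = build_query("malicioussite.com", "A", ecs=ecs_option("203.0.113.224"))
    print("no ECS :", authoritative_view(plain))
    print("with ECS:", authoritative_view(tagged))
    print("reverse :", authoritative_view(build_query(reverse_name("192.0.2.100"), "PTR")))
```

With ECS the server sees 203.0.113.0/24, never the full 203.0.113.224; without it the packet names only the question, and the sole address it can log is the resolver's, which is exactly the "your company is revealed" case in the second answer. A reverse lookup is just another query, for the in-addr.arpa or ip6.arpa name, so the same considerations apply to it.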