View Issue Details

IDProjectCategoryView StatusLast Update
0004957unrealircdpublic2017-10-08 15:19
ReporterGottemAssigned Tosyzop 
PrioritynormalSeveritytweakReproducibilityN/A
Status resolvedResolutionfixed 
Platformx86_64OSDebianOS Version7 (wheezy)
Product Version4.0.10 
Target VersionFixed in Version4.0.16 
Summary0004957: Hide last hostname part from cloaked hosts
DescriptionSome people may also want to hide the last bit of the cloaked host, for whatever reasons. So in the case of my dev net, my host would not be "halp-8A208773.home.lan" but "halp-8A208773" instead.

Proposal:
* Add config directive to toggle the "full" cloak (default = no).
Steps To ReproduceN/A
Additional InformationPatch is attached. It's for v4.0.10 but I couldn't find any differences between that and the git repo. =]

Opted for a patch instead of a module because it's probably a much wanted feature, plus people would have to screw with .default.conf files to make sure the new mod doesn't interfere with cloak.c.
TagsNo tags attached.
3rd party modulesN/A

Activities

Gottem

2017-05-26 15:34

reporter  

fullcloak.patch (1,391 bytes)

syzop

2017-05-28 09:59

administrator   ~0019777

I see, so you want more privacy. I think in such cases IP-only cloaking would be better.. so that everyone gets an XXX.YYY.ZZZ.IP cloaked host. That at least gives you some sort of ranging.
Right now in order for all your users to get XXX.YYY.ZZZ.IP cloaking you have to use allow::options::useip.. which I doubt many people know. We could move that to a cloak option.

What do you think. Do you think XXX.YYY.ZZZ.IP still gives away "too much" information?
Do you think full cloaking would still be useful? If so, then I'd suggest to cloak it based on the IP and not on DNS. Why? Doing it on a resolved hostname serves no purpose.. it can only fail occasionally and then you would have to cloak on ip and get a completely different host. In other words: it has no benefit to use DNS if you don't display any of it, only downsides AFAICT.

What do you think?

Gottem

2017-05-29 18:04

reporter   ~0019779

Well I actually looked into this in the first place because PeGaSuS wanted a "full" cloak. I don't like the XXX.YYY.ZZZ.IP format myself, I roll with halp-8A208773.home.lan. =]

I must admit I never dove into the allow {} block much, I wouldn't have thought the option would be in there. :D

I think PeGaSuS actually wants the XXX.YYY.ZZZ.IP mask though. In my opinion the "useip" directive should be network-wide (so somewhere in the set {} block?). I doubt there will ever be a case where you want to use the IP cloak for a certain set of clients only.

The_Myth

2017-08-10 19:34

reporter   ~0019820

Quoting Syzop "Right now in order for all your users to get XXX.YYY.ZZZ.IP cloaking you have to use allow::options::useip.. which I doubt many people know. We could move that to a cloak option."

Here's the global idea. What i was thinking about was about UnrealIRCd still doing DNS resolving, but on cloak apply like if it wasn't doing it.

So, if someone connects from bl9-103-48.dsl.telepac.pt (resolved hostname) we can apply bans by country, like /gline *@*.pt.
After the hostname being resolved the next step would be convert it into a single IP like 85.242.103.48, wich will return the cloak type i like to have: XXX.YYY.ZZZ.IP.

I hope i'm clear enough.

Can this be achieved by any chance?

The_Myth

2017-08-10 19:38

reporter   ~0019821

Sorry, i forgot one question on my previous note.
With allow::options::useip enabled will UnrealIRCd do the dns resolving anyway?

The_Myth

2017-08-14 21:58

reporter   ~0019822

I've tried the option of allow::options::useip, and as expected it affects DNS resolving.
DNS resolving is important to ban by hostname, but the cloaked host will be always something like Clk-9025166E.rev.sfr.fr and the allow::options::useip can not be used.
I, personally, don't like those kind of hostmask. I prefer the XXX.YYY.ZZZ.IP method.
I think this could be a good enhancement to have IRCd using DNS resolving upon connection, and after successful connection be able to set the cloaked mask as the method i prefer.
Hoping to hear good news about this.
Best regards.

Amiga600

2017-09-27 23:27

reporter   ~0019887

I think there could be several methods regarding cloaking.

For example:
IP Cloaks: "IP4"=1.2.3.4 "IP3"=1.2.3.X "IP2"=1.2.X.X

Eg. ip.1.2.3.4.cable.isp.net
Host: "Host1"=cloak-<cloak>.cable.isp.net "Host2"=cloak-<cloak>.isp.net

syzop

2017-10-08 15:19

administrator   ~0019902

commit 1b6d49a9dc486772c534c3173b791e57a408db27
Author: Bram Matthys <syzop@vulnscan.org>
Date: Sun Oct 8 15:14:57 2017 +0200

    Add set { cloak-method ip; }; which will make cloaking only be done
    on the IP and thus result in an XX.YY.ZZ.IP cloaked host.
    This so you can have "IP cloaking" without disabling DNS lookups.
    GLINES on hosts still work and IRCOps (and yourself) can still see
    the host in /WHOIS.
    Requested in 4957 by Gottem and The_Myth.

https://github.com/unrealircd/unrealircd/commit/1b6d49a9dc486772c534c3173b791e57a408db27

I hope that will suffice for now :)

Issue History

Date Modified Username Field Change
2017-05-26 15:34 Gottem New Issue
2017-05-26 15:34 Gottem File Added: fullcloak.patch
2017-05-28 09:59 syzop Note Added: 0019777
2017-05-28 09:59 syzop Assigned To => syzop
2017-05-28 09:59 syzop Status new => feedback
2017-05-29 18:04 Gottem Note Added: 0019779
2017-08-10 19:34 The_Myth Note Added: 0019820
2017-08-10 19:38 The_Myth Note Added: 0019821
2017-08-14 21:58 The_Myth Note Added: 0019822
2017-09-27 23:27 Amiga600 Note Added: 0019887
2017-10-08 15:19 syzop Status feedback => resolved
2017-10-08 15:19 syzop Resolution open => fixed
2017-10-08 15:19 syzop Fixed in Version => 4.0.16
2017-10-08 15:19 syzop Note Added: 0019902