paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 12:04 pm

Hello,

I was wondering what the :resolve mechanism is for reverse IPs.
For a direct hostname it is natural; for a reverse IP I am asking:
:put [:resolve dns.google]
the result is 8.8.8.8, this is normal DNS
:put [:resolve 8.8.8.8]
the result is dns.google, but from where?

Not all IPs are resolved by the MikroTik "resolve" command, only those from DNS Static and Cache as far as I see.
Is there a dig command behind it? How can we improve the output? Can someone share a script that takes the info from an external source?

Thanks,
Paul
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 3:48 pm

Before going further, it is better that you understand what a reverse DNS PTR (.in-addr.arpa) is and why some IPs have a reverse PTR and others do not.
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 4:43 pm

Yes, you are right, reverse lookup (reverse PTR) and whois are not the same: one searches for a published DNS record and the other searches stored record information, based on ARIN for example and cross-referenced to existing IP databases.
I presume MikroTik's resolve uses DNS reverse lookup and certainly not a third-party whois service.
What I need is a quick way to "color" my blacklist address-lists, and I was lazily hoping for a miracle "resolve".

I need to get into more complex scripts with an external API. Is there a miracle out there? Still lazy ;)

Regards.
 
bpwl
Forum Guru
Posts: 3138
Joined: Mon Apr 08, 2019 1:16 am

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 5:01 pm

As @rextended said, look at the ".in-addr.arpa" PTR.

There are many possible answers, or even none. Many DNS names may point at the same IP address. This is certainly the case for hosted websites, with many unrelated websites on the same web server (farm). And anyone can think of mechanisms for using different DNS names to forward to many servers behind a reverse proxy, or just different access to one and the same server or website.

For public IP addresses, try this one: https://www.yougetsignal.com/tools/web- ... eb-server/

254 websites on 8.8.8.8, just as an example
[attachment: Klembord-2.jpg]
Last edited by bpwl on Thu Oct 27, 2022 5:57 pm, edited 1 time in total.
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 5:35 pm

:foreach a in=[/ip firewall address-list find list=blacklist] do={
    # :do ... on-error wraps the lookup so an address without a PTR
    # ("dns name does not exist") is skipped instead of aborting the loop
    :do {
        /ip firewall address-list set $a comment=[:resolve [/ip firewall address-list get $a address]]
    } on-error={}
}
This is what I am talking about. But this is a reverse lookup and not a whois resolve.

Some guy posted something, but I have not read it in full (yet). viewtopic.php?t=55738

Other sources?
JSON: https://rdap.arin.net/registry/ip/8.0.0.0
put-an-address-by-hand style: https://whois.arin.net/rest/net/NET-8-8 ... ?s=8.8.8.8
Not token based, but wait until you cross the https://www.arin.net/resources/registry/whois/tou/
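The RDAP endpoint linked above returns JSON in the shape of RFC 9083. Here is an added example (not code from the thread or from MikroTik) that parses such an answer into the kind of one-line label an address-list comment is meant to hold. The sample record is constructed with documentation-prefix and example.net placeholder values; fetch_rdap, the RDAP_URL template and the Accept header are assumptions for a live query and are not exercised offline. Note what a registry answer can and cannot give: the registrant organisation, the allocation range and an abuse contact, but never a hostname.

```python
"""Turn an RDAP 'ip network' answer into an address-list comment.
Added example, not from the thread or MikroTik. SAMPLE is a constructed
response in RFC 9083 shape; fetch_rdap does the live query (network) and
is not run here."""
import ipaddress
import json
import urllib.request
from typing import Any, Dict, List, Optional

RDAP_URL = "https://rdap.arin.net/registry/ip/{ip}"  # endpoint named in the post


def fetch_rdap(ip: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Live lookup. ARIN's terms of use apply to automated queries."""
    req = urllib.request.Request(
        RDAP_URL.format(ip=ip), headers={"Accept": "application/rdap+json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vcard_field(entity: Dict[str, Any], prop: str) -> Optional[str]:
    """Value of a jCard property ('fn' = formatted name, 'email', ...)."""
    vcard = entity.get("vcardArray") or []
    if len(vcard) < 2:
        return None
    for item in vcard[1]:
        if item[0] == prop:
            return item[3]
    return None


def entity_with_role(obj: Dict[str, Any], role: str) -> Optional[Dict[str, Any]]:
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            return ent
    return None


def registrant_name(obj: Dict[str, Any]) -> Optional[str]:
    """Holder of the allocation: the registry knows the organisation, not hosts."""
    ent = entity_with_role(obj, "registrant")
    if ent is None:
        entities = obj.get("entities", [])
        ent = entities[0] if entities else None
    return vcard_field(ent, "fn") if ent else None


def abuse_contact(obj: Dict[str, Any]) -> Optional[str]:
    ent = entity_with_role(obj, "abuse")
    return vcard_field(ent, "email") if ent else None


def network_cidrs(obj: Dict[str, Any]) -> List[str]:
    """RDAP reports a start/end pair; collapse it to CIDR blocks."""
    start = ipaddress.ip_address(obj["startAddress"])
    end = ipaddress.ip_address(obj["endAddress"])
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def summarize(obj: Dict[str, Any]) -> str:
    """'org | handle | cidr | country', short enough for a firewall comment."""
    parts = [
        registrant_name(obj) or obj.get("name", "?"),
        obj.get("handle", "?"),
        ",".join(network_cidrs(obj)),
    ]
    if obj.get("country"):
        parts.append(obj["country"])
    return " | ".join(parts)


# Constructed sample (not a real registry record): documentation prefix and
# example.net placeholders.
SAMPLE: Dict[str, Any] = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "NET-192-0-2-0-EXAMPLE",
  "startAddress": "192.0.2.0",
  "endAddress": "192.0.2.255",
  "ipVersion": "v4",
  "name": "EXAMPLE-NET",
  "type": "DIRECT ALLOCATION",
  "country": "US",
  "entities": [
    {"objectClassName": "entity", "handle": "EXAMPLE-ORG", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Hosting LLC"],
                              ["kind", {}, "text", "org"]]]},
    {"objectClassName": "entity", "handle": "ABUSE-EXAMPLE", "roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Abuse Desk"],
                              ["email", {}, "text", "abuse@example.net"]]]}
  ]
}
""")

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("abuse:", abuse_contact(SAMPLE))
```

To enrich a blacklist from a router, a small host running this script can query RDAP for each address, rate-limited, and push summarize() back into the comment field over the RouterOS API; the registry answer identifies the holder of the prefix, not the host, so it tells you who to complain to rather than what the machine is.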
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?  [SOLVED]

Thu Oct 27, 2022 5:54 pm

Neither I nor @bpwl ever mentioned whois.

Read post #2
Last edited by rextended on Thu Oct 27, 2022 5:59 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 5:59 pm

# :execute runs the lookup as a separate job, so a failed :resolve
# (no PTR) cannot abort the calling script; the result comes back
# through the global variable after the short delay
:global reverse do={
    :global testrev ""
    :execute ":global testrev; :set testrev [:resolve $1]"
    :delay 2s
    :return $testrev
}

:put [$reverse 8.8.8.8]
:put [$reverse 10.4.5.8]
 
bpwl
Forum Guru
Posts: 3138
Joined: Mon Apr 08, 2019 1:16 am

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 6:11 pm

Just FYI. Reverse IP: there are many use cases for this.
As Windows PCs, or SQL or Oracle DB access, become very slow when they cannot reverse-resolve their IP addresses (they keep trying for some time), an easy solution is to put a generic in-addr.arpa PTR entry in the DNS server for the whole subnet, e.g. something like "PC.company.net".
I have never seen a requirement that forward DNS and reverse PTR should/could be in sync or even related.
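To make concrete both what :resolve does with an IP (rextended's function above) and bpwl's point that a PTR need not agree with forward DNS, the following added example (not code from the thread or from MikroTik) builds the in-addr.arpa / ip6.arpa query name, performs the reverse lookup without letting a non-existent name abort the run, and then forward-confirms the PTR (FCrDNS). FakeResolver, its records and the SystemResolver class are all assumptions of this example; the sample records are constructed, using the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 plus the dns.google / 8.8.8.8 pair from the thread.

```python
"""Reverse DNS (PTR) with forward confirmation, runnable offline.
Added example, not from the thread or MikroTik: FakeResolver serves constructed
records, SystemResolver queries the OS resolver (network, not exercised here)."""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """Query name behind a reverse lookup: octets reversed under in-addr.arpa
    for IPv4, every hex nibble reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."


# A resolver is any object with ptr(ip) and addresses(name), each returning a
# list of strings and raising LookupError when the name does not exist.
def lookup_ptr(ip: str, r) -> Optional[str]:
    """First PTR target, or None for 'dns name does not exist' (the failure
    that aborts a RouterOS script unless caught)."""
    try:
        answers = r.ptr(ip)
    except LookupError:
        return None
    return answers[0] if answers else None


def forward_confirmed(ip: str, r) -> Tuple[Optional[str], bool]:
    """FCrDNS: the PTR target must resolve back to ip. Whoever controls the
    in-addr.arpa delegation can publish any PTR text, so an unconfirmed PTR
    says nothing about who really owns that name."""
    name = lookup_ptr(ip, r)
    if name is None:
        return None, False
    try:
        forward = {ipaddress.ip_address(a) for a in r.addresses(name)}
    except LookupError:
        return name, False
    return name, ipaddress.ip_address(ip) in forward


def comment_for(ip: str, r) -> str:
    """Short label for an address-list comment."""
    name, ok = forward_confirmed(ip, r)
    if name is None:
        return "no PTR"
    return f"{name} ({'FCrDNS ok' if ok else 'PTR not forward-confirmed'})"


# Constructed records (not real DNS data) on documentation prefixes; 192.0.2.20
# carries a PTR claiming dns.google although dns.google's A records point elsewhere.
_A: Dict[str, List[str]] = {
    "dns.google.": ["8.8.8.8", "8.8.4.4"],
    "www.example.net.": ["192.0.2.10"],
    "v6.example.net.": ["2001:db8::1"],
}
_PTR: Dict[str, List[str]] = {
    reverse_name("8.8.8.8"): ["dns.google."],
    reverse_name("192.0.2.10"): ["www.example.net."],
    reverse_name("2001:db8::1"): ["v6.example.net."],
    reverse_name("192.0.2.20"): ["dns.google."],
}


class FakeResolver:
    @staticmethod
    def _get(table: Dict[str, List[str]], qname: str) -> List[str]:
        if qname not in table:
            raise LookupError(f"NXDOMAIN {qname}")
        return table[qname]

    def ptr(self, ip: str) -> List[str]:
        return self._get(_PTR, reverse_name(ip))

    def addresses(self, name: str) -> List[str]:
        return self._get(_A, name)


class SystemResolver:
    """Real lookups through the OS stub resolver."""
    def ptr(self, ip: str) -> List[str]:
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
        except OSError as e:
            raise LookupError(str(e)) from e
        return [h.rstrip(".") + "." for h in [host, *aliases]]

    def addresses(self, name: str) -> List[str]:
        try:
            infos = socket.getaddrinfo(name.rstrip("."), None)
        except OSError as e:
            raise LookupError(str(e)) from e
        return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.4.5.8", "192.0.2.20", "2001:db8::1"):
        print(f"{ip:<16} {comment_for(ip, FakeResolver())}")
```

The forward check is the part a plain :resolve cannot do: a PTR is published by whoever holds the reverse delegation for the prefix, so a blacklist comment that copies it verbatim is copying the attacker's own label. Recording whether the name round-trips keeps the comment honest.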
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?

Thu Oct 27, 2022 6:29 pm

@bpwl I owe you a favor, thanks for the hint about Oracle and SQL...
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 9:31 am

:global reverse do={ :global testrev "" ; :execute ":global testrev; :set testrev [:resolve $1]" ; :delay 2s; :return $testrev}

:put [$reverse 8.8.8.8]
:put [$reverse 10.4.5.8]
I do not understand this post. Thank you for the script. It is a nice script that helps me learn (lazy me).
But what is the difference between your script and :put [:resolve 10.4.5.8], other than a delay of 2 seconds and not having the error exception "failure: dns name does not exist", which was script-breaking?
BTW:
:put [$reverse 10.4.5.8]
reverses to nothing, as I do not have this private IP in my network, but 8.8.8.8 gives dns.google, which is OK of course.

So, the answer to the initial question is: MikroTik :resolve uses the simple reverse DNS lookup mechanism and there is no other whois implementation in MikroTik firmware.
I need to script whois from an external source.

Thank you.
Regards.
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 10:01 am

I do not understand this post.
[...]

No, you have understood the post:
[...] difference between your script and :put [:resolve 10.4.5.8], other than a delay of 2 seconds and not having the error exception "failure: dns name does not exist", which was script-breaking [...]

:put [$reverse 10.4.5.8]
[...] reverses to nothing, as I do not have this private IP in my network [...]
It is chosen on purpose: the reverse DNS PTR almost surely does not exist, and it is a good example of how to skip the error.


[...]
I need to script whois from an external source.
[...]
To obtain what exactly?
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 10:58 am

[...]
I need to script whois from an external source.
[...]
To obtain what exactly?

I said that in post #3:
What I need is a quick way to "color" my blacklist address-lists, and I was lazily hoping for a miracle "resolve".

Meaning, resolve the list to hostnames.

Right now I have some blacklists and I obtain the info manually from AbuseIPDB...
And I paste the info into comments. Yes, I can copy-paste only the hostname...
https://www.abuseipdb.com/check/45.79.82.183

So, the script:
:foreach a in=[/ip firewall address-list find list=blacklist] do={
    :do {
        /ip firewall address-list set $a comment=[:resolve [/ip firewall address-list get $a address]]
    } on-error={}
}
does exactly that, except it is a simple reverse DNS lookup and the "nice" servers hide or do not have the PTRs.
Hence the whois need.
I would like to have something simple working like:
:put [:whois 1.2.3.4]

and hypothetically

:foreach a in=[/ip firewall address-list find list=blacklist] do={
    :do {
        /ip firewall address-list set $a comment=[:whois [/ip firewall address-list get $a address]]
    } on-error={}
}
would do the trick

Regards
 
rextended
Forum Guru
Posts: 12659
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 12:49 pm

In the example from @bpwl you can see that a single IP, 8.8.8.8, has dozens of sites behind it, and only one reverse PTR, to dns.google.

If the IP does not have a PTR, there is no guarantee that any DNS name points to that IP;
whois reports only the domain name of the organization, not the hostname,
like https://www.abuseipdb.com/check/192.88.88.88

What does this mean? Simply that if the reverse PTR does not resolve, a simple whois cannot give a DNS name.
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 1:43 pm

Now, it seems that I am also greedy, not only lazy. You are right about whois; I was just giving an "example function". Not even Whois-RWS gives a hostname, maybe a domain at least. And let's not forget about the huge list of subdomains that can be proxied from an IP. Ex: https://www.abuseipdb.com/whois/45.79.82.183 (and I am not talking about VPN or TOR exits).

OK, I come back to the word "color", as in coloring the list: what I am trying to achieve is an automatic way to populate the comments of a blacklist.
By looking at/searching the comments containing a domain/hostname, I can maybe identify something that does not deserve being there or needs doubling down on.

Regards
 
bpwl
Forum Guru
Posts: 3138
Joined: Mon Apr 08, 2019 1:16 am

Re: What is the :resolve mechanism for reverse IP?

Fri Oct 28, 2022 6:13 pm

Blacklisting or coloring IP addresses is not very precise.
Some issues with IP-address blacklists do exist.
If your corporate mail server or corporate web server is hosted, you will have quite some work to do if the IP address (or even subnet) ends up in one or another spam list or blacklist.
You are just blocked for your customers and suppliers because of malicious activity by unknown others from the same subnet. Whois will return the hosting company or ISP, at best.
One of the things to do is go explain to the CEO what happened. And he/she will NOT understand why his/her friend-CEOs complain about you not being reachable, as a professional corporation.

Coloring via DNS is more selective. It's a long list, but subscription to such dynamically maintained lists is quite common in firewalls.
Country filtering in IPv4 is quite static. But again, try traceroute or "yougetsignal-trace" for common IP addresses like 8.8.8.8.
You will find them nearby, from wherever you start looking.
 
paulz
newbie
Topic Author
Posts: 35
Joined: Wed May 25, 2022 1:25 pm

Re: What is the :resolve mechanism for reverse IP?

Mon Oct 31, 2022 4:02 pm

Thanks for the suggestions; you are right in all aspects. Blacklists are dangerous in many ways, which is why I need to keep looking at them from time to time; the IPs are there, and I populate the comments manually (the critical ones).
For years I used pfSense with Snort and DansGuardian, and that kept me out of many problems, but it was a 200W sucker: huge startup time, the chance that after a power failure your setup gets scrambled, etc. I tried virtualization but had hiccups for anything more than 1GB. Even Fail2Ban... failed me.
I used that in parallel with MikroTik CHR (another 200W sucker) and MT WiFi APs, but lately I moved over to MT routerboards only.

The Dude server is back, containers are stable, I will test and repurpose the pi-hole container with more lists or load them directly via script. Maybe a Snort or Suricata Docker container if someone has it.