certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.

Home Page: https://docs.intelmq.org/latest/

gethostbyname: Only returns one IPv4 address per domain, no IPv6

sebix opened this issue

The gethostbyname expert resolves a domain name (*.fqdn) to the IP address (*.ip), but

  • only one IP address, not all of the A-records
  • only for IPv4, not for IPv6
    because socket.gethostbyname works this way

This has only limited benefits.
When the input event contains a URL/FQDN and you want to compare that to firewall entries, you always need all IP addresses this IP resolves to, not just any one.
When you want to block hosts based on their IP addresses, you also need to block all of them.
Only if you want to get contact data for the host does one IP address suffice.

Alternative Python calls are

  • socket.gethostbyname_ex, which returns a list of addresses per host, but only IPv4
  • socket.getaddrinfo also returns IPv6 addresses, but requests a destination port and is therefore unsuitable for our purpose.
    So what's left is using dnspython
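As an added example (not code from the issue above and not IntelMQ's gethostbyname expert), here is a resolver built on socket.getaddrinfo. getaddrinfo accepts None as the port argument, so no destination port is needed when the goal is only name resolution; it returns A and AAAA results together, one tuple per (family, socket type, protocol) combination, so the same address appears several times and has to be deduplicated. The second function covers the firewall-comparison use case named above: check every resolved address, not just one, against a list of blocked networks. The fake resolver, the host name and the addresses are constructed so the example runs offline; the output keys "ip" and "ipv6" are assumptions for this example, not IntelMQ harmonization field names.

```python
import ipaddress
import socket
from typing import Callable, Dict, List


def resolve_all(fqdn: str, getaddrinfo: Callable = socket.getaddrinfo) -> Dict[str, List[str]]:
    """Resolve fqdn to every A and AAAA address, deduplicated and split by family.

    socket.getaddrinfo takes None as the port: the port only matters when the
    result is handed straight to connect(). It yields one tuple per
    (family, socktype, proto) combination, so one address can appear several
    times; the set below removes those duplicates while keeping answer order.
    Raises socket.gaierror when the name does not resolve (same as socket).
    """
    seen = set()
    # "ip" / "ipv6" are example keys, not IntelMQ harmonization fields.
    out: Dict[str, List[str]] = {"ip": [], "ipv6": []}
    for _family, _socktype, _proto, _canonname, sockaddr in getaddrinfo(fqdn, None):
        addr = ipaddress.ip_address(sockaddr[0])  # sockaddr[0] is the textual address
        if addr in seen:
            continue
        seen.add(addr)
        out["ipv6" if addr.version == 6 else "ip"].append(str(addr))
    return out


def blocked_addresses(resolved: Dict[str, List[str]], blocklist: List[str]) -> List[str]:
    """Return every resolved address that falls inside a blocklisted network.

    Checking all addresses (IPv4 and IPv6) is the point: a host with several
    A records is only partly covered if just one of them is compared.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in blocklist]
    hits = []
    for ip in resolved["ip"] + resolved["ipv6"]:
        addr = ipaddress.ip_address(ip)
        # ipaddress returns False for a version mismatch (IPv4 in an IPv6 net).
        if any(addr in net for net in nets):
            hits.append(ip)
    return hits


# Constructed sample data: what getaddrinfo returns for a host with two A
# records and one AAAA record, including the per-socket-type duplicates.
SAMPLE_ANSWERS = {
    "mail.example.com": [
        (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("192.0.2.10", 0)),
        (socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP, "", ("192.0.2.10", 0)),
        (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("192.0.2.11", 0)),
        (socket.AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("2001:db8::10", 0, 0, 0)),
        (socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP, "", ("2001:db8::10", 0, 0, 0)),
    ],
}


def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    """Offline stand-in for socket.getaddrinfo with the same signature (constructed)."""
    try:
        return list(SAMPLE_ANSWERS[host])
    except KeyError:
        raise socket.gaierror(f"{host}: Name or service not known")


if __name__ == "__main__":
    # Pass getaddrinfo=socket.getaddrinfo (the default) to resolve for real.
    resolved = resolve_all("mail.example.com", getaddrinfo=fake_getaddrinfo)
    print(resolved)
    print(blocked_addresses(resolved, ["192.0.2.0/29", "2001:db8::/32"]))
```

With the constructed answers the resolver returns both A records and the single AAAA record once each, and the blocklist check reports only the IPv6 address: 192.0.2.0/29 ends at 192.0.2.7, so neither A record matches, while 2001:db8::/32 covers the AAAA record. Resolving against the real socket.getaddrinfo yields whatever the system resolver returns, which is still not a direct DNS query (no TTLs, no control over the nameserver); that is the part where dnspython goes further.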