How to determine whether a public IP address is the final server (end user) address
1. Problem Overview
In our daily penetration testing work, we usually need to resolve a public network address from the domain name information provided by the customer.
There are many tools for this (for example the system's built-in nslookup command or webmaster tools), so I will not waste space on them. However,
because website acceleration technology (such as CDN acceleration) is so widely used, the public address we obtain through conventional technical means
is usually the public address of the supplier providing the acceleration service, rather than the final address of the customer's server. How can we tell the difference? First,
let's take a look at how CDN acceleration works.
2. Analysis of Acceleration Principles
This section covers two cases: 1. how a website is accessed under normal circumstances; 2. how a website is accessed after acceleration.
2.1 Analysis of normal website access
1. The user accesses the website through a browser, for example www.gcexe.com.
2. The system sends a query request to the DNS server (the DNS servers query recursively, and the request finally reaches the DNS server of the domain name supplier).
3. The DNS server returns the Internet address of www.gcexe.com, for example 221.224.24.214.
4. The system sends an HTTP page request to 221.224.24.214.
5. The website server returns the requested page to the user's system.
6. The website content is displayed in the user's browser and the process is complete.
For normal processing, an A (host) record must be set on the DNS server so that the DNS server can resolve the domain name to an IP address. Take the HiChina domain name resolution system as an example:
2.2 Analysis of accelerated website access
The following factors may cause website access to be slow, blocked or laggy:
The website server itself has low processing performance, for example CPU and memory configurations too low to meet the response requirements.
The website's access bandwidth is too low, for example the website server connects to the ISP network at only 2 MB.
Users within the same ISP network pass through too many switches, routers and security devices, for example a user in Beijing accessing a server in Guangzhou.
Cross-carrier (ISP) access: for example, a user on another carrier's network accessing a server located in the China Netcom network runs into the bottleneck of the backbone between the two operators.
Bottlenecks on international trunk communication links, for example domestic users accessing foreign websites.
CDN (also known as website acceleration) is a technology that was born to solve these problems. It is essentially a LAN-based website caching technology
(for example, deploying a website cache server that stores frequently accessed pages on that device so they can be served faster).
My personal analysis of the technical principle behind CDN acceleration is as follows:
1. The user enters the URL in the browser (for example www.xxx.com).
2. The user's system sends a request to the DNS server (through recursive queries between DNS servers, finally reaching the DNS server of the domain name service provider).
3. The DNS server of the domain name service provider looks up the record and finds that only a CNAME record matches.
4. Based on the content of the CNAME record, the DNS server of the domain name service provider forwards the query to the DNS server of the CDN service provider.
5. A specific system at the CDN service provider determines the user's source address from the messages exchanged between the DNS servers (unconfirmed).
6. That system at the CDN service provider tells its DNS server the address of the cache server closest to the user (unconfirmed).
7. The DNS server of the CDN service provider returns that IP address to the DNS server of the domain name service provider.
8. The DNS server of the domain name service provider returns the IP address for the domain name to the end user.
9. The user's system sends an HTTP request to the web cache server at the IP address given in the DNS response message.
10. After the web cache server receives the request, it sends the specific page content to the end user.
3. Verifying the Theory in Practice
To verify the above analysis, it is tested on a real instance.
Target website: www.gcexe.com
Public network address: 221.224.24.214
3.1 Applying for a CDN acceleration trial
First, apply for a CDN trial and obtain four days of test access.
3.2 Changing the domain name resolution records
Delete the existing records
Add a CNAME record
3.3 Verifying the theoretical analysis with data
Because global DNS server synchronization takes some time, it is recommended that you perform the test 30 minutes later.
So how can I verify my analysis?
If the analysis is correct, then since CDN acceleration has cache servers all over the country, I can ask friends in different parts of the country to help resolve www.gcexe.com
and draw a conclusion from the IP addresses they get back. (If the analysis is correct, the addresses reported from different regions will be different.)
Through the above verification, the analysis is basically confirmed to be correct, or at least not far off.
4. Problem Analysis and Solution
4.1 Problem research and positioning
After learning how CDN acceleration works, we return to the original question: how can we determine whether the public address resolved from the domain name is the customer's final server address or a CDN acceleration address?
If you only look at the page in the IE browser, you cannot tell, because the page returned is identical. (Unless you analyze the HTTP messages: the packets exchanged with CDN-accelerated websites also carry characteristic header fields, but that is not covered in this KB.)
Think back: what was the first thing we did during the acceleration verification?
Yes: first we changed our domain name resolution. So can we tell the difference by analyzing the DNS packets?
Let's look at the difference between the output of the NSLOOKUP command run in CMD before and after acceleration:
4.2 Analysis conclusion
By analyzing the content of the DNS packets before and after acceleration, we can conclude:
as long as the CDN acceleration is implemented such that 1. the URL (domain name) entered by the end user is not changed, and 2. a CNAME record must be configured on the domain name server, then we can use
the presence or absence of a CNAME field in the DNS response to determine whether the resolved address is an acceleration address, and thus whether the public address is the final public address of the web server.
But does this hold in reverse? That is, does a CNAME field in the DNS response message necessarily mean the site is CDN-accelerated?
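To make the criterion above concrete, and to show why the reverse question matters, here is an added Python example that is not part of the original article or any CDN provider's tooling. It parses DNS response messages in wire format (including name compression pointers, which real resolvers use), follows the CNAME chain from the queried name, and reports whether the returned address comes from a plain A record, from a CNAME into another provider's zone (the powercdn.cn case from this article), or from a CNAME that stays inside the site's own zone, which is an alias but not evidence of a CDN. The responses are constructed inside the script rather than captured from the network; the address 221.224.24.214 and the alias www-gcexe-com.powercdn.cn are taken from the article, while the CDN edge address 203.0.113.10 and the "last two labels" rule for the registrable domain are assumptions made for the example.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_CNAME = 5

def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_response(txid, qname, records):
    """Build a constructed sample response (not captured traffic) for an A query on qname.
    records: (owner, type, ttl, rdata). Owners equal to qname are written as a compression
    pointer to offset 12, as real resolvers do, so the parser must handle pointers."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR=1 RD=1 RA=1
    msg += encode_name(qname) + struct.pack("!HH", DNS_TYPE_A, 1)
    for owner, rtype, ttl, rdata in records:
        if rtype == DNS_TYPE_A:
            rd = bytes(int(octet) for octet in rdata.split("."))
        elif rtype == DNS_TYPE_CNAME:
            rd = encode_name(rdata)
        else:
            raise ValueError("only A and CNAME are modelled here")
        owner_bytes = b"\xc0\x0c" if owner.lower() == qname.lower() else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return msg

def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit target offset
            hops += 1
            if hops > 10:  # refuse pointer loops in malformed or hostile responses
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Return the answer section as (owner, type, rdata) tuples with A and CNAME rdata decoded."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == DNS_TYPE_A:
            rdata = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == DNS_TYPE_CNAME:
            rdata, _ = read_name(msg, offset)
        else:
            rdata = msg[offset:offset + rdlen]
        offset += rdlen
        answers.append((owner, rtype, rdata))
    return answers

def registrable_domain(name):
    """Heuristic (assumption): treat the last two labels as the registrable domain."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def classify(qname, answers):
    """Follow the CNAME chain from qname and say what the final address most likely belongs to."""
    cnames = {o.lower(): t for o, rtype, t in answers if rtype == DNS_TYPE_CNAME}
    chain, current = [], qname.lower()
    while current in cnames and cnames[current].lower() not in chain:
        chain.append(cnames[current].lower())
        current = chain[-1]
    addresses = [r for o, rtype, r in answers if rtype == DNS_TYPE_A and o.lower() == current]
    if not chain:
        verdict = "direct A record: address belongs to the origin web server"
    elif registrable_domain(chain[-1]) != registrable_domain(qname):
        verdict = "CNAME to another zone: address most likely belongs to a CDN or hosting provider"
    else:
        verdict = "CNAME within the same zone: alias only, not evidence of CDN acceleration"
    return {"cname_chain": chain, "addresses": addresses, "verdict": verdict}

# Constructed samples: the origin address and the powercdn.cn alias come from the article,
# the CDN edge address 203.0.113.10 is a documentation-range placeholder.
BEFORE = build_response(0x1234, "www.gcexe.com",
                        [("www.gcexe.com", DNS_TYPE_A, 300, "221.224.24.214")])
AFTER = build_response(0x1235, "www.gcexe.com",
                       [("www.gcexe.com", DNS_TYPE_CNAME, 300, "www-gcexe-com.powercdn.cn"),
                        ("www-gcexe-com.powercdn.cn", DNS_TYPE_A, 60, "203.0.113.10")])

if __name__ == "__main__":
    for msg in (BEFORE, AFTER):
        print(classify("www.gcexe.com", parse_response(msg)))
```

The same-zone verdict is the answer to the reverse question: a CNAME alone only proves that the name is an alias, so before treating an address as a CDN edge, look at which zone the chain ends in. The two-label heuristic is deliberately simple; for names under suffixes such as .com.cn a public suffix list should replace it.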
5. Summary of Lessons Learned
Conclusion 1:
Looking back at our experiment: until we configured CNAME resolution on the domain name server, the domain name resolved directly to the final IP address.
In this example, resolution authority is transferred to the DNS server that hosts the domain name www-gcexe-com.powercdn.cn, and the domain name www.gcexe.com exists only as an alias.
Conclusion 2:
This time the problem was identified by analyzing DNS packets. In fact, this uses the basic knowledge points from Chapter 1, the DNS domain name system, of the TCP/IP protocol:
Conclusion 3:
Based on the implementation principle of CDN acceleration, I believe the technology should have the following characteristics:
When the web server fails or does not respond, the website can still be accessed (because users are reaching the web cache server).
If the website administrator updates the page content, end users may not notice the change for a short time (because the web cache server may take some time to synchronize pages with the physical server).
Conclusion: There is no material available before this year's reselling. Sorry ~!