0

I'm looking for a solution to an obscure problem. For security policy reasons we have a workstation using PeerBlock with a block list that essentially blacklists the entire internet, and then an allow list for a handful of IPs we deem ok.

This particular workstation has one piece of software on it that is supported by an external company, and their remote support tool of choice is TeamViewer. We've had many "discussions" about using an alternative package and suffice to say, they won't budge, and I don't have the power to change that. So now I need to find a way to whitelist TeamViewer.

According to the TeamViewer KB:

...we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com

So now I'm wondering if I can use the PTR records to somehow scrape through and pull out all of the subdomains used along with their associated IP addresses.

I have both a Windows workstation and an Ubuntu workstation available to me to periodically perform this task, so PowerShell or shell scripting are my preferred weapons of choice.

Is there a way to achieve what I'm trying to do? I've been looking at dig, but I can't quite get my head around it.

raicho

2 Answers

1

I don't think you really want to do a complete reverse lookup on the interwebs, so if possible take a look at TCP wrappers.

J ramdom

0

One possible avenue you might look into relies on the vendor having a formal IP block assignment from ARIN or the relevant IP registry for their geographic location. An informal assignment of IPs from their ISP might also be workable, but it will be slightly more difficult to find the boundaries of a block assigned informally by an ISP. Once such an IP range is known, you can confine your reverse lookup scraping to that block of IPs.

Given that they won't tell you what their IPs are, one way I can think of is to create a sample TeamViewer session and inspect the network traffic in and out of the target machine. That will give you probably just one IP number that TeamViewer might use. You can do a whois lookup on that IP to see whether it is part of a larger block, and then confine your PTR scraping to that netblock.

This is still not the best solution, IMO. It's certainly not much fun, and worse, it's fragile. First, there's no guarantee that the IP netblock you find is the only one they use. Also, if TeamViewer changes IPs on their servers, YOUR stuff is likely to break, so you're at their mercy in the sense that a change they could make at any time, which they aren't obligated to notify you of, could cause your configuration to fail with no advance notice.

As @Jramdom says, better is to find a TCP wrappers-like solution, which will do the reverse lookup for you. This will have several benefits. First, your system will have to look up only one IP at a time, and that lookup won't be done until it is needed. That results in a second benefit that these reverse lookups will always be using data from the most recent DNS information published by TeamViewer, not from a scraping run that may be many months old. A TCP wrapper will look up the PTR record at the moment of the connection and check to see if it matches *.teamviewer.com. This makes your setup more resilient to changes that TeamViewer might make, provided that they update their reverse DNS whenever they change server IPs.

Jim L.
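
The PTR check discussed in the answers above, as an added shell example that is not part of either answer. It goes one step beyond them: a PTR record is published by whoever controls the address block, so the script only accepts an IP when the PTR name ends in `.teamviewer.com` and that name also resolves forward to the same IP. The function names and the `192.0.2` prefix are assumptions made for illustration, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answers). Needs dig (Ubuntu: dnsutils package).
set -f   # PTR data is untrusted input: never glob-expand it
SUFFIX=${SUFFIX:-.teamviewer.com}   # leading dot stops "evilteamviewer.com"

# Resolver hooks (hypothetical names), one result per line.
resolve_ptr() { dig +short -x "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]'; }
resolve_a()   { dig +short A "$1"; }

# has_suffix NAME SUFFIX: true if NAME ends with the literal SUFFIX.
has_suffix() {
    case "$1" in
        *"$2") return 0 ;;
        *)     return 1 ;;
    esac
}

# ip_is_allowed IP: true only if a PTR name for IP ends in $SUFFIX
# and that same name has an A record pointing back at IP.
ip_is_allowed() {
    ip=$1
    for name in $(resolve_ptr "$ip"); do
        has_suffix "$name" "$SUFFIX" || continue
        for addr in $(resolve_a "$name"); do
            if [ "$addr" = "$ip" ]; then return 0; fi
        done
    done
    return 1
}

# sweep_24 PREFIX: print allowed addresses in PREFIX.1 .. PREFIX.254,
# for a netblock already identified via whois as the second answer suggests.
sweep_24() {
    prefix=$1
    i=1
    while [ "$i" -le 254 ]; do
        if ip_is_allowed "$prefix.$i"; then echo "$prefix.$i"; fi
        i=$((i + 1))
    done
}

# Usage once sourced: sweep_24 192.0.2   (constructed documentation prefix)
```

The sweep output is only as fresh as its last run, so it carries the staleness problem the second answer describes; `ip_is_allowed` on its own is the per-connection form of the check.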