Some more progress:

What with all the gracious and informed help of Magic Banana, the extent of multi-addressed PTR records is becoming ever clearer. I collected all the PTR records from the never-looked-up IPv6 addresses which I found for January 2020, that had two or more addresses resolving to the same PTR. Then I applied these randomization techniques to the upper level fields of those IPv6 addresses, truncated thusly:

field01:field02::/32, field01:field02:field03::/48, field01:field02:field03:field04::/64, or sometimes field01:field02::0000/112 or even field01:field02::field07:0000/112, and then adjusting the parameters of the randomization scripts to process a number of similar scripts as a batch so as to limit the number of IPv6 addresses to be resolved to about 10 million and the address file to less than 150MB.

The end result: All of the multi-addressed PTR records thus evaluated had more than a thousand additional addresses in the same CIDR blocks as those ones recorded for their IPv6 addresses, with some extending to a million or more addresses, all for the same-named PTR record.

The next step in this procedure is to bring together the many additional singly addressed PTR records in the published recent visitor data so as to find out which among them has been similarly obfuscated.

One CIDR block which appeared to be essentially _all_ one PTR name last week was shut off and unavailable over the weekend, back in service on Monday, and further populated on Wednesday, indicating that it is being used dynamically to obfuscate sensitive payloads stored behind that unresolvably recorded PTR.

George Langford

P.S. You can do this analysis at home without setting foot outdoors. There are other months from which to choose, extending back into ancient history, before the 2016 U.S. election, or even to the present, i.e., through March 2020.
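The sampling and grouping procedure described in this message, sketched as an added example (it is not George Langford's script and not part of the original post). It draws random addresses inside a truncated prefix, groups the answers by PTR name, and reports the smallest CIDR block covering each multi-addressed name. The resolver `stub_ptr`, the name `host.example.net` and the `2001:db8::/32` documentation prefix are constructed assumptions so the code runs offline.

```python
import ipaddress
import random
from collections import defaultdict

def sample_prefix(cidr, count, seed=None):
    """Pick `count` distinct random addresses inside an IPv6 CIDR block."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    rng = random.Random(seed)
    want = min(count, net.num_addresses)
    picked = set()
    while len(picked) < want:
        picked.add(net.network_address + rng.randrange(net.num_addresses))
    return sorted(picked)

def multi_addressed(pairs, min_addrs=2):
    """Group (address, PTR) pairs by name; keep names shared by >= min_addrs addresses."""
    by_name = defaultdict(set)
    for addr, ptr in pairs:
        if ptr:  # skip addresses with no PTR record
            by_name[ptr.rstrip(".").lower()].add(ipaddress.IPv6Address(addr))
    return {n: sorted(a) for n, a in by_name.items() if len(a) >= min_addrs}

def covering_prefix(addrs):
    """Smallest single CIDR block that contains every address in `addrs`."""
    lo, hi = int(min(addrs)), int(max(addrs))
    return ipaddress.IPv6Network((lo, 128 - (lo ^ hi).bit_length()), strict=False)

# Constructed stand-in for a resolver: one /48 answers with a single PTR name.
WILDCARD = ipaddress.IPv6Network("2001:db8:aa::/48")

def stub_ptr(addr):
    return "host.example.net." if addr in WILDCARD else None

def survey(cidr, count, resolve=stub_ptr, seed=1):
    """Sample a block, resolve each address, report name -> (hits, covering block)."""
    pairs = [(a, resolve(a)) for a in sample_prefix(cidr, count, seed)]
    return {n: (len(a), covering_prefix(a)) for n, a in multi_addressed(pairs).items()}

if __name__ == "__main__":
    for name, (hits, block) in survey("2001:db8:aa::/48", 1000).items():
        print(name, hits, block)
```

To run it against real data, pass a `resolve` callable that returns the PTR name (or `None`) for an address in place of the stub.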
