A UA declaring a known crawler (Googlebot/Bingbot/…) whose IP fails forward-confirmed reverse DNS
net.fake_declared_crawler · convicts
What it catches
Forward-confirmed reverse DNS (FCrDNS) is the crawlers' OWN documented verification method: a real Googlebot/Bingbot/Applebot/etc. connects from an IP whose PTR record resolves under the crawler's official domain (e.g. *.googlebot.com) AND that host's forward A/AAAA records include the connecting IP. The edge runs this check (uaHasKnownH2Order sibling — fingerprint.VerifyCrawler) only for a UA that DECLARES a known crawler, and emits network.fake_declared_crawler ONLY on a DEFINITIVE failure: no PTR record, a PTR under no official crawler suffix (an impersonator), or a matching host that does not forward-confirm the IP. A transient resolver error (SERVFAIL/timeout) ABSTAINS — a real crawler is never convicted on a flaky lookup. FP-safe by construction: a genuine crawler always confirms (that is what FCrDNS is for), so the only thing that fires is a non-crawler IP wearing a crawler UA — a clear impersonation. CONVICTING (coherence): the network identity contradicts the declared UA. EXPERIMENTAL until grounded against a live resolver in deployment (the edge ships with net.DefaultResolver; tests inject a stub). Complements the existing UA-vs-wire coherence family for the DECLARED-crawler abuse case (fake-Googlebot scrapers, a common allow-list bypass) rather than the real-browser-faking case the rest of the ruleset targets. Capability sourced from the GreyNoise GNQL gap analysis (actor + rdns_validated facets); see docs/research-radar.md.
Signals it reads
network.fake_declared_crawler
How it fires
present
Bypassed by 10
Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.