[Dshield] reverse DNS pointing to localhost ?
John Hardin
jhardin at impsec.org
Fri Dec 12 18:52:37 GMT 2008
On Fri, 12 Dec 2008, Stephane Grobety wrote:
> The actual source IP address had nothing to do with any of the ones on
> the server: 123.30.51.252
>
> I did a reverse on that IP and got
>
> PTR-record for 252.51.30.123.in-addr.arpa:
> Points to = localhost
> TTL = 67739 (18 hours, 48 minutes, 59 seconds)

Configuring reverse DNS to return "localhost" is possible. It probably
indicates a hostile netblock; at the very least it indicates an
incompetent DNS admin.

> It seems that, somehow, the IPS log subsystem replaced "localhost" in
> the log by the server host name.

Yeah. Windows Vista (SP1 only, I think - I couldn't repro just now on SP2)
and, in my testing at the time, Windows Server 2003, see that and
helpfully substitute the local machine's name.

http://www.nabble.com/-OT---rDNS-tomfoolery---%22localhost%22-td19885172.html

Is your IPS running on Vista or WS2003? You might want to make sure its OS
patches are up-to-date.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
3 days until Bill of Rights day
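
Added example, not part of the original post or of any IPS's own code: a forward-confirmed reverse DNS check that a log pipeline could apply before writing a PTR name, so a remote address whose PTR says "localhost" is logged by address instead of by a name the OS may rewrite. The function names, verdict strings and the sample zone are assumptions made for illustration.

```python
import ipaddress
import socket

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed forward zone for offline use (documentation addresses, not real data).
SAMPLE_FORWARD = {"localhost": {"127.0.0.1"}, "mail.example.net": {"192.0.2.10"}}

def sample_forward(name):
    """Hypothetical stand-in resolver backed by SAMPLE_FORWARD."""
    return SAMPLE_FORWARD.get(name, set())

def system_forward(name):
    """Resolve a name to its addresses with the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_ptr(src_ip, ptr_name, forward=system_forward):
    """Return (verdict, log_label) for the PTR answer of a connection source."""
    ip = ipaddress.ip_address(src_ip)
    name = ptr_name.rstrip(".").lower()
    if not name:
        return "no-ptr", src_ip
    # A remote address whose PTR names the local host is never trustworthy;
    # log the address so nothing downstream can swap in this machine's name.
    if name in LOCAL_NAMES and not ip.is_loopback:
        return "ptr-claims-localhost", f"{src_ip} (bogus PTR: {name})"
    # Forward-confirm: the PTR name must resolve back to the source address.
    confirmed = False
    for addr in forward(name):
        try:
            confirmed = confirmed or ipaddress.ip_address(addr) == ip
        except ValueError:  # e.g. scoped IPv6 text the parser rejects
            continue
    if confirmed:
        return "confirmed", f"{name} [{src_ip}]"
    return "unconfirmed", f"{src_ip} (unverified PTR: {name})"

if __name__ == "__main__":
    # The address and PTR answer quoted in the thread, then constructed cases.
    for ip, ptr in [("123.30.51.252", "localhost"),
                    ("192.0.2.10", "mail.example.net."),
                    ("192.0.2.99", "mail.example.net")]:
        print(ip, check_ptr(ip, ptr, forward=sample_forward))
```
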