[Dshield] IP Class C resolving to "localhost"

Johannes Ullrich jullrich at euclidian.com
Sat Oct 25 17:25:19 GMT 2003


On Sat, 2003-10-25 at 10:59, Keith Bergen wrote:
> A user on our IRC network is joining and the IRC server is complaining
> because the IP address resolves to localhost.

Well, it is up to the owner of the IP address (in this case an ISP in
Vietnam) to set up the reverse resolution from IP->hostname.

There is a particular security lesson here: If you are logging host
names, you may not always be able to reverse the lookup. In particular
web servers frequently log host names. Not much you can do in this case
if the hostname just shows 'localhost'.

Another lesson is not to trust host names. They have to be validated
like all other user input. For example, if you are using a web-based
log viewer, and the host name resolves into some kind of JavaScript??
(Patrick Nolan did a good writeup on this issue a while ago. See:
http://isc.incidents.org/analysis.html?id=182 )

There is probably not much the user can do. I am not sure why the
ISP would do this. Maybe just a bad setup? Or on purpose to avoid
some spam issues (e.g. users sending spam).

Typically, reverse and forward resolution should match. However, in
particular if an IP address hosts multiple web sites for example, this
may not always work both ways.

Mail servers in particular should 'match' to not run afoul of some picky
spam filters.


-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
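
Added example, not part of the original message: one way a logger or log viewer could apply the two lessons above (treat the PTR name as untrusted input, and check that reverse and forward resolution match). The function names, the injected forward_lookup resolver and the sample addresses and host names are assumptions constructed for illustration.

```python
import html
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def valid_hostname(name):
    """True if name is syntactically a plausible DNS host name."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def classify_ptr(ip, ptr_name, forward_lookup):
    """Return (status, display_text) for the PTR answer received for ip.

    forward_lookup(name) -> list of IP strings. It is injected (hypothetical
    helper) so the check runs offline; a real one would wrap the resolver.
    display_text is safe to place in an HTML log view.
    """
    if not valid_hostname(ptr_name):
        # PTR data is controlled by whoever owns the reverse zone: escape it.
        return "invalid", f"{ip} (rejected PTR: {html.escape(ptr_name)})"
    name = ptr_name.rstrip(".").lower()
    addr = ipaddress.ip_address(ip)
    if name in ("localhost", "localhost.localdomain") and not addr.is_loopback:
        return "bogus-localhost", ip  # keep the address, the name says nothing
    forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    if addr not in forward:
        return "unconfirmed", f"{ip} (claims {html.escape(name)})"
    return "confirmed", f"{html.escape(name)} [{ip}]"

# Constructed sample data: documentation address ranges and made-up names.
FORWARD = {"mail.example.net": ["192.0.2.25"], "www.example.org": ["198.51.100.7"]}

def fake_lookup(name):
    return FORWARD.get(name, [])

SAMPLES = [
    ("203.0.113.5", "localhost"),                  # the case from this thread
    ("192.0.2.25", "mail.example.net."),           # forward and reverse match
    ("192.0.2.80", "www.example.org"),             # forward points elsewhere
    ("203.0.113.9", "<script>alert(1)</script>"),  # markup in the PTR name
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(classify_ptr(ip, ptr, fake_lookup))
```
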




