[Dshield] reverse DNS pointing to localhost ?

John Hardin jhardin at impsec.org
Fri Dec 12 18:52:37 GMT 2008

On Fri, 12 Dec 2008, Stephane Grobety wrote:

> The actual source IP address had nothing to do with any of the ones on 
> the server:
> I did a reverse on that IP and got
> PTR-record for
>    Points to = localhost
>    TTL = 67739 (18 hours, 48 minutes, 59 seconds)

Configuring reverse DNS to return "localhost" is possible. It probably 
indicates a hostile netblock; at the very least it indicates an 
incompetent DNS admin.

> It seems that, somehow, the IPS log subsystem replaced "localhost" in 
> the log by the server host name.

Yeah. Windows Vista (SP1 only, I think - I couldn't repro just now on SP2) 
and, in my testing at the time, Windows Server 2003 see that and 
helpfully substitute the local machine's name.


Is your IPS running on Vista or WS2003? You might want to make sure its OS 
patches are up-to-date.

  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
   It is not the place of government to make right every tragedy and
   woe that befalls every resident of the nation.
  3 days until Bill of Rights day
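
A check a log pipeline can apply to the situation in this thread, as an added example that is not part of the original post: the PTR answer is treated as untrusted, a non-loopback address whose PTR says "localhost" is flagged, any other name is forward-confirmed, and the raw IP always stays in the log label. The function names, verdict strings and sample addresses are constructed for illustration.

```python
import ipaddress
import socket

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def system_ptr(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify_ptr(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (log_label, verdict). The label always leads with the raw IP,
    so a remote PTR answer can never stand in for the address in the log."""
    addr = ipaddress.ip_address(ip)
    name = ptr_lookup(ip)
    if not name:
        return ip, "no-ptr"
    name = name.rstrip(".").lower()
    # A non-loopback source whose PTR says "localhost" is the case in this thread.
    if not addr.is_loopback and (name in LOCAL_NAMES or name.endswith(".localhost")):
        return f"{ip} [PTR={name}]", "ptr-claims-localhost"
    # Forward-confirm: the name must resolve back to the address we started from.
    forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    if addr not in forward:
        return f"{ip} [PTR={name}]", "ptr-unconfirmed"
    return f"{ip} ({name})", "confirmed"

# Constructed sample data (documentation address ranges, not from the thread).
SAMPLE_PTR = {"203.0.113.7": "localhost.", "198.51.100.20": "mail.example.net",
              "198.51.100.21": "www.example.org"}
SAMPLE_A = {"mail.example.net": {"198.51.100.20"}, "www.example.org": {"192.0.2.99"}}

def classify_sample(ip):
    """Run classify_ptr against the constructed tables instead of live DNS."""
    return classify_ptr(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20", "198.51.100.21", "192.0.2.5"):
        print(classify_sample(ip))
```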
