[Dshield] reverse DNS pointing to localhost ?

John Hardin jhardin at impsec.org
Fri Dec 12 18:52:37 GMT 2008


On Fri, 12 Dec 2008, Stephane Grobety wrote:

> The actual source IP address had nothing to do with any of the ones on 
> the server: 123.30.51.252
>
> I did a reverse on that IP and got
>
> PTR-record for 252.51.30.123.in-addr.arpa:
>    Points to = localhost
>    TTL = 67739 (18 hours, 48 minutes, 59 seconds)

Configuring reverse DNS to return "localhost" is possible. It probably 
indicates a hostile netblock; at the very least it indicates an 
incompetent DNS admin.

> It seems that, somehow, the IPS log subsystem replaced "localhost" in 
> the log by the server host name.

Yeah. Windows Vista (SP1 only, I think - I couldn't repro just now on SP2) 
and, in my testing at the time, Windows Server 2003, sees that and 
helpfully substitutes the local machine's name.

http://www.nabble.com/-OT---rDNS-tomfoolery---%22localhost%22-td19885172.html

Is your IPS running on Vista or WS2003? You might want to make sure its OS 
patches are up-to-date.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   It is not the place of government to make right every tragedy and
   woe that befalls every resident of the nation.
-----------------------------------------------------------------------
  3 days until Bill of Rights day
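
Added example, not part of the original thread or of any IPS product: one way to keep a log pipeline from trusting a PTR answer like the one quoted above, by checking that the name resolves back to the source IP and flagging remote addresses whose PTR claims "localhost" or the logging host's own name. The function names, verdict strings and the example.net sample records are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Names that must never be believed when a remote address's PTR returns them.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Constructed sample data; the first entry mirrors the PTR quoted in the thread.
SAMPLE_PTR = {"123.30.51.252": "localhost",
              "192.0.2.10": "mail.example.net.", "192.0.2.20": "web.example.net"}
SAMPLE_A = {"mail.example.net": ["192.0.2.10"], "web.example.net": ["198.51.100.7"]}

def classify_ptr(src_ip, reverse_lookup, forward_lookup, own_names=()):
    """Return (verdict, ptr_name) for a source IP.

    reverse_lookup(ip) -> name or None; forward_lookup(name) -> list of IPs.
    Both are injected so the check runs against live DNS or test data.
    """
    src = ipaddress.ip_address(src_ip)
    name = reverse_lookup(src_ip)
    if not name:
        return "no-ptr", None
    name = name.rstrip(".").lower()
    local = LOCAL_NAMES | {n.lower() for n in own_names}
    if name in local and not src.is_loopback:
        # Remote address whose PTR claims to be localhost or this machine.
        return "ptr-claims-local", name
    # Forward-confirm: the PTR name must resolve back to the source address.
    addrs = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    if src not in addrs:
        return "ptr-unconfirmed", name
    return "confirmed", name

def log_field(src_ip, verdict, name):
    """Always log the IP itself; the PTR name is only an annotated extra."""
    if name is None:
        return src_ip
    return f"{src_ip} (ptr={name} {verdict})"

def system_reverse(ip):
    """Live reverse lookup through the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []
```

Passing the logging host's own names as own_names also catches the case discussed in the thread, where the resolver has already swapped "localhost" for the local machine name before the application sees it.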

