[Dshield] reverse DNS pointing to localhost ?

Valdis.Kletnieks at vt.edu
Fri Dec 12 19:11:41 GMT 2008

On Fri, 12 Dec 2008 10:14:49 +0100, Stephane Grobety said:

> PTR-record for
>     Points to = localhost
>     TTL = 67739 (18 hours, 48 minutes, 59 seconds)

> Anyone got an explanation ?

It's pretty straightforward.  The sequence of events:

1) You get a packet from

2) You (or your firewall) goes to look up the hostname by chasing the PTR.

3) You get an answer back from the bunch running PTR for that address:

;; ANSWER SECTION: 61567 IN    PTR     localhost.

30.123.in-addr.arpa.    61567   IN      NS      vdc-hn01.vnn.vn.
30.123.in-addr.arpa.    61567   IN      NS      hcm-server1.vnn.vn.

(looks like a provider in Vietnam).

Just be glad the PTR owner didn't *really* screw with your mind by pointing
it at www.whitehouse.gov or something.  There's no real sanity checking

This is *also* why paranoid software will take the results of that PTR
lookup, look *that* up, and verify that the name has an A record that matches
the original address.

With the above info in hand, you *should* be able to figure out what *really*
happened in this classic posting:


(Yes, I got Louis' posting when it happened, and did the traceroutes,
and it really *WAS* showing what he said.  A true WTF? moment. ;)
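
The check described above (take the PTR result, look that name up, and verify it has an A record matching the original address), as an added example that is not part of the original post. The function names, verdict strings and sample addresses are assumptions; the sample data is constructed from documentation address ranges so it runs without touching DNS.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR names for ip from the system resolver; empty list if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def verify_ptr(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, name); only a 'confirmed' name is tied to ip."""
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return ("no-ptr", None)
    for name in names:
        for candidate in forward(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return ("confirmed", name)
            except ValueError:
                continue  # resolver returned something that is not an address
    return ("mismatch", names[0])  # PTR says one thing, forward DNS another

# Constructed data standing in for DNS (documentation address ranges).
PTR = {"203.0.113.7": ["localhost."], "192.0.2.10": ["mail.example.org."]}
A = {"localhost": ["127.0.0.1"], "mail.example.org": ["192.0.2.10"]}

def check_constructed(ip):
    return verify_ptr(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10", "198.51.100.1"):
        print(ip, check_constructed(ip))
```

A log pipeline or firewall report would record the PTR name only on `confirmed` and otherwise keep the bare address, flagging `mismatch` for review.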