[Dshield] reverse DNS pointing to localhost ?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Dec 12 19:11:41 GMT 2008


On Fri, 12 Dec 2008 10:14:49 +0100, Stephane Grobety said:

> PTR-record for 252.51.30.123.in-addr.arpa:
>     Points to = localhost
>     TTL = 67739 (18 hours, 48 minutes, 59 seconds)

> Anyone got an explanation ?

It's pretty straightforward.  The sequence of events:

1) You get a packet from 123.30.51.252.

2) You (or your firewall) go to look up the hostname by chasing the PTR.

3) You get an answer back from the bunch running PTR for that address:

;; ANSWER SECTION:
252.51.30.123.in-addr.arpa. 61567 IN    PTR     localhost.

;; AUTHORITY SECTION:
30.123.in-addr.arpa.    61567   IN      NS      vdc-hn01.vnn.vn.
30.123.in-addr.arpa.    61567   IN      NS      hcm-server1.vnn.vn.

(looks like a provider in Vietnam).

Just be glad the PTR owner didn't *really* screw with your mind by pointing
it at www.whitehouse.gov or something.  There's no real sanity checking
done.

This is *also* why paranoid software will take the results of that PTR
lookup, look *that* up, and verify that the name has an A record that matches
the original address.

With the above info in hand, you *should* be able to figure out what *really*
happened in this classic posting:

http://homes.cerias.purdue.edu/~spaf/classes/CS690E/mail/msg00104.html

(Yes, I got Louis' posting when it happened, and did the traceroutes,
and it really *WAS* showing what he said.  A true WTF? moment. ;)
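The forward-confirmed check Valdis describes, as an added example that is not part of the post. The resolver is a constructed offline stub reproducing the thread's PTR answer (123.30.51.252 -> localhost.) plus one consistent pair for contrast; replace `fake_resolve` with a real DNS query function to use it for real.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed records: the PTR for 123.30.51.252 claims "localhost." (as in
# the thread), and localhost's A record is 127.0.0.1, so they cannot match.
# 192.0.2.1 / host.example.net. is a constructed consistent pair for contrast.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("252.51.30.123.in-addr.arpa.", "PTR"): ["localhost."],
    ("localhost.", "A"): ["127.0.0.1"],
    ("1.2.0.192.in-addr.arpa.", "PTR"): ["host.example.net."],
    ("host.example.net.", "A"): ["192.0.2.1"],
}

Resolver = Callable[[str, str], List[str]]


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS query; [] means NXDOMAIN / no data."""
    return FAKE_ZONE.get((name, rrtype), [])


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa (or ip6.arpa) owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, resolve: Resolver = fake_resolve) -> Tuple[bool, List[str]]:
    """Forward-confirmed reverse DNS.

    1. Chase the PTR for the address.
    2. Look each returned name up forward (A for IPv4, AAAA for IPv6).
    3. Keep a name only if one of its forward records equals the original IP.
    Returns (confirmed, names_that_passed). The PTR text alone is never
    trusted, since the PTR owner can put any name there.
    """
    addr = ipaddress.ip_address(ip)
    fwd_type = "AAAA" if addr.version == 6 else "A"
    confirmed: List[str] = []
    for name in resolve(reverse_name(ip), "PTR"):
        forward = resolve(name, fwd_type)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            confirmed.append(name)
    return (bool(confirmed), confirmed)


if __name__ == "__main__":
    for ip in ("123.30.51.252", "192.0.2.1"):
        ok, names = fcrdns(ip)
        print(f"{ip}: {'confirmed ' + ', '.join(names) if ok else 'PTR not confirmed, treat as unnamed'}")
```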