💾 Archived View for clehaxze.tw › gemlog › 2023 › 01-14-re-dns-oddity.gmi captured on 2023-03-20 at 17:42:10. Gemini links have been rewritten to link to archived content

RE: DNS oddity

Saw JBanana's gemlog yesterday about a weird phenomenon with DNS. Namely, in the logs, the IP address 127.0.0.1 got logged as some Brazilian domain name. And the server runs behind a NAT, so no external entity could access it. Thus there must be some issue somewhere.

I have an HTTP daemon running locally. It's behind a NAT router, so it shouldn't receive requests from the internet. The stats show the requests with IPs translated to names. I noticed a Brazilian host name listed which seems like it shouldn't be possible.

JBanana's original post - DNS oddity

I hope I can provide some insight into this. I'm not a DNS expert, but I managed my college's network while I was a student. Here's what I think is happening. It has happened a few times to me. Hopefully I'm not wrong.

There's not enough data to discern what's causing the oddity in the post. However, usually (> 99.9% of cases) web log tools use a reverse DNS lookup to provide the hostname of the client. This is an _old_ mechanism: essentially someone stores a `PTR` record on their DNS server to map an IP to a domain name. AFAIK this was a quick anti-spam method used by mail servers. Needless to say, this is not secure at all, since whoever controls the reverse zone for an address decides what name it maps to. What likely happened in this case is that the Brazilian domain operator (or your ISP) misconfigured a PTR record so that it points at 127.0.0.1, and the reverse lookup by the local DNS found that.

Usually, most systems set `localhost` in their `/etc/hosts` file, or whatever the equivalent is on Windows, and the reverse lookup prioritizes that over the DNS server. It's possible that JBanana doesn't have localhost set up in that way. Instead the local DNS is getting lookup requests for `localhost.` and returning 127.0.0.1 as a safe bet, so everything happens to work for forward lookups. But that could be unimplemented for reverse lookups. Thus the weirdness.

It's quick to confirm. Check `/etc/hosts` and run `dig -x 127.0.0.1` against your local DNS server. If it returns the Brazilian domain name, then that's the cause. If not, some deeper config checking and debugging is needed.

Again, reverse lookup is not secure, don't trust the result.
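To show what "don't trust the result" looks like in practice, here is an added example (my own code, not part of JBanana's post or any log tool mentioned above) of how a log formatter can label a client address safely: consult `/etc/hosts` first, then do the `PTR` lookup, and only accept the returned name if a forward lookup of that name maps back to the same address (forward-confirmed reverse DNS). The resolver functions are injectable so the check runs offline against a constructed fake zone; the domain names and the 203.0.113.x / 198.51.100.x addresses in it are made up (RFC 5737 documentation ranges), and the `resolve_client`, `parse_hosts` and `fake_*` names are mine.

```python
"""Forward-confirmed reverse DNS (FCrDNS) labelling of client addresses.

Added example, not from the original post. The PTR for 127.0.0.1 in the
constructed fake zone below reproduces the oddity: it points at a foreign
domain, and the forward lookup of that domain does not come back to
127.0.0.1, so the name is rejected and the raw IP is logged instead.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR name, or None if no record
ForwardFn = Callable[[str], Iterable[str]]   # name -> addresses from A/AAAA records


def parse_hosts(text: str) -> Dict[str, str]:
    """Build an ip -> first hostname table from /etc/hosts-style text.

    Comments (#) and blank lines are ignored; the first entry for an address
    wins, mirroring how the files NSS source answers a reverse lookup.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        table.setdefault(parts[0], parts[1])
    return table


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> Iterable[str]:
    """A/AAAA lookup through the system resolver (network access required)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def resolve_client(ip: str, hosts: Dict[str, str],
                   reverse: ReverseFn = system_reverse,
                   forward: ForwardFn = system_forward) -> Tuple[str, str]:
    """Return (label, status) for a client address seen in a web log.

    status is one of: "hosts" (answered from /etc/hosts), "fcrdns-ok"
    (PTR name confirmed by a forward lookup), "fcrdns-mismatch" (PTR name
    does not resolve back to the address: treat as untrusted, keep the IP),
    or "no-ptr" (no reverse record at all).
    """
    ip = str(ipaddress.ip_address(ip))        # normalise, reject garbage
    if ip in hosts:
        return hosts[ip], "hosts"
    name = reverse(ip)
    if name is None:
        return ip, "no-ptr"
    if ip in set(forward(name)):
        return name, "fcrdns-ok"
    return ip, "fcrdns-mismatch"


# --- constructed fake zone (hypothetical names, documentation IP ranges) ---
FAKE_PTR = {
    "127.0.0.1": "misconfigured.example.com.br",   # the oddity: PTR points at loopback
    "203.0.113.7": "host7.example.net",
}
FAKE_A = {
    "misconfigured.example.com.br": ["198.51.100.20"],  # does NOT come back to 127.0.0.1
    "host7.example.net": ["203.0.113.7"],
}
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost  # constructed\n"


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    return FAKE_A.get(name, [])


def demo() -> Dict[str, Tuple[str, str]]:
    """Label a few constructed client addresses with and without /etc/hosts."""
    hosts = parse_hosts(SAMPLE_HOSTS)
    return {
        "loopback-no-hosts": resolve_client("127.0.0.1", {}, fake_reverse, fake_forward),
        "loopback-with-hosts": resolve_client("127.0.0.1", hosts, fake_reverse, fake_forward),
        "confirmed": resolve_client("203.0.113.7", hosts, fake_reverse, fake_forward),
        "no-record": resolve_client("203.0.113.8", hosts, fake_reverse, fake_forward),
    }


if __name__ == "__main__":
    for case, (label, status) in demo().items():
        print(f"{case:20} {label:32} {status}")
```

With the fake zone, 127.0.0.1 is labelled with the foreign domain only if `/etc/hosts` is skipped and the PTR answer is accepted blindly; the forward check rejects it and keeps the raw IP, which is the behaviour a log tool should have. Swap in the default `system_reverse`/`system_forward` to run the same check against your real resolver, which is the programmatic equivalent of the `dig -x` test above.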