[dns-operations] Question about logger querys with registers points to 127.0.0.1
Eduardo Romero Urra
eromerou at interior.gov.cl
Wed Oct 14 16:03:47 UTC 2015
I have query logging enabled for named on one of our public resolver servers (ISP), but after researching we detected some queries that are logged as if generated by the server itself, from the '127.0.0.1' address; in some cases the query points to a hostname that also resolves to '127.0.0.1', for example:
28-Sep-2015 09:09:21.528 client 127.0.0.1#28082: query: f5-hk01.gtm.lenovo.com IN A -E
Non-authoritative answer:
The queries do not always point to a host that resolves to '127.0.0.1', but the strange thing is the origin they come from, marked as localhost, and that they are always logged using the "EDNS mechanism" (-E); previously a regular query came in, for example:
05-Sep-2015 01:32:20.756 client some-ip-public-client.(22.214.171.124)#53347: query: news.lawsorsing.com IN A +
05-Sep-2015 01:32:20.766 client some-ip-public-client.(126.96.36.199)#34024: query: news.lawsorsing.com IN A +
and a few seconds later, the "local queries" are generated:
05-Sep-2015 01:32:21.160 client 127.0.0.1#25468: query: news.lawsorsing.com IN A -E
05-Sep-2015 01:32:21.161 client 127.0.0.1#2345: query: news.lawsorsing.com IN A -E
Could someone explain this please, because the last lines "alone" could produce a false positive that the server may be compromised because it is generating queries itself. I suppose that the EDNS mechanism could be the cause.
The situation is very common with '*.gtm.lenovo.com' GTM sites.
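A small triage script, added here as an example and not part of the original post or of BIND itself, that parses querylog lines of the form shown above and separates localhost queries that closely follow an external client's query for the same name (the news.lawsorsing.com sequence) from localhost queries with no such preceding query; the sample log, its 198.51.100.x client addresses and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# BIND querylog line format as in the post; the last field is BIND's flags field ('E' = EDNS).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<client>\S+?)#(?P<port>\d+): query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: the post's sequence plus one localhost query with no preceding client query.
SAMPLE_LOG = """
05-Sep-2015 01:32:20.756 client 198.51.100.10#53347: query: news.lawsorsing.com IN A +
05-Sep-2015 01:32:20.766 client 198.51.100.11#34024: query: news.lawsorsing.com IN A +
05-Sep-2015 01:32:21.160 client 127.0.0.1#25468: query: news.lawsorsing.com IN A -E
05-Sep-2015 01:32:21.161 client 127.0.0.1#2345: query: news.lawsorsing.com IN A -E
28-Sep-2015 09:09:21.528 client 127.0.0.1#28082: query: f5-hk01.gtm.lenovo.com IN A -E
""".strip().splitlines()

def parse_line(line):
    """Parse one querylog line into a dict; return None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["uses_edns"] = "E" in rec["flags"]
    return rec

def triage(lines, window_seconds=5):
    """Split localhost queries into (correlated, uncorrelated): correlated ones follow
    an external client's query for the same name within window_seconds, as in the
    post; uncorrelated ones have no such predecessor and deserve a closer look."""
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    last_external = {}  # qname -> timestamp of the latest query from a non-localhost client
    correlated, uncorrelated = [], []
    for r in recs:
        if not r["client"].startswith("127."):
            last_external[r["qname"]] = r["ts"]
            continue
        seen = last_external.get(r["qname"])
        if seen is not None and r["ts"] - seen <= window:
            correlated.append(r)
        else:
            uncorrelated.append(r)
    return correlated, uncorrelated
```

Running triage(SAMPLE_LOG) puts the two news.lawsorsing.com localhost queries in the correlated list and leaves only the f5-hk01.gtm.lenovo.com one for manual review.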