[dns-operations] Question about logger querys with registers points to 127.0.0.1

Eduardo Romero Urra eromerou at interior.gov.cl
Wed Oct 14 16:03:47 UTC 2015


Hi, 

I'm logging the named queries on one of the public resolver servers (ISP), but after some research we detected some queries that are logged as if generated by the server itself, from the '127.0.0.1' address. In some cases the query points to a hostname that also resolves to '127.0.0.1', for example:


28-Sep-2015 09:09:21.528 client 127.0.0.1#28082: query: f5-hk01.gtm.lenovo.com IN A -E 

Non-authoritative answer:
Name: f5-hk01.gtm.lenovo.com 
Address: 127.0.0.1 

The queries do not always point to a host that resolves to '127.0.0.1', but the strange thing is that the origin is marked as localhost, and these are always logged as using the "EDNS mechanism" (-E), after a regular query came in previously, for example:


05-Sep-2015 01:32:20.756 client some-ip-public-client.(1.2.3.4)#53347: query: news.lawsorsing.com IN A + 
05-Sep-2015 01:32:20.766 client some-ip-public-client.(1.2.3.4)#34024: query: news.lawsorsing.com IN A + 

and a few seconds later, the "local queries" are generated:

05-Sep-2015 01:32:21.160 client 127.0.0.1#25468: query: news.lawsorsing.com IN A -E 
05-Sep-2015 01:32:21.161 client 127.0.0.1#2345: query: news.lawsorsing.com IN A -E 

Could someone explain this, please? The last lines "alone" could produce a false positive that the server may be compromised, because it is generating queries itself. I suppose that the EDNS mechanism could be the cause.

The situation is very common with '*.gtm.lenovo.com' GTM sites.


Regards 
Eduardo. 
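
One way to triage the pattern described in the message above, added here as an example and not part of the original post: it parses query-log lines in the quoted format and reports, for each loopback-sourced query, whether an external client asked for the same name shortly before. The sample lines, the 5-second window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the query-log format quoted in the post;
# client addresses and names are documentation placeholders.
SAMPLE_LOG = """\
05-Sep-2015 01:32:20.756 client 192.0.2.10#53347: query: news.example.com IN A +
05-Sep-2015 01:32:20.766 client 192.0.2.10#34024: query: news.example.com IN A +
05-Sep-2015 01:32:21.160 client 127.0.0.1#25468: query: news.example.com IN A -E
05-Sep-2015 01:32:21.161 client 127.0.0.1#2345: query: news.example.com IN A -E
05-Sep-2015 02:10:00.000 client 127.0.0.1#40000: query: orphan.example.net IN A -E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) client (?P<src>\S+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")
LOOPBACK = {"127.0.0.1", "::1"}

def parse(log_text):
    """Turn query-log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d-%b-%Y %H:%M:%S.%f")
        e["rd"] = e["flags"].startswith("+")   # +/- is the Recursion Desired bit
        e["edns"] = "E" in e["flags"]          # E means the query used EDNS
        events.append(e)
    return events

def correlate_loopback(events, window=timedelta(seconds=5)):
    """For every loopback-sourced query, name the external client that asked
    for the same name/type within `window` before it, or None if nobody did."""
    last_external, report = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["qname"].lower().rstrip("."), e["qtype"])
        if e["src"] not in LOOPBACK:
            last_external[key] = e
            continue
        prev = last_external.get(key)
        near = prev is not None and e["ts"] - prev["ts"] <= window
        report.append({"ts": e["ts"], "qname": e["qname"], "flags": e["flags"],
                       "preceded_by": prev["src"] if near else None})
    return report

if __name__ == "__main__":
    for row in correlate_loopback(parse(SAMPLE_LOG)):
        status = f"follows {row['preceded_by']}" if row["preceded_by"] else "UNEXPLAINED"
        print(row["ts"], row["qname"], row["flags"], status)
```

Loopback queries with no preceding external query for the same name are the ones worth a closer look; the rest can be set aside as following a client request.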
