[dns-operations] Question about logger querys with registers points to 127.0.0.1

Robert Edmonds edmonds at mycre.ws
Wed Oct 14 20:43:04 UTC 2015 

"f5-hk01.gtm.lenovo.com" is one of the nameservers for the
gtm.lenovo.com zone.  "-" in the named query log indicates a
non-recursive query (RD bit cleared), and "E" indicates a query that
uses EDNS.  That sounds like the kind of query that would be sent by a
(modern) recursive DNS server looking up a name under the gtm.lenovo.com
zone rather than a query sent by a tool like nslookup, but it's
interesting that such a query was sent to your nameserver (and by
something running on the machine itself), rather than being sent to the
Lenovo nameservers.

It sounds like you have something that initiates DNS queries that is not
the nameserver itself running on the same machine as the nameserver.
You might try checking to see if there are any processes that might be
the culprit using tools like ps, netstat, lsof, etc., or possibly you
might have some exotic firewall rules installed that cause your
nameserver to receive DNS queries from source address 127.0.0.1.

Eduardo Romero Urra wrote:
> Hi, 
> 
> I've a logging the named querys on one of public resolver server (ISP) , but after researching we detect some querys that are logged as generated seems itlsef as '127.0.0.1' address, in some of cases the query points to a hostname that resolves also as '127.0.0.1', for example: 
> 
> 
> 28-Sep-2015 09:09:21.528 client 127.0.0.1#28082: query: f5-hk01.gtm.lenovo.com IN A -E 
> 
> N on-authoritative answer: 
> Name: f5-hk01.gtm.lenovo.com 
> Address: 127.0.0.1 
> 
> Not always the querys points to resolv host with result '127.0.0.1' , but the strange is the origen marked as localhost came from, and always logs using "EDNS mechanism" ( -E ), previously came from a regular query, for example 
> 
> 
> 05-Sep-2015 01:32:20.756 client some-ip-public-client.(1.2.3.4)#53347: query: news.lawsorsing.com IN A + 
> 05-Sep-2015 01:32:20.766 client some-ip-public-client.(1.2.3.4)#34024: query: news.lawsorsing.com IN A + 
> 
> and few seconds later, the "local query" are generated: 
> 
> 05-Sep-2015 01:32:21.160 client 127.0.0.1#25468: query: news.lawsorsing.com IN A -E 
> 05-Sep-2015 01:32:21.161 client 127.0.0.1#2345: query: news.lawsorsing.com IN A -E 
> 
> Someone could explain this please, because the last lines "alone" could made a false positive that the server maybe compromise because are generating query itself. I've suppose that EDNS mechanism could be the cause. 
> 
> The situation is very common with '*.gtm.lenovo.com' GTM sites . 
> 
> 
> Regards 
> Eduardo. 

-- 
Robert Edmonds

More information about the dns-operations mailing list