Bogus LOOPBACK A RR {Scanned}

Mark Andrews Mark_Andrews at isc.org
Sun Mar 20 22:59:14 UTC 2005 

> Hi,
> 
> I just found something very concerning in my log files whereby my primary 
> name server seems to have added a loopback (localhost) address which is NOT 
> owned by us. Can someone please tell me more details on what the following 
> lines mean and if I should be concerned with it:
> 
> ns_forw: query(29.192.115.200.IN-ADDR.ARPA) Bogus LOOPBACK A RR 
> (localhost:127.0.0.1) learnt (A=localhost:NS=200.115.192.29): 1 Time(s)
> ns_forw: query(29.192.115.200.IN-ADDR.ARPA) No possible A/AAAA RRs: 1 
> Time(s)
> 
> And more important how to prevent my name servers from allowing outsiders to 
> add localhost records to my servers?
> 
> Thanks,
> 
> SW 

	The 192.115.200.IN-ADDR.ARPA has a bogus NS RRset.  It should be

	192.115.200.IN-ADDR.ARPA. NS NS1.TELECENTRO.COM.AR.
	192.115.200.IN-ADDR.ARPA. NS NS2.TELECENTRO.COM.AR.

	not

	192.115.200.IN-ADDR.ARPA. NS localhost.

	The messages just say that named has detected the condition and
	is skipping the nameserver and after skipping the nameserver there
	were no other nameservers to try.

	You got this message because you attempted to lookup a second
	reverse entry in the zone and named attempted to use the cached
	NS record returned with the first query.

	The administrator, mmarinzulich at TELECENTRO.COM.AR, has been Bcc'd.

	Mark

; <<>> DiG 9.3.1 <<>> ptr 29.192.115.200.IN-ADDR.ARPA @NS2.TELECENTRO.COM.AR
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23998
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;29.192.115.200.IN-ADDR.ARPA.	IN	PTR

;; ANSWER SECTION:
29.192.115.200.IN-ADDR.ARPA. 604800 IN	PTR	ns1.telecentro.com.ar.

;; AUTHORITY SECTION:
192.115.200.IN-ADDR.ARPA. 604800 IN	NS	localhost.

;; ADDITIONAL SECTION:
localhost.		604800	IN	A	127.0.0.1

;; Query time: 379 msec
;; SERVER: 200.115.192.30#53(200.115.192.30)
;; WHEN: Mon Mar 21 09:48:09 2005
;; MSG SIZE  rcvd: 119

> -------------------------------------------------
>         WPPi.com        |        WPPi.Net
> -------------------------------------------------
>   http://www.wppi.com   |  http://www.wppi.net
> -------------------------------------------------
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -------------------------------------------------
> 
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list