Bogus LOOPBACK A RR {Scanned}
Mark Andrews
Mark_Andrews at isc.org
Sun Mar 20 22:59:14 UTC 2005
> Hi,
>
> I just found something very concerning in my log files whereby my primary
> name server seems to have added a loopback (localhost) address which is NOT
> owned by us. Can someone please tell me more details on what the following
> lines mean and if I should be concerned with it:
>
> ns_forw: query(29.192.115.200.IN-ADDR.ARPA) Bogus LOOPBACK A RR
> (localhost:127.0.0.1) learnt (A=localhost:NS=200.115.192.29): 1 Time(s)
> ns_forw: query(29.192.115.200.IN-ADDR.ARPA) No possible A/AAAA RRs: 1
> Time(s)
>
> And more important how to prevent my name servers from allowing outsiders to
> add localhost records to my servers?
>
> Thanks,
>
> SW

The 192.115.200.IN-ADDR.ARPA has a bogus NS RRset. It should be

	192.115.200.IN-ADDR.ARPA. NS NS1.TELECENTRO.COM.AR.
	192.115.200.IN-ADDR.ARPA. NS NS2.TELECENTRO.COM.AR.

not

	192.115.200.IN-ADDR.ARPA. NS localhost.

The messages just say that named has detected the condition and
is skipping the nameserver and after skipping the nameserver there
were no other nameservers to try.

You got this message because you attempted to look up a second
reverse entry in the zone and named attempted to use the cached
NS record returned with the first query.

The administrator, mmarinzulich at TELECENTRO.COM.AR, has been Bcc'd.

Mark

; <<>> DiG 9.3.1 <<>> ptr 29.192.115.200.IN-ADDR.ARPA @NS2.TELECENTRO.COM.AR
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23998
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;29.192.115.200.IN-ADDR.ARPA. IN PTR
;; ANSWER SECTION:
29.192.115.200.IN-ADDR.ARPA. 604800 IN PTR ns1.telecentro.com.ar.
;; AUTHORITY SECTION:
192.115.200.IN-ADDR.ARPA. 604800 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 604800 IN A 127.0.0.1
;; Query time: 379 msec
;; SERVER: 200.115.192.30#53(200.115.192.30)
;; WHEN: Mon Mar 21 09:48:09 2005
;; MSG SIZE rcvd: 119
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
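
An added example, not part of the original message and not BIND's own code: a small check that reads dig-style output and flags NS records whose target is localhost or whose glue in the ADDITIONAL section is a loopback address, which is the condition named reports above. The sample text is constructed from the response quoted in the message; the function names are assumptions.

```python
import ipaddress

# Constructed sample, modelled on the dig response quoted in the message.
SAMPLE = """\
;; QUESTION SECTION:
;29.192.115.200.IN-ADDR.ARPA. IN PTR
;; ANSWER SECTION:
29.192.115.200.IN-ADDR.ARPA. 604800 IN PTR ns1.telecentro.com.ar.
;; AUTHORITY SECTION:
192.115.200.IN-ADDR.ARPA. 604800 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 604800 IN A 127.0.0.1
"""

def parse_records(dig_text):
    """Yield (section, owner, rtype, rdata) for each RR line in dig output."""
    section = None
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0].upper()
            continue
        if not line or line.startswith(";"):
            continue  # blank lines, comments and the question entry
        fields = line.split()
        # Expected layout: owner TTL class type rdata...
        if len(fields) >= 5 and fields[1].isdigit():
            yield section, fields[0].lower(), fields[3].upper(), " ".join(fields[4:])

def bogus_delegations(dig_text):
    """Return (zone, ns_target, loopback_glue) for unusable NS records."""
    records = list(parse_records(dig_text))
    glue = {}
    for section, owner, rtype, rdata in records:
        if section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(ipaddress.ip_address(rdata))
    findings = []
    for section, owner, rtype, rdata in records:
        if rtype != "NS" or section not in ("ANSWER", "AUTHORITY"):
            continue
        target = rdata.lower()
        loop = [str(a) for a in glue.get(target, []) if a.is_loopback]
        if target in ("localhost", "localhost.") or loop:
            findings.append((owner, target, loop))
    return findings

if __name__ == "__main__":
    for zone, ns, addrs in bogus_delegations(SAMPLE):
        print(f"{zone}: NS {ns} is bogus (loopback glue: {addrs or 'none'})")
```

Running the same check against each authoritative server for a zone you operate shows whether any of them hands out a delegation that remote resolvers will skip.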