Public domains and hosts resolving to 127.0.0.1

Question

Our security systems are going crazy alerting us that hundreds of external DNS queries and responses are resolving to addresses like 127.0.0.1 and sometimes 0.0.0.0 to requests originating from our internal network.

Should I ignore this? Even public NSLOOKUP utilities are also showing the same result.

yagmoth555 · Answer 1 · 2015-08-10T16:07:32.093

0

Use a working DNS forwarder in your DNS server. (like 8.8.8.8 or your ISP DNS), and be sure your pc all use only your internal DNS server.

Flush the cache on your server and computer after

Edited:

After testing with a domain in error from my side it still resolve to 127.0.0.1. So now I think someone tried to protect itself from a DoS, and configured the local loopback in the DNS's entry as a attempt to un-route unwanted traffic. Nothing we can change for those DNS entry. So yes, I would ignore those warning if the machine that do the lookup are virus clean, as I would ask myself why the computer try to go there.

edited Aug 10 '15 at 16:07

answered Aug 01 '15 at 12:52

yagmoth555

16,300
4
26
48

We are already doing that. All endpoints are sending the requests to an internal DNS server which in turn forwards their external requests to an edge DNS server which forwards these requests to the ISP and back. – security_obscurity Aug 01 '15 at 13:22
wins or some local host file problem ? – yagmoth555 Aug 01 '15 at 16:43
Even from outside they're resolving to the same 127 addresses. – security_obscurity Aug 02 '15 at 02:11
@security_obscurity What dns name you try ? – yagmoth555 Aug 02 '15 at 03:59
Try for example img.mixplay.tv – security_obscurity Aug 02 '15 at 04:33
@security_obscurity From my ISP it answer 127.0.0.1 as of today. So now I think someone tried to protect itself from a DoS, and configured the local loopback as a attempt to un-route unwanted traffic. Will update my answer – yagmoth555 Aug 10 '15 at 16:05

Public domains and hosts resolving to 127.0.0.1

1 Answers1