RE: DNS oddity

Saw JBanana's gemlog yesterday about a weird phenomenon with DNS. Namely in the logs, the IP address 127.0.0.1 got logs as some Brazillian domain name. And the resolver runs in a NAT so no external entity could access it. Thus there mush be some issue somewhere.

I have an HTTP demon running locally. It's behind a NAT router, so it shouldn't receive requests from the internet. The stats the requests with IPs translated to names. I noticed a Brazillian host name listed which seems like it shouldn't be possible.

JBanana's original post - DNS oddity

I hope I can provide some insight into this. I'm not a DNS expert, but I managed my college's network while I was a student. Here's what I think is happening. It happen a few times to me. Hopefully I'm not wrong.

There's no enough data to decern what's causing the oddity in the post. However, usually (> 99.9% of cases) web logs uses revers DNS lookup to provide the hostname of the client. This is an old mechanism by essentially someone storing a PTR record on their DNS server to map IP to a domain name. AFAIK this was an quick anti-spam method used by mail servers. Needless to say, this is not secure at all. What likely happens in this case is the Brazillian domain operator (or your ISP) misconfigured their PTR record and set that to 127.0.0.1. And the reverse lookup by the local DNS found that.

Usually, most systems set localhost in their /etc/hosts file, or whatever the equivalent is on Windows. And the reverse lookup prioritize that over the DNS server. It's possible that JBanana doesn't have localhost setup in that way. Instead the local DNS is getting lookup requests for localhost. and returning 127.0.0.1 as a safe bet. Thus everything happens to work. But that could be un-implmented for reverse lookup. Thus the weirdness.

It's quick to confirm. Check /etc/hosts and run dig -x 127.0.0.1 on your local DNS server. If it returns the Brazillian domain name, then that's the cause. If not, some deeper config checking and debugging is needed.

Again, reverse lookup is not secure, don't trust the result.

Author's profile. Photo taken in VRChat by my friend Tast+
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict

I run TLGS, a major search engine on Gemini. Used by Buran by default.


  • marty1885 \at protonmail.com
  • Matrix: @clehaxze:matrix.clehaxze.tw
  • Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df