I have 2 Windows Server 2008 R2 DNS Servers which share the domain xyz.wan and reside in the 192.168.50.0/24 subnet of my network. Connected via IPSec VPN site-to-site are some other subnets (192.168.51.0/24, .52.0/24, etc.) which have their own reverse-lookup zones in Microsoft DNS.
Recently my servers began behaving strangely by resolving ALL addresses NOT in DNS (e.g. some static client on a remote site with no DNS record) to the own name, server1.xyz.wan, instead of showing the IP in Windows-perfmon.
Now I found out, that if I do a nslookup on either one of the 2 servers and enter some IP I don't even use, like 192.168.111.111, the other server responds with "localhost".
The DNS resolving works like a charm for everything in the domain. I also traced the packets with Wireshark:
192.168.50.161 192.168.50.163 DNS 88 Standard query PTR 111.111.168.192.in-addr.arpa
192.168.50.163 192.168.50.161 DNS 111 Standard query response PTR localhost
Can someone point me in the right direction of what is going on here? I just can't figure it out.
I would expect this to be a wildcard record in a reverse zone. Either it's a reverse zone that you manage, or your queries are leaking up to your upstream nameservers (probably your ISP) and the response is coming from there.
If the wildcard record were on your end, you'd find something along the lines of the following in the most applicable
X.168.192.in-addr.arpa.
zone:Since you would have been likely to spot this, it's probably more likely that 1) a corresponding
in-addr.arpa.
zone does not exist for the IP in question, and 2) the query is leaking to the upstream nameservers. You can confirm whether this is the case by running the strange reverse queries directly against them. (bypassing your local nameservers)This would not be the first time that an ISP has unusual reverse DNS data that they are exposing to their customers needlessly.