Solved Weird DNS resolution


banderas20

Hi!

I made a mistake writing a URL, and instead of writing domain.org, I typed domain.es. My browser pointed to my localhost, showing the Apache welcome page, since I have apache2 installed.

If I run dig or nslookup to domain.es, I get:

Code:
;; ANSWER SECTION:
domain.es.        7056    IN    A    127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: dom abr 30 18:14:02 CEST 2023
;; MSG SIZE  rcvd: 55

If I ping domain.org, I get the first request from 127.0.0.1.

When I run resolvectl status, my DNS server is the default gateway 192.168.1.1. I have nothing set in my hosts file, either.

So my question is, who has resolved domain.es to my own machine? :confused:

Thanks!
 


Sometimes people point a domain to localhost to later change to something else. Most likely the person has access to the DNS server hosting the domain. You can find out what nameserver hosts the domain by requesting the nameservers.
Code:
dig -t ns domain.es
 
Hi.

The thing is that I type domain.es in the URL bar and it takes me back to my client machine. It's a strange behaviour.....

Indeed, if I run dig -t ns domain.es I get a different result.


Code:
;; ANSWER SECTION:
domain.es.        7175    IN    NS    ns1.sedoparking.com.
domain.es.        7175    IN    NS    ns2.sedoparking.com.

Why is that so?

Thanks!
 
Those are the two nameservers of domain.es, so whoever has access to the DNS panel of the hosting provider for the domain can change (add/edit) records there. It's not a big deal that it's pointing to localhost; as said before, sometimes localhost is used as a placeholder for domains and they later replace it with a real IP.
 
/etc/nsswitch determines the order things get resolved in.

Usually it's files first, then dns. Sometimes that gets reversed.
 
@f33dm3bits , I get that. The placeholder explanation. But if that was the case, they would be diverted to localhost from the server side. And instead I'm seeing my own homepage. What if I didn't have Apache installed in my client machine? :(

@Rob , that's the first thing I checked. I have 2 lines. None of them about domain.es

@dos2unix here's the content of nsswitch:

Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mymachines
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Thanks!
 
domain.es resolves to 127.0.0.1 (localhost). Since you have Apache running, when you go to domain.es in your browser it will try to resolve it and try to load a web page. Since you have Apache installed and running and you have no virtualhost configured, Apache will load the first page it can load, which goes in alphabetical order; in your case that would be the welcome page. If you stopped or removed Apache, that page would not load anymore because nothing would be running on port 80.
 
The doubt is: who resolves to 127.0.0.1?
The DNS server hosting the domain.es domain, since you said you have not added it to your /etc/hosts file.
 
Sorry to ask a dumb question, but are we discussing an actual domain called "domain.es"? Especially the word, "domain"? ... or is it some random domain name like "acustomdomainhere.es" ?

For the record, I cannot replicate any of the issues above from a variety of systems when I look at "domain.es". The IP address for domain.es always comes up "80.92.65.144" and the authoritative nameservers are ns1.eurodns.com - ns4.eurodns.com.

This smells like a DNS configuration issue to me. Keep in mind that it could be an upstream DNS forwarder and not something that is locally configured.
 
Hi. No worries. It's not domain.es literally. It's pandora.es. But it only happens with that word. I have grepped my entire /etc/ dir to see if I have hardcoded it somewhere, without results.

Thanks everyone!
 
I get the same thing when requesting an answer.
Code:
;; ANSWER SECTION:
pandora.es.        7198    IN    A    127.0.0.1
So it's configured on the nameservers of that domain that it should be resolved to localhost.
 
I found the same thing:

$ host pandora.es
pandora.es has address 127.0.0.1
pandora.es mail is handled by 0 localhost.

The nameservers for pandora.es are "ns1.sedoparking.com" and "ns2.sedoparking.com". The "sedoparking" implies to me that it is a parked domain that is not in active use.
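
A way to answer "who resolved this name to 127.0.0.1?" one layer at a time, as an added example that is not part of any post in this thread: it reads the nsswitch lookup order, checks the hosts file, asks the system resolver, and then asks each authoritative nameserver directly. The function names are made up for illustration; `trace_loopback` needs `dig` and network access, while the other functions only parse text from stdin.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): locate the layer that answers 127.0.0.1.

# dig output for domain.es as posted in the thread, used as offline sample input.
sample_dig_output() {
    cat <<'EOF'
;; ANSWER SECTION:
domain.es.        7056    IN    A    127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
EOF
}

# stdin: dig output. Prints "name address" for each A record in 127.0.0.0/8.
loopback_a_records() {
    awk '$3 == "IN" && $4 == "A" && $5 ~ /^127\./ { print $1, $5 }'
}

# stdin: nsswitch.conf. Prints the "hosts:" sources in lookup order,
# skipping [STATUS=action] items.
hosts_sources() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# stdin: hosts-format file. Succeeds if $1 is listed as a name or alias.
in_hosts_file() {
    awk -v n="$1" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit !found }'
}

# Live check (needs network and dig): local files, then the system resolver,
# then each authoritative nameserver asked directly without recursion.
trace_loopback() {
    name=$1
    echo "lookup order: $(hosts_sources < /etc/nsswitch.conf | tr '\n' ' ')"
    if in_hosts_file "$name" < /etc/hosts; then echo "listed in /etc/hosts"; fi
    echo "system resolver: $(dig +noall +answer "$name" A | loopback_a_records)"
    for ns in $(dig +short NS "$name"); do
        echo "$ns: $(dig +noall +answer +norecurse "@$ns" "$name" A | loopback_a_records)"
    done
}
# Usage: trace_loopback domain.es
```

If the authoritative servers themselves print a loopback record, the answer comes from the domain's zone and not from the hosts file, the local stub at 127.0.0.53 or the gateway.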
 
When I 'whois pandora.es' I get this message:

This TLD has no whois server, but you can access the whois database at

Well, I've studied a great deal of Grecian history. We all kinda remember the story of Pandora and her box. What we often forget is that the Greeks were pretty sure fate was the answer. Because of this, and this is what is often forgotten or not even mentioned, there was one item left in the box. That item was hope. Humans could have it all, except for hope ('cause, fate).

So, if this situation seems hopeless, you now know why...

Now, I did find an online site that would let me whois the domain name.


That site gives me the information that is above, like the nameservers. Anywhere else I try (and I tried a few, plus locally through my terminal) gives me no information.

Even a recent nameserver change (can take a while to propagate, days even) wouldn't explain this.
 

