Reverse lookup queries to 127.0.0.1 sent upstream

Butschi · May 6, 2025, 2:39pm

I was wondering why my personal firewall was asking me to allow ICMP packets to a public IPv4 address (45.76.93.104) from a remote access software client (that I only ever use to connect to private network ip addresses on a LAN or via VPN).

A reverse lookup shows the IP belongs to Vultr (?) and the associated domain name resolves to localhost via an A record pointing at 127.0.0.1. Great!

$dig 45.76.93.104.vultrusercontent.com @8.
8.8.8

; <<>> DiG 9.10.6 <<>> 45.76.93.104.vultrusercontent.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47154
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;45.76.93.104.vultrusercontent.com. IN	A

;; ANSWER SECTION:
45.76.93.104.vultrusercontent.com. 900 IN CNAME	vultrusercontent.com.
vultrusercontent.com.	900	IN	A	127.0.0.1

;; Query time: 1097 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 06 11:20:39 CEST 2025
;; MSG SIZE  rcvd: 92

Pi-hole logs showed this:

2025-date 10:57:37.638 forwarded 127.0.0.1 to 9.9.9.9
2025-date 10:57:37.646 reply 127.0.0.1 is NXDOMAIN

2025-date 10:58:04.089 query[A] 45.76.93.104.vultrusercontent.com from 192.168.x.x
2025-date 10:58:04.091 forwarded 45.76.93.104.vultrusercontent.com to 9.9.9.9
2025-date 10:58:04.159 reply 45.76.93.104.vultrusercontent.com is <CNAME>
2025-date 10:58:04.160 reply vultrusercontent.com is 127.0.0.1

So I guess my question is: Shouldn't Pi-hole prevent reverse lookups of 127.0.0.1 to upstream DNS servers or is there any legitimate reason for this lookup? Am I missing something here?

Ladrien · May 6, 2025, 6:12pm

The person in charge of the DNS records for vultrusercontent.com has put 127.0.0.1 as the value for that A record. pi-hole is just relaying that information.

rdwebdesign · May 6, 2025, 6:29pm

The domain above is registered with 127.0.0.1:

Butschi · May 6, 2025, 9:45pm

Maybe I should rephrase my question: Is there any legitimate reason (that I might be missing) to do this (setting an A record to 127.0.0.1) other than laziness, bad practice or malicious intent? Or for a reverse lookup for 127.0.0.1 to be passed on to the public DNS system at all?

If there is not (and either way imo), would it not be reasonable for Pi-hole to prevent the passing on to upstream DNS servers of any reverse lookups to 127.0.0.x IPs? Maybe as an option to allow it for those who really want 127.0.0.1 to point to some (random or not) domain on their systems, although in this case a local DNS record could be assigned in Pi-hole ¯\_(ツ)_/¯.

Bucking_Horn · May 7, 2025, 1:06pm

That's not a reverse lookup - it's a no sensical lookup for a domain name of 127.0.0.1, which is forwarded on as any other non-blocked domain, and answered by NXDOMAIN.
A reverse lookup would look like:

query[PTR] 1.0.0.127.in-addr.arpa from 192.168.x.x

There could be, e.g. if that site would be involved in VPN / private relay operations - but ultimately, that would be a question for the maintainer's of vultrusercontent.com.