The Country of Vietnam Resolves to Localhost

I don&#x27;t quite understand what this means: &quot;out of the nearly 5 million banners in Shodan for Vietnam 1.5 million of them resolve to localhost.&quot; &quot;there are a total of 1,528,188 banners in Shodan that resolve to localhost&quot;.<p>I can gather that this is the company Shodan, and that they make reports regarding internet connected devices, but what is a &#x27;banner&#x27; is this instance?

&gt; every customer&#x27;s IP resolves back to localhost<p>What does this even mean?<p>First of all, what does it mean than an IP resolves to a hostname? I thought it&#x27;s the otherway around: hostnames resolve to IPs.<p>Second, isn&#x27;t this .. normal? localhost is always your local machine.<p>Please help me understand

Can someone explain how this link has made it to number one on the front page, when it seems from the comments that no one understands what the page is saying?

Based on some very rough sampling, a significant majority of the addresses allocated to VDC in the 123.16&#x2F;16 network reverse resolve to localhost. This appears to be intended behavior, and accounts for ~70% of the numbers in the Shodan report.<p><pre><code> $ dig @8.8.8.8 -x 123.16.0.0 ; &lt;&lt;&gt;&gt; DiG 9.8.3-P1 &lt;&lt;&gt;&gt; @8.8.8.8 -x 123.16.0.0 ; (1 server found) ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 29897 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;0.0.16.123.in-addr.arpa. IN PTR ;; ANSWER SECTION: 0.0.16.123.in-addr.arpa. 21265 IN PTR localhost. ;; Query time: 64 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Feb 18 08:14:37 2015 ;; MSG SIZE rcvd: 64 $ </code></pre> In fact, if you go through the list of networks advertised by AS45899 [1], I imagine that you&#x27;d find this is the case for quite a few of them. A quick look indicates this to be true.<p>[1]: <a href="http://bgp.he.net/AS45899#_prefixes" rel="nofollow">http:&#x2F;&#x2F;bgp.he.net&#x2F;AS45899#_prefixes</a>

I don&#x27;t know what they are referring to. I noticed that Vietnam Posts and Telecommunications Group owns 123.30.128.0&#x2F;18 and 203.162.0.0&#x2F;23 and a lot of IPs from those subnets have a PTR record of static.vdc.vn.<p>However, static.vdc.vn resolves to 203.162.0.78, not 127.0.0.1<p>There is another large network, 113.160.0.0&#x2F;113.191.255.255 that seems to have PTR records of static.vnpt-hanoi.com.vn for all IPs, however that hostname has no A&#x2F;AAAA record.<p>Pretty sloppy.<p>Looks like this has nothing to do with DNS, instead it&#x27;s the hostname the machine displays in its banners for services like FTP or SSH.

VN here. It&#x27;s hostname of DNS server. I traced route to any domain and got the server IP.<p><a href="http://www.ip-tracker.org/locator/ip-lookup.php?ip=113.165.176.1" rel="nofollow">http:&#x2F;&#x2F;www.ip-tracker.org&#x2F;locator&#x2F;ip-lookup.php?ip=113.165.1...</a><p>BTW, I don&#x27;t know why they did that.

Banner here seems to refer to the &#x27;banner&#x27; output of ssh, or telnet, or some other service (those are the most likely however imho).<p>When you connect over services, the banner (the first information presented to the client, before authentication) can be configured to include the &#x27;hostname&#x27; setting of the server you have connected to.<p>If I am right about that, this means that the hostname setting of the server is still set to localhost, as it is default out of the box until configured.

It&#x27;s an old-known vulnerability (2009) used to bypass spam-filters: <a href="http://www.mounirorfi.com/blog/2015/02/18/why-vietnam-resolves-to-localhost/" rel="nofollow">http:&#x2F;&#x2F;www.mounirorfi.com&#x2F;blog&#x2F;2015&#x2F;02&#x2F;18&#x2F;why-vietnam-resolv...</a>

I don&#x27;t know who the target audience is but I think the author should include a small parenthesis explaining &quot;banner&quot;. I thought it was referring to their software crawling ad banners online or something.

Do you mean reverse DNS? Can you provide an example?

May be there are some bugs in shodan&#x27;s tracking system that always return &quot;localhost&quot;

Is &quot;banner&quot; an unusual translation of... hostname, i guess? I don&#x27;t get it.

How do “<i>banners in Shodan [...] resolve to localhost</i>”??? WTF??? This is quite cryptic. Luckily, I live not on Shodan, but on planet Earth where `localhost` resolves to 127.0.0.1.

can anyone explain is that significant or funny?

Can someone explain me what I have just read ?