Topic: receiving random DNS queries from m0n0wall's port 53
« on: November 16, 2008, 05:13:45 »
brgangoo *
Posts: 13

I have noticed that one of my computers behind m0n0wall has been ~~receiving~~ sending random DNS queries every 5 seconds for non-existent domain names (e.g. etihxdxh.com or dxiitidd.com).  They are always 8 letters long.

I've captured these packets in Wireshark and it appears that they ~~originate from~~ target the m0n0wall box (192.168.1.1:53) and ~~are destined to~~ originate from the desktop (192.168.1.198:various ports).  No other computer behind the same firewall (same subnet) receives these packets.  Antivirus software hasn't picked up anything suspicious on this desktop either.  Any ideas what could be going on?  Is this somehow related to the DNS poisoning vulnerability that came to light earlier this year?

My current configuration in m0n0wall:

WAN:  HSI (cable); IP received via DHCP
DNS forwarding is enabled
DNS servers:  manually entered Level3 nameservers (4.2.2.2 and 4.2.2.3).

My ISP nameservers seem to pass on even more DNS "garbage" to my computer... all sorts of requests for non-existent domains.


Attachment: p53.PNG
« Last Edit: November 23, 2008, 07:20:06 by brgangoo »
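The pattern described in this post (one host asking the forwarder for a fresh 8-letter .com name every ~5 seconds and never getting an answer) is easier to pick out of a capture or forwarder log by per-host statistics than by staring at individual names. The script below is an added example, not code from the original post or from the m0n0wall project; the log lines are constructed in a simple "time src dst qname rcode" layout (as one might export from Wireshark), and the thresholds, function names and the second "normal" host are assumptions for illustration.

```python
"""Flag LAN hosts that emit periodic, random-looking, unanswered DNS queries.

Added example for this thread (not from the original post).  Input is a
constructed text export in the form "<seconds> <src> <dst> <qname> <rcode>";
thresholds below are assumptions, not values taken from the thread.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 192.168.1.198 asks the forwarder (192.168.1.1) for a
# new 8-letter .com every ~5 s and gets NXDOMAIN each time, while
# 192.168.1.50 resolves ordinary names at irregular intervals.
SAMPLE_LOG = """\
0.000 192.168.1.198 192.168.1.1 etihxdxh.com NXDOMAIN
1.312 192.168.1.50 192.168.1.1 www.example.com NOERROR
5.004 192.168.1.198 192.168.1.1 dxiitidd.com NXDOMAIN
7.880 192.168.1.50 192.168.1.1 mail.example.com NOERROR
10.001 192.168.1.198 192.168.1.1 qkfjhwpz.com NXDOMAIN
14.998 192.168.1.198 192.168.1.1 mbvtrsxu.com NXDOMAIN
20.003 192.168.1.198 192.168.1.1 zpqlwxhj.com NXDOMAIN
31.500 192.168.1.50 192.168.1.1 m0n0.ch NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (time, src, dst, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, qname, rcode = m.groups()
            yield float(t), src, dst, qname.lower().rstrip("."), rcode.upper()


def label_of(qname):
    """Registrable label, i.e. the part just before the TLD ('etihxdxh' for etihxdxh.com)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def summarize(records):
    """Per-source statistics: volume, NXDOMAIN share, name churn, label length, timing."""
    per_src = defaultdict(list)
    for t, src, _dst, qname, rcode in records:
        per_src[src].append((t, qname, rcode))
    out = {}
    for src, rows in per_src.items():
        rows.sort()  # by time
        times = [r[0] for r in rows]
        names = [r[1] for r in rows]
        rcodes = [r[2] for r in rows]
        intervals = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-query gap: near 0 means a timer.
        cv = None
        if len(intervals) >= 2 and mean(intervals) > 0:
            cv = pstdev(intervals) / mean(intervals)
        out[src] = {
            "queries": len(rows),
            "nxdomain_ratio": rcodes.count("NXDOMAIN") / len(rows),
            "distinct_ratio": len(set(names)) / len(rows),
            "label_lengths": sorted({len(label_of(n)) for n in names}),
            "mean_interval": mean(intervals) if intervals else None,
            "interval_cv": cv,
            "examples": names[:3],
        }
    return out


def flag_beaconing_resolvers(text, min_queries=4, min_nx=0.8, max_cv=0.2):
    """Return {src: stats} for hosts whose DNS traffic matches the thread's symptom:
    enough queries, almost all NXDOMAIN, almost all distinct names, a single
    label length, and a regular interval.  Thresholds are assumed defaults."""
    flagged = {}
    for src, s in summarize(parse_log(text)).items():
        if (s["queries"] >= min_queries
                and s["nxdomain_ratio"] >= min_nx
                and s["distinct_ratio"] >= 0.9
                and len(s["label_lengths"]) == 1
                and s["interval_cv"] is not None
                and s["interval_cv"] <= max_cv):
            flagged[src] = s
    return flagged


if __name__ == "__main__":
    for src, s in flag_beaconing_resolvers(SAMPLE_LOG).items():
        print(f"{src}: {s['queries']} queries, every {s['mean_interval']:.2f}s, "
              f"label length {s['label_lengths']}, e.g. {', '.join(s['examples'])}")
```

The detector deliberately scores the host rather than each name: an individual 8-letter label such as dxiitidd.com is not reliably distinguishable from a real hostname, but a host that produces a new never-resolving name of the same length on a fixed timer is. On the Windows XP side, note that a `netstat -ano` snapshot is unlikely to catch the sender: the query is sent from a short-lived UDP socket, and on XP the DNS Client service (running inside svchost.exe) performs lookups on behalf of whichever program asked, so the socket, even if seen, would point at svchost rather than the originating process.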
« Reply #1 on: November 18, 2008, 20:02:49 »
cmb *****
Posts: 851

Your computer has to be initiating that, m0n0wall won't just randomly send a bunch of NXDOMAIN DNS replies.
« Reply #2 on: November 23, 2008, 07:15:56 »
brgangoo *
Posts: 13

Silly me...I did not recognise that I had it backwards when explaining the situation.  It does appear that the suspected computer initiates the DNS requests.

However, I cannot pinpoint the cause of these requests.  This is a WinXP box and I have checked the running background processes with the 'netstat -ano' command:

tcp 0.0.0.0:xxxx to 0.0.0.0:0
port 135 - svchost.exe (network service)
port 445 - System
port 5729 - services.exe
port 5734 - services.exe

udp 0.0.0.0:xxxx to *:*
port 445 - System

Antivirus and antispyware do not detect anything suspicious nor am I aware of any advisories that show similar symptoms.  Any ideas what could be initiating these requests?


Attachment: dns.PNG
« Last Edit: November 23, 2008, 07:25:36 by brgangoo »
« Reply #3 on: November 23, 2008, 19:07:56 »
knightmb ****
Posts: 341

It might be some home brew virus/trojan or a malfunctioning windows service.  Home brew virus/trojan won't be found in any anti-virus scanner because it's not popular enough for their definitions.  A bad windows service could be running in the background doing things it shouldn't.

It's tough to say given the info.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com