Topic: receiving random DNS queries from m0n0wall's port 53
receiving random DNS queries from m0n0wall's port 53
« on: November 16, 2008, 05:13:45 »
brgangoo
Posts: 13
I have noticed that one of my computers behind m0n0wall has been sending random DNS queries every 5 seconds for non-existing domain names (e.g. etihxdxh.com or dxiitidd.com). They are always 8 letters long.
I've captured these packets in Wireshark and it appears that they target the m0n0wall box (192.168.1.1:53) and are originating from the desktop (192.168.1.198:various ports). No other computer behind the same firewall (same subnet) receives these packets. Antivirus software hasn't picked anything suspicious on this desktop either. Any ideas what could be going on? Is this somehow related to the DNS poisoning vulnerability that came to light earlier this year?
My current configuration in m0n0wall:
WAN: HSI (cable); IP received via DHCP
DNS forwarding is enabled
DNS servers: manually entered in Level3 nameservers (4.2.2.2 and 4.2.2.3).
My ISP nameservers seem to pass on even more DNS "garbage" to my computer... all sorts of requests for non-existing domains.
« Last Edit: November 23, 2008, 07:20:06 by brgangoo »
Re: receiving random DNS queries from m0n0wall's port 53
« Reply #1 on: November 18, 2008, 20:02:49 »
cmb
Posts: 851
Your computer has to be initiating that, m0n0wall won't just randomly send a bunch of NXDOMAIN DNS replies.
Re: receiving random DNS queries from m0n0wall's port 53
« Reply #2 on: November 23, 2008, 07:15:56 »
brgangoo
Posts: 13
Silly me...I did not recognise that I had it backwards when explaining the situation. It does appear that the suspected computer initiates the DNS requests.
However, I cannot pinpoint the cause for these requests. This is a WinXP box and I have checked to see running background processes with the 'netstat -ano' command:
tcp 0.0.0.0:xxxx to 0.0.0.0:0
port 135 - svchost.exe (network service)
port 445 - System
port 5729 - services.exe
port 5734 - services.exe
udp 0.0.0.0:xxxx to *:*
port 445 - System
Antivirus and antispyware do not detect anything suspicious nor am I aware of any advisories that show similar symptoms. Any ideas what could be initiating these requests?
« Last Edit: November 23, 2008, 07:25:36 by brgangoo »
Re: receiving random DNS queries from m0n0wall's port 53
« Reply #3 on: November 23, 2008, 19:07:56 »
knightmb
Posts: 341
It might be some home brew virus/trojan or a malfunctioning Windows service. Home brew virus/trojan won't be found in any anti-virus scanner because it's not popular enough for their definitions. A bad Windows service could be running in the background doing things it shouldn't.
It's tough to say given the info.
Radius Service for m0n0wall Captive Portal -
http://amaranthinetech.com
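Added example, not part of any post in this thread: one way to confirm from capture data the pattern the thread describes, by flagging a client whose failed lookups are all-letter names of one fixed length arriving at a steady interval. The record layout, the function name and the thresholds are assumptions; apart from the two domain names quoted in the first post, the sample rows are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed capture rows: (seconds, client IP, query name, response code).
# Only the first two names are quoted in the thread; the rest are made up.
SAMPLE = [
    (0.0, "192.168.1.198", "etihxdxh.com", "NXDOMAIN"),
    (5.0, "192.168.1.198", "dxiitidd.com", "NXDOMAIN"),
    (10.1, "192.168.1.198", "qhdxtiex.com", "NXDOMAIN"),
    (15.0, "192.168.1.198", "xdtehiqd.com", "NXDOMAIN"),
    (20.0, "192.168.1.198", "hxidteqx.com", "NXDOMAIN"),
    (3.0, "192.168.1.50", "example.com", "NOERROR"),
    (9.0, "192.168.1.50", "exmaple.com", "NXDOMAIN"),   # a one-off typo lookup
    (40.0, "192.168.1.50", "example.org", "NOERROR"),
]


def beaconing_clients(records, min_names=5, max_jitter=1.0):
    """Return {client: summary} for hosts whose failed lookups look generated.

    Hypothetical helper; thresholds are assumptions to tune per network.
    """
    failed = defaultdict(list)
    for ts, client, qname, rcode in records:
        parts = qname.rstrip(".").lower().split(".")
        # Use the label left of the TLD (no public-suffix handling here).
        if rcode == "NXDOMAIN" and len(parts) >= 2 and parts[-2].isalpha():
            failed[client].append((ts, parts[-2]))

    flagged = {}
    for client, hits in failed.items():
        hits.sort()
        labels = {label for _, label in hits}
        lengths = {len(label) for label in labels}
        # Need several distinct names, all of one length (8 in the thread).
        if len(labels) < max(min_names, 2) or len(lengths) != 1:
            continue
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        # A timer-driven sender keeps every gap close to the median gap.
        if all(abs(gap - period) <= max_jitter for gap in gaps):
            flagged[client] = {"names": len(labels),
                               "label_len": lengths.pop(),
                               "period_s": round(period, 1)}
    return flagged


if __name__ == "__main__":
    print(beaconing_clients(SAMPLE))
```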