PC calling DNS nameserver every 10 seconds
I have 4 computers all using Ubuntu 12.04 all set up similarly but one of them is continuously calling the DNS nameserver every 10 or 20 seconds (not sure from the logs) but the network monitor is showing activity in/out every 10. Syslog says 20 and that it is a kernel notification.
I've tried blocking it with ufw but that hasn't given me any clue. Wireshark shows the source as IntelCor_<hex> and comparing it with the other 3 computers hasn't helped. Looking at running processes with top hasn't helped either. Anybody have any other ideas before I rebuild this one?
Quote:
Code:
xterm -T TCPdump +sb -g 80x45 -e sudo tcpdump -q -t -i eth0
Thanks for the suggestion. Tried that but it didn't tell me anything new. I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog. Just knowing what is initiating the calls would be halfway to solving it.
I noticed while checking with top that in the command column http was listed, which it isn't in the other computers.
Quote:
Code:
pgrep httpd|xargs -iX lsof -Pwlnp 'X' -a -i
From wireshark:
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
From syslog with all outgoing blocked by the firewall:
Feb 19 08:40:13 HP-dv2500 kernel: [ 1652.209510] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=10372 DF PROTO=UDP SPT=40135 DPT=53 LEN=34
Feb 19 08:40:33 HP-dv2500 kernel: [ 1672.210942] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=15372 DF PROTO=UDP SPT=53249 DPT=53 LEN=34
Not sure when I saw it as ICMP, so best ignore that for now. You're quite right, that doesn't make any sense. Looking at running processes with top it was http I saw periodically; anyway, neither pgrep nor netstat produce any output, so http may have nothing to do with this, I don't know. I'll check out netfilter and post any useful findings. Thanks
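As an added example, not from anyone in the thread: the check a defender would run over [UFW BLOCK] lines like the ones above to confirm that the traffic is a fixed-interval beacon to a single resolver rather than ordinary lookups. The sample log lines are constructed in the thread's format (same host, addresses and ports; the timestamps and IDs are made up), and the grouping key and tolerance are my own choices.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: four blocked DNS packets in the thread's [UFW BLOCK] format
# (host, addresses and ports as in the thread) plus one unrelated TCP packet.
SAMPLE_SYSLOG = """\
Feb 19 08:40:13 HP-dv2500 kernel: [ 1652.209510] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=10372 DF PROTO=UDP SPT=40135 DPT=53 LEN=34
Feb 19 08:40:33 HP-dv2500 kernel: [ 1672.210942] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=15372 DF PROTO=UDP SPT=53249 DPT=53 LEN=34
Feb 19 08:40:53 HP-dv2500 kernel: [ 1692.212101] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=20011 DF PROTO=UDP SPT=41002 DPT=53 LEN=34
Feb 19 08:41:13 HP-dv2500 kernel: [ 1712.213877] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=24890 DF PROTO=UDP SPT=39871 DPT=53 LEN=34
Feb 19 08:41:15 HP-dv2500 kernel: [ 1714.500000] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45000 DPT=80 LEN=40
"""

# The kernel uptime in brackets gives sub-second timing; syslog's clock is only whole seconds.
UFW_RE = re.compile(r"\[\s*(?P<uptime>[\d.]+)\]\s+\[UFW BLOCK\]\s+(?P<fields>.*)$")

def parse_ufw_blocks(text):
    """One dict per [UFW BLOCK] line: kernel uptime plus the KEY=VALUE fields we need."""
    records = []
    for line in text.splitlines():
        m = UFW_RE.search(line)
        if not m:
            continue
        # Tokens without '=' (such as the DF flag) are skipped; a repeated key keeps its last value.
        kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
        records.append({"ts": float(m.group("uptime")), "src": kv.get("SRC", ""),
                        "dst": kv.get("DST", ""), "proto": kv.get("PROTO", ""),
                        "dpt": int(kv["DPT"]) if kv.get("DPT") else None})
    return records

def find_periodic_flows(records, min_count=3, tolerance=0.2):
    """Group packets by (src, dst, proto, dpt); keep flows whose gaps are regular,
    i.e. every gap within `tolerance` of the median. Returns {flow: (count, median_gap)}."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["proto"], r["dpt"])].append(r["ts"])
    periodic = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            periodic[flow] = (len(stamps), round(med, 1))
    return periodic
```

Feed it `/var/log/syslog` (or `journalctl -k`) instead of the sample and a flow such as `('192.168.1.6', '85.214.20.141', 'UDP', 53)` with a steady 20 s gap is the beacon to chase with the socket-to-process tools suggested earlier.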
Quote:
If you (still?) have your packet capture then simply filter for UDP in Wireshark (or read it with 'tcpdump -r') and it should show you which host names it tries to resolve. That should give you some indication of what's going on.
Solved
First off, thanks for all the help and suggestions. From all the analysing I came to the conclusion there was nothing basically wrong with my install but that something was trying to get out. This got me looking at my home directory.
What I eventually did in the end was rather less technical but effective nonetheless: I backed up my .mozilla (firefox) profile and my .thunderbird (email) profile and deleted them. The spurious network traffic stopped on deleting the thunderbird profile. So it rather looks like something has crept into my email profile; I will investigate thunderbird further just in case it's not just the profile. I thought perhaps I was getting a little paranoid, but it does look like something was going on. Thanks guys.