Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 | 02-18-2013, 04:24 PM | jonhen (LQ Newbie; Registered: Feb 2013; Posts: 4)
PC calling DNS nameserver every 10 seconds
I have 4 computers all using Ubuntu 12.04, all set up similarly, but one of them is continuously calling the DNS nameserver every 10 or 20 seconds (not sure from the logs); the network monitor is showing activity in/out every 10. Syslog says 20 and that it is a kernel notification.
I've tried blocking it with ufw but that hasn't given me any clue. Wireshark shows the source as IntelCor_<hex> and comparing it with the other 3 computers hasn't helped. Looking at running processes with top hasn't helped either.
Anybody have any other ideas before I rebuild this one?
#2 | 02-18-2013, 05:10 PM | Senior Member (Registered: Oct 2004; Distribution: FreeBSD Arch; Posts: 1,649)
Quote:
continuously calling the DNS nameserver every 10 or 20 seconds
That sounds normal. Run tcpdump and see who it's talking to. Use your own term and eth device. Something like
Code:
xterm -T TCPdump +sb -g 80x45 -e sudo tcpdump -q -t -i eth0
#3 | 02-19-2013, 05:00 AM | jonhen, Original Poster (LQ Newbie; Registered: Feb 2013; Posts: 4)
Thanks for the suggestion. Tried that but it didn't tell me anything new. I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog. Just knowing what is initiating the calls would be halfway to solving it.
I noticed while checking with top that http was listed in the command column, which it isn't on the other computers.
#4 | 02-19-2013, 07:18 AM | unSpawn (Moderator; Registered: May 2001; Posts: 24,827)
Quote: Originally Posted by jonhen
continuously calling the DNS nameserver every 10 or 20 seconds
What is the actual host name the machine looks up continuously? (Since the machine as you say continuously calls the name server you could also tally requests by running 'dnstop' on the name server if you have access to it.)
Quote: Originally Posted by jonhen
I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog.
That does not make any sense at all. Please post output.
Quote: Originally Posted by jonhen
Just knowing what is initiating the calls would be halfway to solving it.
Netfilter allows you to filter traffic by UID using the "owner" module. Example here. If the machine runs the audit service check this.
Quote: Originally Posted by jonhen
I noticed while checking with top in the command column http was listed which it isn't in the other computers.
Is it "http" or "http d"? Anyway, just list what it does:
Code:
pgrep httpd|xargs -iX lsof -Pwlnp 'X' -a -i
# or
netstat -antupe | egrep "($(pgrep httpd -d "|"))"
Last edited by unSpawn; 02-19-2013 at 07:19 AM. Reason: //More *is* more
#5 | 02-19-2013, 09:30 AM | jonhen, Original Poster (LQ Newbie; Registered: Feb 2013; Posts: 4)
From wireshark:
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
From syslog with all outgoing blocked by the firewall:
Feb 19 08:40:13 HP-dv2500 kernel: [ 1652.209510] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=10372 DF PROTO=UDP SPT=40135 DPT=53 LEN=34
Feb 19 08:40:33 HP-dv2500 kernel: [ 1672.210942] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=15372 DF PROTO=UDP SPT=53249 DPT=53 LEN=34
Not sure when I saw it as ICMP so best ignore that for now. You're quite right that doesn't make any sense.
Looking at running processes with top, it was http I saw periodically. Anyway, neither pgrep nor netstat produce any output; http may have nothing to do with this, I don't know.
I'll check out netfilter and post any useful findings.
Thanks
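As an added example (not from the thread), the Python below parses [UFW BLOCK] lines like the two posted above, reports the gap between consecutive blocked UDP/53 packets, and shows how the SPT= value leads to the owning UID through /proc/net/udp, which is one answer to the "what is initiating the calls" question from post #4. The two log lines are the ones posted; the /proc/net/udp snapshot and the names parse_ufw_block, dns_query_intervals and socket_owner are constructed here.

```python
import re

# Constructed sample input: the two [UFW BLOCK] lines posted in the thread, 20 s apart by kernel uptime.
UFW_LOG = """\
Feb 19 08:40:13 HP-dv2500 kernel: [ 1652.209510] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=10372 DF PROTO=UDP SPT=40135 DPT=53 LEN=34
Feb 19 08:40:33 HP-dv2500 kernel: [ 1672.210942] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=15372 DF PROTO=UDP SPT=53249 DPT=53 LEN=34
"""

# Constructed /proc/net/udp snapshot: one socket bound to 192.168.1.6:40135 (hex 0601A8C0:9CC7) owned by uid 1000.
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 123: 0601A8C0:9CC7 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 45678 2 0000000000000000 0
"""

UFW_RE = re.compile(r"\[\s*(?P<uptime>\d+\.\d+)\] \[UFW BLOCK\] (?P<kv>.*)$")

def parse_ufw_block(line):
    """Return (kernel uptime in seconds, {field: value}) for a [UFW BLOCK] line, else None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        key, _, val = tok.partition("=")
        fields.setdefault(key, val)  # first LEN= is the IP length, the second the UDP length
    return float(m.group("uptime")), fields

def dns_query_intervals(log_text, dns_server=None):
    """Gaps in seconds between consecutive blocked UDP/53 packets, optionally only to one server."""
    times = []
    for line in log_text.splitlines():
        parsed = parse_ufw_block(line)
        if parsed is None:
            continue
        t, f = parsed
        if f.get("PROTO") == "UDP" and f.get("DPT") == "53" and dns_server in (None, f.get("DST")):
            times.append(t)
    return [round(b - a) for a, b in zip(times, times[1:])]

def socket_owner(proc_net_udp, local_port):
    """Map a local UDP port (the SPT= from the log) to (uid, inode); the inode names the process via /proc/<pid>/fd."""
    for line in proc_net_udp.splitlines()[1:]:
        cols = line.split()
        if int(cols[1].split(":")[1], 16) == local_port:
            return int(cols[7]), int(cols[9])
    return None

if __name__ == "__main__":
    print(dns_query_intervals(UFW_LOG), socket_owner(PROC_NET_UDP, 40135))
```

A resolver socket only lives for the round trip, so the /proc/net/udp lookup has to be taken while a query is in flight; the netfilter owner match mentioned in post #4 records the UID on every packet instead.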
#6 | 02-19-2013, 03:30 PM | Moderator (Registered: May 2001; Posts: 24,827)
Quote: Originally Posted by jonhen
From wireshark:
Code:
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
Common practice for SOHO LAN machines (behind CPE configured for residential use) is not to resolve any host names themselves but to forward questions to the provider's name servers, which then do recursion. Your LAN host is asking one name server (specifically the FoeBuD one, mentioned in the CCC DNS HOWTO) to resolve a host name. This means it must have been explicitly configured to send its questions there. Quad A's are IPv6 records, meaning the LAN client doesn't have IPv6 disabled.
If you (still?) have your packet capture then simply filter for UDP in Wireshark (or read it with 'tcpdump -r') and it should show you which host names it tries to resolve. That should give you some indication of what's going on.
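To pull the queried names out of a capture programmatically rather than by scrolling through Wireshark, here is an added example that is not part of the thread: a small parser for raw DNS messages (the UDP payload of each port-53 packet) that returns each question's name and type, plus a tally in the style of dnstop. The sample message is constructed to match the thread's "Standard query AAAA hostname"; build_query, read_name, query_names and tally are names chosen here. It goes a little beyond the text by also following compression pointers and skipping responses.

```python
import struct
from collections import Counter

QTYPES = {1: "A", 28: "AAAA", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT"}

def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a minimal DNS query message, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN

def read_name(msg, off):
    """Decode the domain name at offset off, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # two-byte pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)

def query_names(msg):
    """Return [(name, qtype)] for each question of a DNS query; responses (QR=1) yield []."""
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        return []
    out, off = [], 12
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append((name, QTYPES.get(qtype, str(qtype))))
    return out

def tally(messages):
    """Count (name, qtype) across many messages, the way dnstop summarises a capture."""
    return Counter(q for m in messages for q in query_names(m))

if __name__ == "__main__":
    # The thread's 68-byte frames (14 Ethernet + 20 IP + 8 UDP + 26 DNS) fit this 26-byte message.
    sample = build_query("hostname", 28)
    print(len(sample), tally([sample, build_query("hostname", 1)]))
```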
#7 | 02-20-2013, 11:58 AM | jonhen, Original Poster (LQ Newbie; Registered: Feb 2013; Posts: 4)
Solved
First off, thanks for all the help and suggestions. From all the analysing I came to the conclusion there was nothing basically wrong with my install but that something was trying to get out. This got me looking at my home directory.
What I eventually did in the end was rather less technical but effective nonetheless: I backed up my .mozilla (firefox) profile and my .thunderbird (email) profile and deleted them. The spurious network traffic stopped on deleting the thunderbird profile. So it rather looks like something has crept into my email profile; I will investigate thunderbird further just in case it's not just the profile.
I thought perhaps I was getting a little paranoid but it does look like something was going on.
Thanks guys.