LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-01-2018, 06:03 PM   #1
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Too many DNS connections without using a browser


Here is the situation: I have a server with a static IP, configured to send its DNS requests not to my ISP's DNS name server but to another one on the web.
I installed iftop to monitor connections on the server. When I started it I saw too many connections to my router gateway IP on port 53. Normally, if I were accessing a website, this would be a natural thing, but the funny part is that the server is idle, and when I say a lot I mean really a lot of connections to 192.168.1.1:53.
From the time I started writing this message at least 100 requests were made, and I took 3 minutes to write it.

How can I stop this, or change the configuration on my server so that it connects to 192.168.1.1:53 only when necessary and not every second?

This starts and goes on for 4 minutes without stopping, then stops for a minute or 2, and then starts again for another 4 minutes.

An image showing the connections; this won't stop for about 4 minutes:
https://i.postimg.cc/K8RhYqJx/dns.jpg

Last edited by pedropt; 11-01-2018 at 06:10 PM.
 
Old 11-01-2018, 07:43 PM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Do you know which process issues these connection requests? Use
Code:
# ss -lup
(or netstat instead of ss) to find out.
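An added example, not from the thread: a resolver's UDP socket exists only for one query/response round trip, so a one-off `ss -lup` (which lists listening sockets only) or `netstat` will almost never show it. The script below polls `ss -Haunp` (all UDP sockets, no header, numeric, with the owning process; the process column needs root) many times a second and tallies which process had a socket connected to port 53. `SAMPLE_SS` is a constructed sample of the `ss` output format; the process name, PID and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): catch short-lived UDP resolver sockets
# by polling ss rapidly and attributing each one to its owning process.

# dns_peers_from_ss TEXT
#   TEXT is output as produced by: ss -Haunp
#   Prints "peer<TAB>process pid=N" for every socket whose peer port is 53.
dns_peers_from_ss() {
    printf '%s\n' "$1" | awk '
        {
            # address:port fields appear in order: local first, then peer
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /:/ && $i !~ /^users:/) { n++; addr[n] = $i }
            if (n < 2 || addr[2] !~ /:53$/) next
            proc = "unknown (run ss as root)"
            # users:(("spamd",pid=1234,fd=9)) -> spamd pid=1234
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)
                sub(/",pid=/, " pid=", s)
                proc = s
            }
            print addr[2] "\t" proc
        }'
}

# watch_dns_sockets SECONDS
#   Sample ss every 0.2 s for SECONDS and print a tally of peer/process pairs.
watch_dns_sockets() {
    secs=${1:-10}
    end=$(( $(date +%s) + secs ))
    while [ "$(date +%s)" -lt "$end" ]; do
        dns_peers_from_ss "$(ss -Haunp 2>/dev/null)"
        sleep 0.2
    done | sort | uniq -c | sort -rn
}

# Constructed sample (made-up process and addresses) in ss -Haunp format.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=705,fd=6))
ESTAB 0 0 192.168.1.10:45678 192.168.1.1:53 users:(("spamd",pid=1234,fd=9))'

# Usage on a live system (as root): watch_dns_sockets 60
# Offline check of the parser: dns_peers_from_ss "$SAMPLE_SS"
```

Polling is probabilistic: a query that completes between two samples is missed, so run it for a few minutes during one of the 4-minute bursts. If it points at a daemon, confirm with `strace -f -e trace=sendto,connect -p <pid>` on that process, which logs every socket it opens towards port 53 regardless of how short-lived it is.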
 
Old 11-02-2018, 12:56 PM   #3
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
Here's the thing: netstat is unable to catch those requests because they don't stay alive very long, and besides, DNS requests are UDP.
However, I was able to capture the packets using tcpdump, and this is what I got:
Quote:
router.home.domain > mail.home.14884: 5166| 6/0/0 TXT "MS=ms43658033", TXT "MS=ms83965111", TXT "facebook-domain-verification=ahz9csaiqrgqxhn2x1oddr1nj10ulk", TXT "google-site-verification=CHbdKXB3WSx31n7KYA9Iqw18sAKzTlJubzY_B-c3lVA", TXT "globalsign-domain-verification=AoB9OaMeIK4jzB0vbN2MEuWVvbXvVExmcN8sDk7lLe", TXT "v=spf1 include:_spf.icontact.com include:spf.protection.outlook.com ip4:66.162.193.226/31 ip4:65.123.29.213/32 ip4:65.123.29.220/32 include:4638697.spf08.hubspotemail.net ~all" (509)
router.home.domain > mail.home.53829: 9197| 3/0/0 TXT "docusign=11f01284-dffc-40f9-8d56-57e5261ede3f", TXT "448e0dc03e935ecf66d81f1ce3c26b2f2fea13756c031ffc4be91749107f3a79", TXT "v=spf1 ip4:199.101.162.0/25 ip4:108.174.3.0/24 ip4:108.174.6.0/24 ip4:108.174.0.0/24 ip6:2620:109:c00d:104::/64 ip6:2620:109:c006:104::/64 ip6:2620:109:c003:104::/64 ip6:2620:119:50c0:207::/64 ip4:199.101.161.130 mx mx:docusign.net ~all" (414)
mail.home.9136 > router.home.domain: Flags [S], seq 907892230, win 42340, options [mss 1460,sackOK,TS val 16964253 ecr 0,nop,wscale 11], length 0
So, as far as I can see, the requests are in transit on my ISP router, probably from another router on the same LAN, but somehow my email server is receiving the data too.

router.home.domain = my ISP router
mail.home = my server
 
Old 11-02-2018, 01:24 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Please use [code] tags, not [quote] tags, when posting output. They will preserve the layout and prevent the line wrapping.

I see IPs from Vocus, Inc. and AT&T in that output. Also evidence of email from LinkedIn.

Are you running your own name server? Is it the authoritative name server for your domain?
 
Old 11-02-2018, 03:02 PM   #5
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
No, scasey, this is just an email server.
My domain redirects traffic to my server IP.
But the strangest thing is that these are DNS requests, or something else that I am not aware of.
That log is just a bit of what I captured, because instagram is also in the dump, along with a lot of other websites that I never connect to and that my server has nothing to do with.
I am unable to block port 53 on the firewall or the server will not work.

Here is the latest dump:

This only happens for stuff received from port 53 on the ISP router to random ports on the mail server; however, the mail server does not respond to this stuff, but somehow these DNS communications do not appear as established connections because they don't stay alive very long.
Also, in netstat everything is normal.
https://pastebin.com/rMSkjJPM

Last edited by pedropt; 11-02-2018 at 03:19 PM.
 
Old 11-02-2018, 03:27 PM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374

Quote:
Originally Posted by pedropt View Post
but somehow these DNS communications do not appear as established connections because they don't stay alive very long.
That is the nature of UDP.

Is UDP:53 necessary for dns?
 
Old 11-02-2018, 03:45 PM   #7
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
Yes, it is necessary, because when the server makes a DNS request it uses port 53.
Example:
You type google.com; the DNS request goes out on port 53 to check which IP the domain google.com has and sends it back to the server.

My server uses amavis and spamassassin, which, when an IP connects to the email port, check whether that IP is OK or not at the Spamhaus and Barracuda servers.
There are a few protections on the server.
Last time I blocked port 53 on the firewall I had issues restarting the network interface.

The big problem here is that I have no idea which program on the server is making some of these DNS requests.

Examples from that dump:
Quote:
20:10:50.605679 IP mail.home.20260 > router.home.domain: 16810+ TXT? constantcontact.com. (37)
In this example the server asks for constantcontact.com!????

Is there any tool in Linux similar to netstat where I can grab the service making these connections?
Because some are legit but others I believe are not.
And I don't have avahi-daemon installed, because if I had it then I believe it would be worse.

Last edited by pedropt; 11-02-2018 at 03:50 PM.
 
Old 11-02-2018, 03:56 PM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

I don't see anything unusual here.
You've configured spamassassin to check incoming mail at RBLs...that uses DNS.
It looks like you're doing SPF checks...that uses DNS. Those TXT responses are about SPF checking, mostly.

Are you seeing any performance issues because of these queries? I really don't see anything to be concerned about.
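To see the pattern scasey describes in a long capture rather than by eye, here is an added example (not from the thread) that classifies each outgoing query in `tcpdump` text output: DNSBL lookups (the connecting IP's octets reversed under a blocklist zone, which is how spamd and amavis consult Spamhaus and Barracuda), TXT lookups (SPF records, DKIM keys and the site-verification records visible in the dump above), MX, PTR and plain address lookups. `SAMPLE_CAPTURE` is constructed in the thread's own `mail.home.PORT > router.home.domain: ID+ TYPE? name. (len)` format; the query IDs, lengths and the sample IP are made up.

```shell
#!/bin/sh
# Added example (not from the thread): classify the queries in a tcpdump
# capture of udp port 53 so the RBL/SPF traffic from the mail stack stands out.

# classify_dns_queries TEXT
#   TEXT is tcpdump output (with or without -n). Only outgoing query lines,
#   recognised by the "<id>+" recursion-desired marker, are considered.
#   Prints "class<TAB>queried-name" for each query.
classify_dns_queries() {
    printf '%s\n' "$1" | awk '
        {
            # locate the "<id>+" field; responses print "<id>", "<id>|" or "<id>*"
            q = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\+/) { q = i; break }
            if (q == 0) next
            # the record type ends with "?" and is followed by the name
            t = 0
            for (i = q + 1; i <= NF; i++) if ($i ~ /\?$/) { t = i; break }
            if (t == 0 || t == NF) next
            qtype = $t;       sub(/\?$/, "", qtype)
            qname = $(t + 1); sub(/\.$/, "", qname)
            class = "other"
            # reversed IPv4 octets under a blocklist zone = DNSBL reputation check
            if (qname ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\..*spamhaus\.org$/)
                class = "dnsbl:spamhaus"
            else if (qname ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.b\.barracudacentral\.org$/)
                class = "dnsbl:barracuda"
            else if (qtype == "TXT") class = "txt:spf/dkim/site-verification"
            else if (qtype == "MX")  class = "mx"
            else if (qtype == "PTR") class = "ptr"
            else if (qtype == "A" || qtype == "AAAA") class = "addr"
            print class "\t" qname
        }'
}

# tally_dns_queries TEXT: same, aggregated by class and name, most frequent first
tally_dns_queries() {
    classify_dns_queries "$1" | sort | uniq -c | sort -rn
}

# Constructed sample in the capture format used in this thread (made-up IDs,
# lengths and IP 66.162.193.226 taken from the SPF record posted above).
SAMPLE_CAPTURE='20:10:50.605679 IP mail.home.20260 > router.home.domain: 16810+ TXT? constantcontact.com. (37)
20:10:50.610001 IP mail.home.40112 > router.home.domain: 23456+ A? 226.193.162.66.zen.spamhaus.org. (49)
20:10:50.611002 IP mail.home.40113 > router.home.domain: 23457+ A? 226.193.162.66.b.barracudacentral.org. (55)
20:10:50.612003 IP mail.home.40114 > router.home.domain: 23458+ MX? docusign.net. (30)
20:10:50.650000 IP router.home.domain > mail.home.20260: 16810 3/0/0 TXT "v=spf1 ip4:199.101.162.0/25 ~all" (120)'

# Usage on a live system (as root):
#   tally_dns_queries "$(timeout 120 tcpdump -n -l udp port 53 2>/dev/null)"
# Offline check: tally_dns_queries "$SAMPLE_CAPTURE"
```

A burst dominated by `dnsbl:*` and `txt:*` classes that lines up with an inbound SMTP connection is the spam filter doing its job; names that show up as `other`, or queries that arrive with no SMTP session at all, are the ones worth chasing back to a process.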
 
Old 11-02-2018, 04:13 PM   #9
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
No, there are no performance issues, but these DNS calls are driving me crazy, because when I monitor the server's established connections I don't see a reason for those requests.
One thing is an IP connecting to the server and then the server asking for information about that IP's reputation.
Another thing is not a single IP connected and the DNS requests starting all over again.
 
Old 11-03-2018, 07:04 PM   #10
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
Well, I will not mark this thread as solved until I first try a few things.
Maybe tomorrow I will shut down all server services and see if this continues.
I am really curious to know where this comes from, and I hardly believe it is related to server services, because some of them use facebook and instagram and even adobe, none of which are related to IPs connecting to the server or its services.
I'll be back soon, and in the meantime if any of you know a good tool like netstat but for capturing UDP datagrams and the service behind them, let me know so I can test it here.

Thanks
 
Old 11-04-2018, 02:30 AM   #11
pedropt
Member
 
Registered: Aug 2014
Distribution: Devuan
Posts: 345

Original Poster
It looks like it really is related to spamassassin; however, the checks it is making are not related to emails I would be likely to receive, mostly because my email is private and only a few people have it.
So my guess is that this is spamassassin updating its rules or whatever.
 