# hosts try to use external dns instead of local



## kondziq (Jun 18, 2010)

Hi, 

My FreeBSD server uses dhcpd and gives everyone a DNS address of 192.168.1.1 (itself). If I nslookup something, it answers from my FreeBSD box, which is fine. Everything basically works, but I keep getting this in my pf logs: 

```
15:01:41.340224 rule 0/0(match): block in on rl1: 192.168.1.24.36389 > 192.36.148.17.53: [|domain]
15:01:42.340224 rule 0/0(match): block in on rl1: 192.168.1.24.36390 > 192.203.230.10.53: [|domain]
15:01:43.341032 rule 0/0(match): block in on rl1: 192.168.1.24.36390 > 192.203.230.10.53: [|domain]
15:01:44.341259 rule 0/0(match): block in on rl1: 192.168.1.24.36391 > 192.58.128.30.53: [|domain]
15:01:45.341334 rule 0/0(match): block in on rl1: 192.168.1.24.36391 > 192.58.128.30.53: [|domain]
15:01:46.341194 rule 0/0(match): block in on rl1: 192.168.1.24.36392 > 192.5.5.241.53: [|domain]
15:01:47.341327 rule 0/0(match): block in on rl1: 192.168.1.24.36392 > 192.5.5.241.53: [|domain]
15:01:54.839945 rule 0/0(match): block in on rl1: 192.168.1.24.36393 > 192.5.5.241.53: [|domain]
15:01:55.840137 rule 0/0(match): block in on rl1: 192.168.1.24.36393 > 192.5.5.241.53: [|domain]
15:01:56.840138 rule 0/0(match): block in on rl1: 192.168.1.24.36394 > 192.36.148.17.53: [|domain]
15:01:57.840101 rule 0/0(match): block in on rl1: 192.168.1.24.36394 > 192.36.148.17.53: [|domain]
```
It tries to connect to different addresses every single second every time it's on. Now why would it do that? Why does it try to query some external address instead of the local one? This person uses www mainly, and has no problems whatsoever. His 'ipconfig /all' shows a DNS of 192.168.1.1. Any ideas what might be going on there?

Thanks, 
K.


----------



## SirDice (Jun 18, 2010)

Those are root servers. Are you sure that machine isn't running its own DNS server?


----------



## kondziq (Jun 18, 2010)

Pretty sure. That's a laptop and its owner does not even know what DNS is, so I really doubt he's using some sort of fancy apps. I wonder though if the software he uses (perhaps some weird browser) could force using an external DNS. I need to underline as well that the addresses you see above are only a few examples. There are tons of others as well. 

Thanks,
K.


----------



## SirDice (Jun 18, 2010)

Make sure the DNS server on 192.168.1.1 is configured properly too. If they're windows clients make sure they're not set to use preferred DNS servers. This will overrule anything set by DHCP.


----------



## DutchDaemon (Jun 18, 2010)

What OS is running on it? Does it have a resolv.conf? Do the DHCP settings show up in relevant configuration files? Does he actually use DHCP, or is the .24 address configured manually?


----------



## kondziq (Jun 18, 2010)

> If they're windows clients make sure they're not set to use preferred DNS servers. This will overrule anything set by DHCP.


You mean if they don't have DNS put in manually? 



> What OS is running on it?


XP



> Does it have a resolv.conf?


hm... not that I'm aware of



> Do the DHCP settings show up in relevant configuration files?


What files, for example? If I type in 'ipconfig /all' everything looks good.



> Does he actually use DHCP, or is the .24 address configured manually?


DHCP for sure.

K.


----------



## SirDice (Jun 18, 2010)

The preferred DNS servers are set in the TCP/IP configuration. If those are set they will overrule DHCP. But then they would also show up with 'ipconfig /all'.

Try using tcpdump to capture that DNS traffic. Perhaps you can get some clues if you know what those clients are trying to resolve.


----------



## kondziq (Jun 18, 2010)

The above is copied from tcpdump actually. It looks exactly the same in logs. 
I run this:


```
tcpdump -n -e -i pflog0
```

K.


----------



## DutchDaemon (Jun 18, 2010)

Try a bigger snap length and more verbose output:

`tcpdump -XXXX -s 0 -pnli pflog0`


----------



## kondziq (Jun 18, 2010)

Wow... no idea how to read this thing  


```
17:12:35.841617 IP 192.168.1.24.40488 > 192.203.230.10.53: 16433 A? wpalux.com. (28)
        0x0000:  3d02 0100 726c 3100 0000 0000 0000 0000  =...rl1.........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 ffff ffff ffff ffff  ................
        0x0030:  a086 0100 0000 0000 8fd0 0000 0100 0000  ................
        0x0040:  4500 0038 0001 0000 8011 d21d c0a8 0118  E..8............
        0x0050:  c0cb e60a 9e28 0035 0024 8cbc 4031 0000  .....(.5.$..@1..
        0x0060:  0001 0000 0000 0000 0677 7061 6c75 7803  .........wpalux.
        0x0070:  636f 6d00 0001 0001                      com.....
17:12:36.843280 IP 192.168.1.24.40488 > 192.203.230.10.53: 16433 A? wpalux.com. (28)
        0x0000:  3d02 0100 726c 3100 0000 0000 0000 0000  =...rl1.........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 ffff ffff ffff ffff  ................
        0x0030:  a086 0100 0000 0000 8fd0 0000 0100 0000  ................
        0x0040:  4500 0038 0002 0000 8011 d21c c0a8 0118  E..8............
        0x0050:  c0cb e60a 9e28 0035 0024 8cbc 4031 0000  .....(.5.$..@1..
        0x0060:  0001 0000 0000 0000 0677 7061 6c75 7803  .........wpalux.
        0x0070:  636f 6d00 0001 0001                      com.....
17:12:37.844698 IP 192.168.1.24.40489 > 192.33.4.12.53: 16434 A? wpalux.com. (28)
        0x0000:  3d02 0100 726c 3100 0000 0000 0000 0000  =...rl1.........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 ffff ffff ffff ffff  ................
        0x0030:  a086 0100 0000 0000 8fd0 0000 0100 0000  ................
        0x0040:  4500 0038 0003 0000 8011 b4c4 c0a8 0118  E..8............
        0x0050:  c021 040c 9e29 0035 0024 6f63 4032 0000  .!...).5.$oc@2..
        0x0060:  0001 0000 0000 0000 0677 7061 6c75 7803  .........wpalux.
        0x0070:  636f 6d00 0001 0001                      com.....
17:12:38.866100 IP 192.168.1.24.40489 > 192.33.4.12.53: 16434 A? wpalux.com. (28)
        0x0000:  3d02 0100 726c 3100 0000 0000 0000 0000  =...rl1.........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 ffff ffff ffff ffff  ................
        0x0030:  a086 0100 0000 0000 8fd0 0000 0100 0000  ................
        0x0040:  4500 0038 0004 0000 8011 b4c3 c0a8 0118  E..8............
        0x0050:  c021 040c 9e29 0035 0024 6f63 4032 0000  .!...).5.$oc@2..
        0x0060:  0001 0000 0000 0000 0677 7061 6c75 7803  .........wpalux.
        0x0070:  636f 6d00 0001 0001                      com.....
```
Hope that will tell you more than it told me ;] If you want more, I have a 5-minute sample in a txt file I can upload to ftp. 

Thanks,
K.


----------



## DutchDaemon (Jun 18, 2010)

Something is endlessly trying to get an A record for wpalux.com, which is a non-existing domain. It does sound a bit spammy though. Has this host recently been disinfected / de-trojaned, etc.? Something may be trying to fly under the radar here.


----------



## kondziq (Jun 18, 2010)

Well, this is a laptop with a probably very old system, although using some antivirus soft. Anyway, what I'll do is get that laptop and perhaps try to find some infections. 

Thanks for help, need to go now and catch a flight back to UK, lol. I'll drop another msg tomorrow when I'm back home and will get my hands on that possibly infected machine. 

Thanks again, 
K.


----------



## SirDice (Jun 18, 2010)

DutchDaemon said:

> Something is endlessly trying to get an A record for wpalux.com, which is a non-existing domain. It does sound a bit spammy though. Has this host recently been disinfected / de-trojaned, etc.? Something may be trying to fly under the radar here.



Yes, that sounds quite plausible. 

Should be quite interesting though. It would mean the malware uses its own resolving mechanism, circumventing the one used by the system. Winsock programming isn't that different from BSD sockets, so APIs that do name resolving use the hosts file and the configured DNS servers. 

But hardly surprising. Malware has been bypassing the configured mailserver and delivering mail itself for years now.


----------
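The pattern in this thread (a LAN host sending port-53 traffic to root servers instead of the dhcpd-advertised resolver) can be pulled out of pflog/tcpdump output automatically. The script below is an added example, not something posted in the thread; the log lines it parses are constructed in the shape of the ones above, and the resolver address 192.168.1.1 is the one the thread describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the thread's pflog/tcpdump output:
# two blocked lookups to root servers, one legitimate lookup to the local
# resolver, and two verbose lines that include the queried name.
SAMPLE_LOG = """\
15:01:41.340224 rule 0/0(match): block in on rl1: 192.168.1.24.36389 > 192.36.148.17.53: [|domain]
15:01:42.340224 rule 0/0(match): block in on rl1: 192.168.1.24.36390 > 192.203.230.10.53: [|domain]
15:01:50.120000 rule 0/0(match): pass in on rl1: 192.168.1.31.52011 > 192.168.1.1.53: [|domain]
17:12:35.841617 IP 192.168.1.24.40488 > 192.203.230.10.53: 16433 A? wpalux.com. (28)
17:12:37.844698 IP 192.168.1.24.40489 > 192.33.4.12.53: 16434 A? wpalux.com. (28)
"""

LOCAL_RESOLVER = "192.168.1.1"  # the address dhcpd hands out in the thread

# "src.sport > dst.53:" with an optional trailing "<id> A? name." query part,
# which only appears when tcpdump is run with a large enough snap length.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53:(?: \d+ A\? (?P<qname>\S+))?"
)

def parse_dns_lines(text):
    """Yield (src, dst, qname or None) for every port-53 line in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("qname")

def find_bypassing_hosts(text, resolver=LOCAL_RESOLVER):
    """Map each host that sends DNS anywhere but the resolver to the
    destinations it used (with counts) and the names it asked for."""
    report = defaultdict(lambda: {"dests": Counter(), "names": set()})
    for src, dst, qname in parse_dns_lines(text):
        if dst == resolver:
            continue  # normal client behaviour, not interesting
        report[src]["dests"][dst] += 1
        if qname:
            report[src]["names"].add(qname.rstrip("."))
    return dict(report)

if __name__ == "__main__":
    for host, info in find_bypassing_hosts(SAMPLE_LOG).items():
        print(host, "->", dict(info["dests"]), "queried:", sorted(info["names"]))
```

On the sample, only 192.168.1.24 is reported, with four lookups spread over three root servers and a single queried name, which is the shape of the behaviour DutchDaemon flagged as suspicious.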

