Please have a look at this screenshot.

http://i.imgur.com/0rqCt.png?1

I am wondering why a local NetBIOS query would result in an outside, Colorado-based IP being returned.

Thanks,

Pluribus

asked 03 Jun '12, 12:54

pluribus


That's down to the name resolution done by IP 192.168.1.1, possibly your router. The two A records returned are 69.16.143.110 and 184.106.15.239, and neither of them seems to have much to do with the name "WORKGROUP", which comes from the default workgroup for a non-domain Windows machine.

Wireshark shows the subsequent SYN requests with destination "WORKGROUP" due to the A records returned by the preceding DNS queries populating the name cache.

Edit

The IP addresses returned from the query are due to the user's ISP hijacking DNS queries for unknown hosts. TimeWarner / RoadRunner dumbness.

answered 03 Jun '12, 13:47

grahamb ♦

edited 04 Jun '12, 01:47

Thanks for the rapid reply. I am not sure I understood fully.

In a nutshell are you saying the events are not related to a lookup for "workgroup?"

Is this normal behavior that I am just not grasping?

(03 Jun '12, 13:54) pluribus

Also when I do a

    ping workgroup
    PING workgroup (69.16.143.110) 56(84) bytes of data.

why would my DNS server resolve the word "workgroup" to anything? I am confused.

I just got it: this is part of my ISP's advertising; all unknown names return this landing page at 69.16.143.110.

OK, one mystery solved; time to edit resolv.conf to something a little better, like 8.8.8.8.

(03 Jun '12, 14:00) pluribus

Looks a little odd to me; why is your DNS resolver returning those A records? Does the machine at 192.168.1.1 run a full DNS resolver, or is it just forwarding queries?

(03 Jun '12, 14:01) grahamb ♦

192.168.1.1 is a wireless router. If you navigate to the IP it is sort of like an ad for the ISP. So, if I ping anything at all with no TLD it will resolve to that IP. It is odd imo too; the 192.168.1.1 has no DNS server enabled on it. When I changed /etc/resolv.conf to read 8.8.8.8 instead of localhost the issue went away. Now when I "ping workgroup" I get the message "unknown host."

If any behavior seems odd please let me know what tests I can run, because I have definitely been having strange experiences on the network lately, including a lot of BAD TCP traffic and some other alarming traffic.

(03 Jun '12, 14:06) pluribus

That'll be an ISP "enhancement" then: instead of returning "unknown host" as required, they return the IP address of a landing page to throw advertising at you.

Searching for "DNS landing page" will get you many similar complaints. What is your ISP?

(03 Jun '12, 14:11) grahamb ♦

TimeWarner / RoadRunner.

BTW, to test it, I changed my router's DNS servers to OpenDNS and Google.

Now when I ping workgroup I get this:

    PING workgroup (67.215.65.132) 56(84) bytes of data.
    64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=1 ttl=51 time=15.7 ms
    64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=2 ttl=51 time=15.0 ms

(03 Jun '12, 14:33) pluribus

That IP is another landing page; if you pop it into your browser, same idea. "Enhancement", not unlike the rootkit enhancement known as Computrace that has been put on millions of computers sold by HP, Dell, Lenovo, etc. All infected with a LoJack device from Absolute Software that can be turned into a trojan by an attacker. Gotta love the manufactured consent of all these wonderful enhancements.

Thanks to wireshark I am finding and eliminating all these enhancements one at a time.

(03 Jun '12, 14:33) pluribus

Those "enhancements" are a key feature of OpenDNS. They try to filter your DNS requests for typos, malware sites and other things. Based on the result they will return an IP address of a landing page (malware, unknown host, etc.) or the right web site (typo). It's kind of a managed, enhanced DNS. Some people love it, some hate it ;-) However, the behaviour of your ISP is plain dumb. Resolving a single host query (not a FQDN) to an external landing page is a really bad idea and calls for trouble.

(04 Jun '12, 01:27) Kurt Knochner ♦
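The thread above boils down to one check: a resolver that is asked for a name that does not exist should answer NXDOMAIN (RCODE 3), not NOERROR with A records pointing at a landing page. The following is an added example, not code from the original thread or from Wireshark, that parses DNS responses in wire format with the Python standard library and labels the landing-page pattern. The two sample messages and the 198.51.100.x addresses are constructed test data; the rule of flagging only single-label names such as "workgroup" is an assumption that mirrors this thread, a fuller check would also query a randomly generated name under a real domain.

```python
"""Classify DNS responses for a name that should not resolve (added example)."""
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, answers=()):
    """Build a minimal response: one question plus optional A records.

    The answer owner name is a compression pointer (0xC00C) back to the
    question, as real resolvers emit, so the parser's pointer path runs.
    """
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low nibble
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    body = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 60, 4) + rdata
    return header + question + body


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    resume_at = None  # where the caller continues after a pointer
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume_at is None:
                resume_at = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume_at if resume_at is not None else offset)


def parse_response(msg):
    """Return (rcode, question name, list of A-record IPv4 strings)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    qname = ""
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlength == 4:
            addresses.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlength
    return flags & 0x000F, qname, addresses


def classify(msg):
    """'nxdomain' is correct behaviour; 'hijack-suspect' is NOERROR plus
    A records for a single-label name, the landing-page pattern in this
    thread; anything else is 'answer'."""
    rcode, qname, addresses = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR and addresses and "." not in qname:
        return "hijack-suspect"
    return "answer"


# Constructed samples: an honest resolver and a landing-page resolver.
HONEST = build_response("workgroup", RCODE_NXDOMAIN)
HIJACKED = build_response("workgroup", RCODE_NOERROR,
                          ["198.51.100.10", "198.51.100.11"])

if __name__ == "__main__":
    for label, sample in (("honest", HONEST), ("landing page", HIJACKED)):
        print(label, "->", classify(sample), parse_response(sample)[2])
```

Against a live resolver, the same classifier can be fed the bytes of a UDP reply captured by Wireshark (Export Packet Bytes on the DNS layer) or sent over a socket; switching resolvers as the poster did and watching the label flip from "hijack-suspect" to "nxdomain" is the test the thread performed by hand with ping.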
question asked: 03 Jun '12, 12:54

question was seen: 4,770 times

last updated: 04 Jun '12, 01:47