I was checking a proxied program for DNS leaks with tshark when I noticed this:
where [hostname] is the hostname of the machine the program and tshark are running on, 10.0.2.15 is the local machine, and 192.168.1.1 is the router.
Why does the computer look up its own hostname and how can I prevent this from leaking information about the computer?
Note that changing the hostname once is not useful since an (untrusted) proxy knows that it is the same computer connecting every time since the computer sends the same hostname.
asked 09 Feb '13, 10:13
edited 09 Feb '13, 10:14
Hard to say; you'd probably have to find out what program/service does this.
One explanation could be that you've turned on the network name resolution feature in the profile you're using, which will lead to tshark/Wireshark contacting the DNS server to find out FQDNs of IP addresses. Did you check if you can also see PTR record queries? Wireshark seems to do an A record query after a successful PTR answer was received to verify if the information works both ways.
Depending on your OS you could try to find the program using a socket to connect to the DNS server, maybe using a tool like Process Monitor from Sysinternals. I tried it just now, and if you only let it show network activity and have Wireshark/tshark running at the same time you can match port numbers to find the process that triggered the query. netstat might work too, but I doubt that the UDP port will be listed there long enough to get a good reading.
answered 09 Feb '13, 11:53
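The port-matching approach from the answer, written out as a small script. This is an added example, not code from the original thread. It assumes DNS queries were exported with `tshark -Y "dns.flags.response == 0" -T fields -E separator=/t -e frame.time_relative -e ip.src -e udp.srcport -e dns.qry.type -e dns.qry.name` and that a `ss -uanp` snapshot was taken on the same Linux host while the capture ran; both inputs below are constructed samples, and the hostname, process name and PID in them are invented. The script flags queries whose name is the local hostname (including a label-qualified form such as `host.local`), then attributes each flagged query to the process that owned the UDP source port at snapshot time.

```python
"""Flag DNS queries that carry the local hostname and attribute them to a process.

Added example (not from the original Q&A). Assumes tab-separated tshark field
output (queries only) and an `ss -uanp` snapshot from the same moment.
"""
import re

# Constructed sample: tshark fields time, src IP, UDP src port, query type, query name.
TSHARK_OUTPUT = """\
0.000123\t10.0.2.15\t51234\t1\tmyhost.local
0.004567\t10.0.2.15\t51234\t28\tmyhost.local
1.200000\t10.0.2.15\t40021\t1\texample.com
2.500000\t10.0.2.15\t40022\t12\t1.1.168.192.in-addr.arpa
"""

# Constructed sample: `ss -uanp` output with the owning process of each UDP socket.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      10.0.2.15:51234      0.0.0.0:*         users:(("proxiedapp",pid=4321,fd=7))
UNCONN 0      0      10.0.2.15:40022      0.0.0.0:*         users:(("tshark",pid=4400,fd=5))
"""

# Numeric DNS query types as tshark prints them.
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}


def parse_tshark(text):
    """Return one dict per DNS query line (time, src, sport, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, qtype, qname = line.split("\t")
        records.append({
            "time": float(t),
            "src": src,
            "sport": int(sport),
            "qtype": QTYPE_NAMES.get(int(qtype), qtype),
            "qname": qname.rstrip(".").lower(),
        })
    return records


# Local port, then peer column, then the users:(("name",pid=N ...)) field.
_SS_RE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Map local UDP source port -> (process name, pid) from an ss snapshot."""
    ports = {}
    for line in text.splitlines():
        m = _SS_RE.search(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return ports


def hostname_leaks(records, hostname):
    """Queries whose name is the hostname itself or hostname.<suffix>."""
    h = hostname.lower()
    return [r for r in records
            if r["qname"] == h or r["qname"].startswith(h + ".")]


def attribute(records, port_map):
    """Attach the owning process, if the snapshot caught the socket."""
    out = []
    for r in records:
        proc = port_map.get(r["sport"])
        out.append({**r,
                    "process": proc[0] if proc else None,
                    "pid": proc[1] if proc else None})
    return out


if __name__ == "__main__":
    recs = parse_tshark(TSHARK_OUTPUT)
    leaks = attribute(hostname_leaks(recs, "myhost"), parse_ss(SS_OUTPUT))
    for q in leaks:
        print(f"{q['time']:8.3f}s {q['qtype']:<4} {q['qname']} "
              f"from port {q['sport']} -> {q['process']} (pid {q['pid']})")
```

Because the UDP socket only exists for the lifetime of the query, the `ss` snapshot has to be taken while the process is actually resolving; running it in a tight loop (or using Process Monitor's network events on Windows, as the answer suggests) is more reliable than a single run. A query for the bare hostname or `hostname.local` from a process that should only talk to the proxy is the signal to look for.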