This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I don’t know what I don’t know. Kindly in need of help:

0

I've been running a WAMPP (XP SP3) server over the years on the same static IP # in a non-commercial environment -- charities, family, non-profits, etc. -- using Joomla! CMS environs, even dating back to Mambo CMS days. Unfortunately I did not take the *nix route in the initial days of web server learning experience which has been costly in terms of security and vulnerability. My typical security/attack response is an after-the-attack damage control as opposed to successful prevention. This is largely due to my ignorance.

In short, I'm experiencing 'oddities' once again and ran Wireshark (newbie user) to find several dns (53) and other connections that are concerning (non-unicasts, etc.) and kindly hope one can offer me some insight. I use Comodo Secure DNS servers and at boot found these:

1   0.000000    192.168.2.103   156.154.70.22   DNS Standard query A 2o7.net
3   0.078757    192.168.2.103   156.154.70.22   DNS Standard query A hwcdn.net
5   0.121389    192.168.2.103   156.154.70.22   DNS Standard query A test.mockett.com
9   0.314756    192.168.2.103   156.154.70.22   DNS Standard query A host57.objectsciences.com (serveral objectsciences.com)
13  0.539002    192.168.2.103   156.154.70.22   DNS Standard query A RWTH-Aachen.DE
29  1.108054    192.168.2.103   156.154.70.22   DNS Standard query A nano2.dc.ukrtelecom.ua
and so on...Please pardon me for I don't know what I don't know but these queries look alarming to me. Thank you in advance - SL

asked 06 Oct '10, 13:20

Sandl's gravatar image

Sandl
1111
accept rate: 0%

edited 06 Oct '10, 13:51

Jaap's gravatar image

Jaap ♦
11.7k16101


2 Answers:

0

Hi Sandi...

The first step in determining if these truly are "oddities" is to identify the typical use of the domain names. For example, 2o7.net resolves for use by Adobe (see www.omniture.com/en/privacy/2o7?f=2o7). You can do some research on the domain names (or even do lookups by IP address using domaintools.com - I like this site and use it for traceback/reconnaissance work). hwcdn.net doesn't appear to be in use at the current time, however.

So... step 1 - is 156.154.70.22 the correct DNS server to go to? Step 2 - do some research on the domains to see if you can figure out why a client is looking for them. Step 3 - does your client connect/talk with the IP addresses offered in any DNS responses? Can you tell the purpose of that conversation (e.g., updating virus detection info).

I'll tell you that so many processes run automatically in the background that it often feel alarming when it's just normal "junk" - for example, I use Firefox with some plugins and when I launch my browser (not even looking at a site), the plugins connect to various sites to get updates. Messy, but harmless.

Regardless, better safe than sorry.

answered 06 Oct '10, 19:11

lchappell's gravatar image

lchappell ♦
1.2k2730
accept rate: 8%

... or use dns lookup tools like Network-Tools.com: http://network-tools.com/

(07 Oct '10, 01:43) joke

0

Please be aware that Wireshark itself does reverse lookups to show hostnames instead of IP addresses. For each packet it receives from a host it has not seen before, it will do a reverse lookup. So (many of) these DNS requests might have been there because you are running Wireshark.

You can disable name resolution in Wireshark under "View -> Name Resolution", there you can deselect "Enable for Network Layer".

Does this lower the amount of DNS requests to a normal level?

If not, have a look at the configuration of your webserver logging. Webserver logging often also has the possibility of logging hostnames instead of IP addreses, so the source might be that too. In which case you need to find out how to dissable name resolving for your webserver.

answered 06 Oct '10, 23:51

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%