Here is a short pcap with some DNS packets captured from a PC. The host sent two DNS requests, one to 8.8.8.8 and the other to 8.8.4.4. Its request to 8.8.8.8 didn't get a response, but it didn't retransmit. I wonder if this is normal behavior or some sort of indication of malware present on the PC. asked 02 Sep '15, 19:59 pktUser1001
One Answer:
I think it is normal, or at least it depends on the stack. It asks the secondary DNS as a fallback, and when that didn't work the queries are repeated. There is no reason at all to assume malware is present. answered 02 Sep '15, 23:39 Jasper ♦♦
When neither the primary nor the secondary DNS server responded, I thought it should retry on the primary DNS server, but this pcap showed it actually retried on the secondary DNS server. A little weird, but I agree; it's unlikely malware will go down to the business of actually generating DNS request packets.
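The thread turns on pairing each DNS query with its response and seeing which server the resolver fell back to. The script below is an added example, not code from the thread or from Wireshark; it builds a constructed sample capture (the client address 192.0.2.10, the transaction IDs, the names and the timestamps are all made up) in the same shape as the page's scenario, then matches queries to responses on (transaction ID, query name) and lists the servers that never answered. It assumes the resolver reuses the transaction ID when it retries on the other server, which is why the retry shows up as a second attempt on the same entry; a stack that picks a fresh ID per retry would show two entries instead.

```python
import struct
from collections import defaultdict

CLIENT = "192.0.2.10"  # constructed client address (RFC 5737 documentation range)


def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header + one A/IN question) for the sample."""
    flags = 0x8180 if response else 0x0100          # QR|RD|RA for a reply, RD only for a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN
    return header + question


def parse_dns(payload):
    """Return (transaction id, is_response, qname) from a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, i = [], 12                               # question section follows the 12-byte header
    while payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)


# Constructed sample capture: (seconds, src_ip, dst_ip, udp_payload).
# 8.8.8.8 never replies; the client falls back to 8.8.4.4 with the same transaction ID.
SAMPLE_PACKETS = [
    (0.000, CLIENT, "8.8.8.8", build_dns(0x1A2B, "example.com")),
    (1.002, CLIENT, "8.8.4.4", build_dns(0x1A2B, "example.com")),
    (1.031, "8.8.4.4", CLIENT, build_dns(0x1A2B, "example.com", response=True)),
    (2.500, CLIENT, "8.8.4.4", build_dns(0x3C4D, "example.org")),
    (2.524, "8.8.4.4", CLIENT, build_dns(0x3C4D, "example.org", response=True)),
]


def summarize(packets, client_ip):
    """Group the client's queries by name and record which server answered first.

    Responses are matched on (transaction id, qname, server); a resolver that
    retries with the same id shows up as several attempts on one entry.
    """
    summary = defaultdict(lambda: {"attempts": [], "answered_by": None, "rtt": None})
    sent_at = {}
    for t, src, dst, payload in sorted(packets, key=lambda p: p[0]):
        txid, is_response, qname = parse_dns(payload)
        if not is_response and src == client_ip:
            summary[qname]["attempts"].append((dst, txid))
            sent_at[(txid, qname, dst)] = t
        elif is_response and dst == client_ip:
            key = (txid, qname, src)
            if key in sent_at and summary[qname]["answered_by"] is None:
                summary[qname]["answered_by"] = src
                summary[qname]["rtt"] = round(t - sent_at[key], 3)
    return dict(summary)


def silent_servers(packets, client_ip):
    """Servers that received at least one query but never sent a response."""
    queried, responded = set(), set()
    for _, src, dst, payload in packets:
        _, is_response, _ = parse_dns(payload)
        if not is_response and src == client_ip:
            queried.add(dst)
        elif is_response and dst == client_ip:
            responded.add(src)
    return sorted(queried - responded)


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_PACKETS, CLIENT).items():
        print(name, info)
    print("no reply ever seen from:", silent_servers(SAMPLE_PACKETS, CLIENT))
```

To run this against a real capture, replace SAMPLE_PACKETS with the UDP/53 payloads exported from the pcap (for example via tshark's fields output) and keep the same tuple shape; a server that appears in silent_servers across many queries points at a reachability or filtering problem rather than anything on the host.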