This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have Wireshark running on Windows 7 x64. I created a Hosts file that maps specific domains to 127.0.0.1. I then 'ping'-ed each domain to make sure it returned 127.0.0.1. Nevertheless, Wireshark is capturing DNS requests and responses from my ISP's DNS server for these domains. How is that possible?

asked 21 Aug '11, 21:24

Farmisht
accept rate: 0%

edited 21 Aug '11, 21:53


Do you see forward or reverse DNS lookups to your ISP's DNS server? Wireshark itself will do reverse DNS lookups unless you explicitly tell it not to by disabling name resolution.

You can disable name resolution in Wireshark by going to "View -> Name Resolution" and then uncheck "Enable for Network layer".

answered 21 Aug '11, 22:36

SYN-bit ♦♦
accept rate: 20%

In particular, Wireshark, if built with adns or c-ares, will itself do reverse DNS lookups without going through the operating system's own host name/host address lookup code, so it might not pay attention to your hosts file.

(21 Aug '11, 22:50) Guy Harris ♦♦

Thanks for your help. Wireshark is recording Type A (Host Address) queries, which I believe are forward lookups.

Something suspicious is going on. It's always the same hostnames being queried, and they are queried in a specific order. Each hostname used to be queried thousands of times every day, until I added these domains to my hosts file. Now there are drastically fewer queries, but there should be none at all. Every malware scanner I've tried says I'm clean, but I'm not convinced of that.

(22 Aug '11, 20:35) Farmisht

The type A lookups that you still see, are they for fully qualified domain names that are also present in the hosts file? Is there a relation between the type A lookups and the domain search list that you have configured in your DNS settings?

(22 Aug '11, 22:15) SYN-bit ♦♦

I am seeing requests for FQDNs that are also in the hosts file, and these domains are being queried in numerical order every time. I truly appreciate your help; however, despite what the malware scanners say, I strongly suspect that I am botted. There were over 153,000 DNS lookups yesterday alone, and I am losing my internet connection frequently (which I believe is my ISP's response to all this). I have asked for help from the good folks at Bleeping Computer, and may have to format if I can't stay on the internet long enough to benefit from their advice.

EDIT: My ISP has assured me that they would not interfere with my internet connection without contacting me. I still believe my computer is compromised. I was able to use my router to block outbound access to the domains in question, and that apparently is working.

answered 24 Aug '11, 08:31

Farmisht
accept rate: 0%

edited 24 Aug '11, 19:05
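As an added example (not code from this Q&A, from Wireshark, or from either poster), the check a defender would run over the capture discussed above: split the observed queries into reverse (PTR) lookups, which Wireshark's own c-ares/adns resolver emits when name resolution is enabled, and forward (A/AAAA) lookups for names the hosts file should have answered locally, so they indicate a program resolving past the OS resolver. The line format ("qtype<TAB>qname", as a tshark field export would produce) and the sample hosts file and capture are constructed assumptions.

```python
"""Bucket captured DNS queries against a hosts file. Added example, not from the
Q&A; the input format ("qtype<TAB>qname" per line, as tshark -T fields
-e dns.qry.type -e dns.qry.name exports it) is an assumption."""
from collections import Counter
# Constructed sample hosts file using reserved placeholder domains.
HOSTS_TEXT = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   tracker1.example.invalid   # blocked on purpose
127.0.0.1   tracker2.example.invalid
"""
# Constructed capture export: qtype<TAB>qname (1=A, 12=PTR, 28=AAAA).
CAPTURE_TEXT = """\
1\ttracker1.example.invalid
1\ttracker2.example.invalid
12\t1.0.0.127.in-addr.arpa
12\t1.2.0.192.in-addr.arpa
1\twww.wireshark.org
28\ttracker1.example.invalid
1\ttracker1.example.invalid
"""
QTYPE = {1: "A", 28: "AAAA", 12: "PTR"}

def parse_hosts(text):
    """Return the set of names mapped in a hosts file, lower-cased."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2:
            names.update(n.lower() for n in fields[1:])
    return names

def classify(capture_text, hosts_names):
    """Count queries per (bucket, qname). 'reverse' = PTR lookups such as
    Wireshark's own resolver emits when name resolution is on; 'bypassed_hosts'
    = forward lookups for names the hosts file should have answered locally."""
    counts = Counter()
    for line in capture_text.splitlines():
        qtype, qname = line.split("\t", 1)
        qname = qname.rstrip(".").lower()
        kind = QTYPE.get(int(qtype), "OTHER")
        if kind == "PTR" or qname.endswith((".in-addr.arpa", ".ip6.arpa")):
            bucket = "reverse"
        elif kind in ("A", "AAAA") and qname in hosts_names:
            bucket = "bypassed_hosts"  # something resolved it past the OS resolver
        else:
            bucket = "forward"
        counts[(bucket, qname)] += 1
    return counts
```

Any non-zero "bypassed_hosts" count is the finding the thread is after: those names never should have been sent to the ISP's resolver, so the originating process, not Wireshark, is what to track down.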
