This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mysterious DNS query to sites?

0

I'm not sure what's going on. I was just using Wireshark on my home network, and I know everyone's assigned local IP address. I just wanted to see what sites everyone on my network was on, so I applied a DNS filter, and noticed that my IP (192.168.1.100) was pulling in all these responses from sites I don't even get on. For example: www.paypal.com, staysafeonline.org, www.verizon.com.edgekey.net, e2546.g.akamaiedge.net, www.softlayer.com, www.qualys.com, twitter.com, facebook, ... and I can go on, but my point is I wasn't going on these sites, and some of them I never even heard of. This was all going on with one single session. (By the way, I know this is my IP for a fact; I log in to my Linksys router daily.)

Is this normal?

What and why is this happening?

Should I worry?

What can I do to fix it?

asked 27 Oct '11, 08:22

dreaddrew

edited 27 Oct '11, 08:44


2 Answers:

3

Everything is looking fine - might be just ads or whatever your favorite Instant Messenger / Social Network / P*** Site is getting to show you somewhere on the page.

No, honestly, are you sure you never visit a site? It can be a reference from any website pulling a picture, an advertisement or whatever from another domain's server - that's why you might see lots of sites you "never visit".

answered 27 Oct '11, 08:33

Landi

edited 27 Oct '11, 08:35

Even if the source is coming from my IP, and the destinations are these sites? And why is my IP sending these DNS queries out without my knowledge? (I'm running a Linux OS and the distro is Ubuntu.)

(27 Oct '11, 08:40) dreaddrew

The Akamai domain is an advertising endpoint -- they serve ads on websites that you visit, so your computer will have to look up that domain when a webpage contains an ad from that network. Likewise, any website with a Like button for Facebook will look up Facebook (whether or not you use that service).

This behavior is perfectly normal. If you can eliminate all processes accessing the Internet (web browsers, desktop widgets, Wireshark), and still see these lookups, that could be an issue. As it stands, it appears you have nothing to worry about.

(27 Oct '11, 08:49) multipleinte...

I was thinking it was probably an ad too, but the page I got on had no ads on it, and I never use or went on www.paypal.com or ever saw an ad for it. And this came on only in one session that I stopped after 6 minutes.

(27 Oct '11, 08:51) dreaddrew

Are you certain there were no ads -- even ads that were not visible in your browser (this is the behavior of some popular ad-blocking software: the ads are still requested, but thrown away before being rendered on the page)? The request to www.paypal.com could have come from a Donate button or similar provided on a page you requested. As I said above, unless this happens and you are 100% certain that your computer should not be requesting any URLs except for the ones you want (which is practically impossible and cripples your Internet experience), this is perfectly normal behavior.

(27 Oct '11, 12:52) multipleinte...

0

Are you capturing with the capture option "Enable network name resolution" turned on? If so, and your capture is picking up packets from other machines on your local network to those remote machines, then Wireshark will be causing your machine to issue DNS requests for all the IPs that it sees in the capture in an attempt to resolve them to names.

answered 27 Oct '11, 08:40

grahamb ♦

edited 27 Oct '11, 08:41

No, I have that option turned off.

(27 Oct '11, 08:43) dreaddrew
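
One way to check which of the two explanations in this thread fits a capture, as an added example that is not part of the original posts: split each client's DNS queries into forward lookups (A/AAAA, what a browser or other application issues for page content) and reverse PTR lookups (what a resolver of captured IP addresses issues). It assumes the queries were exported as tab-separated fields with `tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.type -e dns.qry.name`; the file name and all sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample of the tshark field export described above
# (ip.src, dns.qry.type, dns.qry.name). Not data from the original post.
SAMPLE = """\
192.168.1.100\t1\twww.paypal.com
192.168.1.100\t1\ttwitter.com
192.168.1.100\t28\ttwitter.com
192.168.1.100\t12\t34.216.184.93.in-addr.arpa
192.168.1.100\t12\t10.1.168.192.in-addr.arpa
192.168.1.101\t1\twww.qualys.com
malformed line
"""

PTR = 12  # DNS record type used for reverse (IP -> name) lookups


def ptr_to_ip(name):
    """Turn '34.216.184.93.in-addr.arpa' back into '93.184.216.34'."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4]
    if not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(text):
    """Per client: names looked up forward, and IPs that were reverse-resolved."""
    out = defaultdict(lambda: {"forward": set(), "reverse": set()})
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip blank or malformed rows
        src, qtype, name = parts[0], int(parts[1]), parts[2]
        if qtype == PTR:
            out[src]["reverse"].add(ptr_to_ip(name) or name)
        else:
            out[src]["forward"].add(name.lower().rstrip("."))
    return dict(out)


if __name__ == "__main__":
    for client, seen in sorted(summarize(SAMPLE).items()):
        print(client, "forward:", sorted(seen["forward"]))
        print(client, "reverse:", sorted(seen["reverse"]))
```

A capturing host whose queries are mostly PTR lookups for addresses seen in other machines' traffic matches the name-resolution explanation; forward lookups for names like www.paypal.com come from software running on that host.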