
Weird DNS queries captured with Wireshark


10 replies to this topic

#1 user1000000

  • Members
  • 21 posts

Posted 31 August 2010 - 03:02 PM

Hi! I've been using Wireshark and reading about it, but I wanted to ask you guys for some help. I've captured a few DNS queries that just don't look right to me. I've googled about this, but it's been difficult because the strange queries don't even have an IP address or name. The lines in Wireshark read something like this:

105 7.702967 192.168.1.2 156.154.70.22 DNS Standard query A idjbqddtkn.lan
106 7.703266 192.168.1.2 156.154.70.22 DNS Standard query A fjakwvjsij.lan
107 7.705037 192.168.1.2 156.154.70.22 DNS Standard query A zsrhyyjarh.lan

and then are immediately followed by three corresponding answers like these:

108 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name
109 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name
110 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name

I'm attaching a JPEG file. I didn't upload the Wireshark file because it's just a bit over 512k, so if needed, I can gladly submit it.

The operating system I'm using is Windows XP Professional with SP3, and it's updated as of today. What I did to get that capture was simply open up Wireshark, and then open up my Google Chrome v. 5.0.375.127 browser. After the usual home page, I came to bleepingcomputer.

Thanks a lot in advance for your help! I'll keep googling about this, but until now I haven't found a match to my situation. :thumbsup:
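As an added example (not part of the original post), here is a small detector for the pattern in this capture: a burst of random-looking single-label names from one client, each answered with NXDOMAIN. Three random 10-letter names right after a browser launch are a well-known benign startup probe that Chromium sends to detect DNS hijacking, but the same shape is what domain-generation malware produces, so a rule like this is worth running over DNS logs; the sample lines are the ones quoted above plus one constructed normal query, and the randomness score is a coarse heuristic, not a classifier.

```python
import re
from collections import defaultdict

# Constructed sample: the Wireshark summary lines quoted in the post, plus one normal query.
CAPTURE = """\
105 7.702967 192.168.1.2 156.154.70.22 DNS Standard query A idjbqddtkn.lan
106 7.703266 192.168.1.2 156.154.70.22 DNS Standard query A fjakwvjsij.lan
107 7.705037 192.168.1.2 156.154.70.22 DNS Standard query A zsrhyyjarh.lan
108 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name
109 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name
110 7.830126 156.154.70.22 192.168.1.2 DNS Standard query response, No such name
200 9.100000 192.168.1.2 156.154.70.22 DNS Standard query A www.bleepingcomputer.com
"""

# Groups: frame, time, source, destination, queried name
QUERY = re.compile(r"^(\d+) ([\d.]+) (\S+) (\S+) DNS Standard query A (\S+)$")
# Groups: frame, time, server, client (destination is the client that asked)
NXDOMAIN = re.compile(r"^(\d+) ([\d.]+) (\S+) (\S+) DNS Standard query response, No such name$")

def looks_random(label: str) -> bool:
    """Cheap DGA-style heuristic: a long, purely alphabetic label with few vowels."""
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 8 and label.isalpha() and vowels / len(label) < 0.35

def find_bursts(text: str, window: float = 1.0, min_count: int = 3):
    """Return (client, [names]) for clients that fired at least min_count random-looking
    queries within `window` seconds and received at least that many NXDOMAIN replies."""
    queries = defaultdict(list)   # client -> [(time, queried name)]
    nxdomain = defaultdict(int)   # client -> number of "No such name" replies
    for line in text.splitlines():
        if m := QUERY.match(line):
            host = m.group(5)
            if looks_random(host.split(".")[0]):
                queries[m.group(3)].append((float(m.group(2)), host))
        elif m := NXDOMAIN.match(line):
            nxdomain[m.group(4)] += 1
    hits = []
    for client, qs in queries.items():
        first, last = qs[0][0], qs[-1][0]
        if len(qs) >= min_count and last - first <= window and nxdomain[client] >= len(qs):
            hits.append((client, [host for _, host in qs]))
    return hits

if __name__ == "__main__":
    for client, names in find_bursts(CAPTURE):
        print(f"{client}: {len(names)} random-looking NXDOMAIN queries in one burst: {names}")
```

A burst that matches once per browser start is the benign case; the same rule firing repeatedly, or on names under a real registrable domain, is what should be escalated.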


#2 Barajiqal

  • Members
  • 127 posts
  • Gender:Male

Posted 31 August 2010 - 03:47 PM

Do you by chance use comodo firewall??

156.154.70.22: that is listed as Comodo's preferred DNS server? Please correct me if I'm wrong on this; I'm not an avid Comodo user :thumbsup:

-bar
"I am Become Death, Destroyer of Worlds" - (Verse 32 Chapter 11 of the Bhagavad Gita) Robert J Oppenheimer

"Any Man Who Has a Habit and Cannot Bear to Share it Should not Have the Habit at All" - Misquote From Roland of Gilead in the Stephen King Series The Dark Tower

#3 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 31 August 2010 - 04:05 PM

Barajiqal, thanks for pointing that out! Sorry, I forgot to mention that important detail. Yes, I do use Comodo Firewall and I use the Comodo secure DNS servers 156.154.70.22 and 156.154.71.22.

The IP address for the DNS servers is then accounted for. What really bothers me is those weird xxxxxxxxxx.lan names making DNS queries.

I'll be looking forward to your answer!

#4 Grinler
    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 31 August 2010 - 04:10 PM

Don't understand them myself. When they happen, can you see which process is performing the UDP DNS query in TCPView?

#5 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 31 August 2010 - 05:10 PM

Hey Grinler! Nice to talk to you again. Sadly, I haven't been able to. It happened fast. Would the Wireshark file help?

#6 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 31 August 2010 - 06:19 PM

Hi Grinler, there has been a new development: the DNS queries haven't happened again, but what I noticed twice already is this: I unplug my internet cable, open Wireshark, and once I plug the internet cable back into my PC, the following weird lines showing NBSTAT queries using the NBNS protocol (NetBIOS, right?) appear in the captures:

113 44.613546 192.168.1.4 192.168.1.255 NBNS Name query NB EYEVNWQMZT<00>
115 44.622716 192.168.1.4 192.168.1.255 NBNS Name query NB BTGQNYGYMC<00>
117 44.626098 192.168.1.4 192.168.1.255 NBNS Name query NB HYLUDZJJSY<00> ...

...and several more like these. I may sound paranoid here, but what worries me is that I read about NetBIOS and it's one of the most exploited services in Windows to gain access to networks and computers. Do you think this is what is happening here? It makes me wonder why an IP of 192.168.1.255 is making queries. The allowed pool for my home PCs is from 2 to 5 only, with 1 as the router, so 255 doesn't make sense to me.

This time I'm uploading both Wireshark captures that show these weird NBNS lines; they were small enough to upload, and I included them in one zip file. The second capture not only shows these weird names, but also other NBNS activity involving a lot of double zeroes: NBSTAT <00><00><00> etc...

This time I was watching TCPView and Wireshark simultaneously, but in TCPView nothing unusual happened.

Thanks again for your help, I really appreciate it, considering I've been verbose lately, hahaha, and that last issue was no threat. But anyways, let's hope this one has also a legit explanation.


#7 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 01 September 2010 - 07:14 PM

Found a bit of time to google address 192.168.1.255, and it's a broadcast address. Still, the seemingly random names that appear in the NBSTAT queries make me wonder. I haven't found a similar case in Google yet. Will keep reading.

#8 cryptodan
    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 05 September 2010 - 01:52 PM

If they are DNS servers, they have no entries in the world of DNS:

cryptodan@cryptodan:/home/hlds/public_html$ nslookup 156.154.70.22
Server:		 71.252.0.12
Address:		71.252.0.12#53

** server can't find 22.70.154.156.in-addr.arpa.: NXDOMAIN

A proper DNS server would be reachable and have the following:
cryptodan@cryptodan:/home/hlds/public_html$ nslookup 71.252.0.12
Server:		 71.252.0.12
Address:		71.252.0.12#53

Non-authoritative answer:
12.0.252.71.in-addr.arpa		name = nsrest01.verizon.net.

Authoritative answers can be found from:

cryptodan@cryptodan:/home/hlds/public_html$

So I would advise you stop using the Secure DNS Servers and use your ISP's.

Edited by cryptodan, 05 September 2010 - 01:53 PM.


#9 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 06 September 2010 - 09:45 AM

Hi Cryptodan, thank you very much for taking the time to investigate this and for your reply. Just to be sure I understand what you did: it was a reverse DNS lookup of the IP address, right? I did this on a few websites, the top eight that appear in Google search results, and only two out of eight show an answer (ultradns.org); most of them can't resolve the reverse lookup. Interesting that the secure servers from the vendor I'm using behave that way; I will try to get an opinion from them as to why this happens. On the positive side, I've learned one more thing about my network :thumbsup: Thanks again for your help, and have a great week everyone!

#10 Grinler
    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 06 September 2010 - 12:34 PM

Sorry for the delay in getting back to you. When NetBIOS queries a name it will broadcast it to the entire network, so every computer sees the request and can respond that they are there. When you attempt to resolve a name with no TLD assigned (i.e. .com, .net, .biz, etc.), it will first attempt to resolve the host name via a NB query rather than a DNS query. For example, if you go to your browser, type wibblewobble and nothing else into the address bar and press enter, you will see a NB query for wibblewobble trying to be resolved.

This could also happen on web sites that are not configured properly. For example, http://www.bleepingcomputer.com/nb/index.html is a test page I made to show this. If I add an img src to something like this:

<img src="http://asdasdasdasd">

It will try to load the image when you visit, but since there is no TLD, Windows will use a NB query to try to resolve it.

Now to your random entries. I just looked at your PCAPs and my guess is these random entries are either apps not using fully qualified hostnames for some reason, or web sites containing erroneous links. If you do not need NetBIOS over TCP/IP, you can disable it by going into your adapter settings, double-clicking on TCP, clicking Advanced, clicking on WINS, and selecting "Disable NetBIOS over TCP/IP".

Personally, I do not think there is anything nefarious going on.
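As an added example (not Grinler's code and not from the thread), here is what one of those broadcast NB name queries looks like on the wire: the name is padded with spaces to 15 bytes, the <00> workstation-service suffix Wireshark shows is appended, the 16 bytes are split into the 32-letter first-level encoding of RFC 1001, and the result is wrapped in the NBNS query header that is sent to the subnet broadcast address on UDP 137. The builder and parser round-trip the names from the capture; the transaction ID is a constructed value.

```python
import struct

NBNS_PORT = 137                # UDP port NBNS uses
BROADCAST = "192.168.1.255"    # subnet broadcast address seen in the capture above
SUFFIX_WORKSTATION = 0x00      # the <00> Wireshark appends to each queried name

def encode_nb_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): upper-case, pad with spaces to
    15 bytes, append the 1-byte suffix, then write every nibble as a letter A..P."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))

def decode_nb_name(encoded: bytes):
    """Reverse of encode_nb_name: returns (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_nb_query(name: str, txid: int = 0x8000) -> bytes:
    """NBNS NAME QUERY REQUEST as a host broadcasts it for a dot-less name.
    txid is a constructed value; a real client picks its own."""
    flags = 0x0110   # opcode QUERY, recursion desired, broadcast (B) bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QD=1, AN=NS=AR=0
    qname = b"\x20" + encode_nb_name(name) + b"\x00"   # one 32-byte label, root terminator
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN

def parse_nb_query(pkt: bytes) -> dict:
    """Pull the fields a detection rule would look at out of a query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nb_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    for n in ("EYEVNWQMZT", "BTGQNYGYMC", "wibblewobble"):
        pkt = build_nb_query(n)
        print(f"{n:>14} -> {len(pkt)} bytes to {BROADCAST}:{NBNS_PORT}", parse_nb_query(pkt))
```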

#11 user1000000
  • Topic Starter
  • Members
  • 21 posts

Posted 08 September 2010 - 03:52 PM

Hi Grinler! No worries, I'm just thankful to be able to consult with so many people who are willing to help someone who is willing to learn :thumbsup: !
First of all, thank you for your answers; I learn a lot from them. Second, thank you for taking the time to review the Wireshark captures. That gives me peace of mind, and my guess is that other bleepingcomputer users can benefit from the information gathered in my posts. Thank you for your recommendation about NetBIOS; I have already disabled it as a service and on each of my interfaces, to avoid loose ends. Have a great week! :flowers:
