My first post to this forum.
I recently switched from using my ISP's own DNS servers to a well-known public DNS service: OpenDNS. It was then that I realized that my computer is making literally thousands of forward DNS lookups every day for the same list of domains. The actual number of DNS lookups varies from day to day - sometimes more, sometimes less - but always adds up to a very large amount numbering in the thousands. By the end of today, my computer will easily surpass 100,000 DNS lookups in total for the same set of domains.
The domains in question are:
From my research I learned that people who play Everquest - a popular MMOG - must connect to patch.everquest.com in order to play.
The remaining domains all belong to LogMeIn, a well-known application used for logging in to a computer remotely. According to LogMeIn technical support, the prefixes before logmein.com (app51, app52, app04-01, app04-02, etc.) indicate that these are servers that LogMeIn uses to balance the load of requests for its services.
I never installed Everquest on my computer. I did install LogMeIn many months ago, but I hardly used it and after a few days I uninstalled it.
Hundreds of times a day, sometimes thousands, my computer is sending DNS lookup requests for each of these domains, in the order shown above. By the end of a day, the total number of requests numbers in the thousands. (I set up OpenDNS to block these requests.)
To the best of my knowledge, my computer is not suffering any ill effects from all this activity. I have no error messages, no pop-ups, no strange behavior, and my computer runs as quickly as it always has. However, over the last few weeks my connection to the internet drops several times a day. I suspect that my ISP (Comcast) is cutting off my connection due to the thousands of rapid fire DNS requests, which it may consider the sign of malware. My ISP certainly has the right and the ability to defend their network in this way, but they claim that they do not do this.
I have scanned my computer with multiple malware scanners - Malwarebytes, Norton Power Eraser, Spybot Search & Destroy - as well as two rootkit scanners - Sophos and GMER. All scans say that I am not infected.
I do have a wireless network at home, but it is extremely unlikely that my network is hacked. I have always used WPA2-PSK authentication with AES encryption. I have an uncrackable (24-character, totally random, high entropy) password. In any case, I changed my network password and it made no difference.
Most recently, I added the domains to my hosts file. Then I checked each one by pinging each domain to be sure that 127.0.0.1 was returned. For a couple of days this dramatically slowed the number of DNS requests, but they soon came back, and more numerous than ever. Today is not over, and already each domain has been requested more than 5,000 times.
I am out of ideas and I could really use your help.
Edited by Farmisht, 23 August 2011 - 09:58 PM.
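As an added example (not part of the original post or any reply), the following Python script does the bookkeeping the poster describes by hand: it counts lookups per domain in a resolver query log, reports the busiest single minute for each, and checks whether a hosts-file override to 127.0.0.1 actually covers each domain that crosses a threshold. The log line format, the sample log lines and the hosts file contents are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed resolver log, "<timestamp> <client> <query-name>" (format assumed here).
SAMPLE_LOG = """\
2011-08-23T21:50:01 192.168.1.10 patch.everquest.com
2011-08-23T21:50:01 192.168.1.10 app51.logmein.com
2011-08-23T21:50:02 192.168.1.10 app04-01.logmein.com
2011-08-23T21:50:02 192.168.1.10 patch.everquest.com
2011-08-23T21:50:03 192.168.1.10 app04-01.logmein.com
2011-08-23T21:51:00 192.168.1.10 patch.everquest.com.
"""

# Constructed hosts file with override entries of the kind the poster added.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1   localhost
127.0.0.1   patch.everquest.com   app51.logmein.com
127.0.0.1\tapp52.logmein.com
"""

def count_queries(log_text):
    """Return ({domain: total}, {domain: highest count seen in any single minute})."""
    totals, per_minute = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        ts, _client, name = parts
        name = name.lower().rstrip(".")   # normalise case and trailing dot
        totals[name] += 1
        per_minute[name][ts[:16]] += 1    # bucket by YYYY-MM-DDTHH:MM
    peak = {d: max(c.values()) for d, c in per_minute.items()}
    return totals, peak

def parse_hosts(hosts_text):
    """Map each hostname in a hosts file to its address; comments and blanks ignored."""
    mapping = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:           # one address, then one or more names
            mapping[name.lower()] = fields[0]
    return mapping

def flag_repeaters(log_text, hosts_text, threshold):
    """Domains queried at least `threshold` times: (total, peak per minute, overridden?)."""
    totals, peak = count_queries(log_text)
    hosts = parse_hosts(hosts_text)
    return {d: (n, peak[d], hosts.get(d) == "127.0.0.1")
            for d, n in totals.items() if n >= threshold}

for d, (n, pk, blocked) in sorted(flag_repeaters(SAMPLE_LOG, SAMPLE_HOSTS, 2).items()):
    print(f"{d}: {n} lookups, peak {pk}/min, hosts override={'yes' if blocked else 'no'}")
```

A domain that is flagged but shows no hosts override is one the block never covered, which is worth checking before concluding that the override "stopped working".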