unwanted DNS requests

Having a SuSE 9.1 Linux box configured as Samba and Apache Server
behind a Zyxel ADSL router, I have identified some absurd DNS requests
which point towards a configuration problem:
Every minute some process i cannot identify makes this calls:

-----<tcpdump>------
12:24:58.257395 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2,
Response, length: 44
12:24:58.325306 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
56311+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:24:58.391141 IP dns03.btx.dtag.de.domain > localhost.de.1145: 56311
NXDomain 0/1/0 (121)
12:24:58.452128 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
56312+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:24:58.518795 IP dns03.btx.dtag.de.domain > localhost.de.1145: 56312
NXDomain 0/1/0 (119)
12:24:58.582270 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
56313+ PTR? 234.224.20.195.in-addr.arpa. (45)
12:24:58.656604 IP dns03.btx.dtag.de.domain > localhost.de.1145: 56313
1/0/0 (73)
12:24:58.717398 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
56314+ PTR? 129.2.25.194.in-addr.arpa. (43)
12:24:58.783268 IP dns03.btx.dtag.de.domain > localhost.de.1145:
56314* 1/0/0 (74)
12:25:03.256670 arp who-has 192.168.1.1 tell localhost.de
12:25:03.257049 arp reply 192.168.1.1 is-at 00:a0:c5:8f:74:09
12:25:20.151397 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
13598+ A? hzdxzq.de. (27)
12:25:20.212691 IP dns03.btx.dtag.de.domain > localhost.de.1145: 13598
NXDomain 0/1/0 (79)
12:25:20.270917 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
13599+ A? hzdxzq. (24)
12:25:20.331861 IP dns03.btx.dtag.de.domain > localhost.de.1145: 13599
NXDomain 0/1/0 (99)
12:25:21.142500 IP localhost.de.1145 > 192.168.1.255.netbios-ns: NBT
UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:25:21.412449 IP localhost.de.1145 > 192.168.1.255.netbios-ns: NBT
UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:25:21.682362 IP localhost.de.1145 > 192.168.1.255.netbios-ns: NBT
UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:25:28.587523 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2,
Response, length: 44
-----<\tcpdump>-----

192.168.1.1 & 192.168.1.255 is the Zyxel router
192.20.224.234 is the provider assigned ip-adress
what the other ip address and this hzdxzq.de thing is - no idea

Using socklist i cannot identify port 1145.

Can anyone help me?

Regards Benjamin

In the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>,
(E-Mail Removed) wrote:

>Having a SuSE 9.1 Linux box configured as Samba and Apache Server
>behind a Zyxel ADSL router, I have identified some absurd DNS requests
>which point towards a configuration problem:

Samba - meaning you have some windoze boxes. I'd recommend running at
least a caching name server, that is authoratative for the LAN, and forwards
other requests to a valid name server. Windoze is always bothering a name
server, trying to find more hosts to drop it's pants for.

>Every minute some process i cannot identify makes this calls:

You only show a half minute.

>12:24:58.257395 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2,
>Response, length: 44

Do you need to be running RIPv2 (likely some router daemon)?

>12:24:58.325306 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
>56311+ PTR? 255.1.168.192.in-addr.arpa. (44)

You don't identify localhost.de, or the network mask, but it looks like
some application is assuming the wrong network mask and doesn't recognize
192.168.1.255 as a broadcast.

>12:24:58.391141 IP dns03.btx.dtag.de.domain > localhost.de.1145: 56311
>NXDomain 0/1/0 (121)

Yes - dtag.de can hardly know which of the ten million hosts is using
the RFC1918 address.

>12:24:58.582270 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
>56313+ PTR? 234.224.20.195.in-addr.arpa. (45)
>12:24:58.656604 IP dns03.btx.dtag.de.domain > localhost.de.1145: 56313
>1/0/0 (73)

localhost.de wants to know who 195.20.224.234 is - it's dns.schlund.de, a
widely blocked spam provider. google for 'schlund.de' in news.admin.net-abuse.*
for more details.

>12:24:58.717398 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
>56314+ PTR? 129.2.25.194.in-addr.arpa. (43)
>12:24:58.783268 IP dns03.btx.dtag.de.domain > localhost.de.1145:
>56314* 1/0/0 (74)

Same thing - 194.25.2.129 is dns03.btx.dtag.de, the name server you are
pestering.

>12:25:20.151397 IP localhost.de.1145 > dns03.btx.dtag.de.domain:
>13598+ A? hzdxzq.de. (27)

Someone fumble fingered a file. If localhost.de is running *nix, use
grep to find that string in /etc/* and below. Also check any
configuration files that may be chroot'ed in Samba or Apache.

>12:25:21.142500 IP localhost.de.1145 > 192.168.1.255.netbios-ns: NBT
>UDP PACKET(137): QUERY; REQUEST; BROADCAST

Samba crap needed by windoze.

>192.168.1.1 & 192.168.1.255 is the Zyxel router

192.168.1.1 may be the router, but 192.168.1.255 should be the broadcast
based on the addresses used by RIPv2 and Samba.

>192.20.224.234 is the provider assigned ip-adress

I think that's a typo - but OK

>what the other ip address and this hzdxzq.de thing is - no idea

Who is 'localhost.de'?

>Using socklist i cannot identify port 1145.

It seems consistent, and if localhost.de is the Linux box, try

netstat -tupan
/usr/sbin/fuser -vn udp 1145

to identify the process using 1145.

Old guy

Thank you Old Guy

> Do you need to be running RIPv2 (likely some router daemon)?

I assume RIPv2 is run by the Zyxel 650 ADSL Router.

> You don't identify localhost.de, or the network mask, but it looks like
> some application is assuming the wrong network mask and doesn't recognize
> 192.168.1.255 as a broadcast.

localhost is the Linux Box. I can't figure out why .de is added to the
hostname.

>Someone fumble fingered a file. If localhost.de is running *nix, use
>grep to find that string in /etc/* and below. Also check any
>configuration files that may be chroot'ed in Samba or Apache.

hzdxzq.de is not found. Only hzdxzq, again I don't know why .de is
added.
This computer is turnd off like the other windoze boxes.

grep -r -e hzdxzq *
returns
cups/printers.conf.OeviceURI smb://hzdxzq:******@EUR/hzdxzq/HP3150
which shoud be correct

> It seems consistent, and if localhost.de is the Linux box, try
>
> netstat -tupan
> /usr/sbin/fuser -vn udp 1145

did that, nothing of interest


grep -r 1026 * on /proc reveals:
(After reboot DNS requests now come from port 1026)

-----<"\proc\net\ip_conntrack">-----
udp 17 172 src=192.168.1.2 dst=194.25.2.129 sport=1026 dport=53
src=194.25.2.129 dst=192.168.1.2 sport=53 dport=1026 [ASSURED] use=1
mark=0
tcp 6 21 TIME_WAIT src=192.168.1.2 dst=64.233.167.104 sport=7515
dport=80 src=64.233.167.104 dst=192.168.1.2 sport=80 dport=7515
[ASSURED] use=1 mark=0
tcp 6 21 TIME_WAIT src=192.168.1.2 dst=64.233.167.147 sport=7519
dport=80 src=64.233.167.147 dst=192.168.1.2 sport=80 dport=7519
[ASSURED] use=1 mark=0
udp 17 172 src=192.168.1.2 dst=195.20.224.234 sport=1026 dport=53
src=195.20.224.234 dst=192.168.1.2 sport=53 dport=1026 [ASSURED] use=1
mark=0
udp 17 23 src=192.168.1.2 dst=192.168.1.255 sport=1026 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.2 sport=137 dport=1026
use=1 mark=0
tcp 6 21 TIME_WAIT src=192.168.1.2 dst=64.233.167.104 sport=7521
dport=80 src=64.233.167.104 dst=192.168.1.2 sport=80 dport=7521
[ASSURED] use=1 mark=0
tcp 6 21 TIME_WAIT src=192.168.1.2 dst=64.233.167.147 sport=7518
dport=80 src=64.233.167.147 dst=192.168.1.2 sport=80 dport=7518
[ASSURED] use=1 mark=0
udp 17 22 src=127.0.0.1 dst=127.255.255.255 sport=1026 dport=137
[UNREPLIED] src=127.255.255.255 dst=127.0.0.1 sport=137 dport=1026
use=1 mark=0
------<\"\proc\net\ip_conntrack">-----

has this something to do with iptables and a misconfigured firewall?

Thanks Benjamin

In the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>,
(E-Mail Removed) wrote:

>I assume RIPv2 is run by the Zyxel 650 ADSL Router.

Yes, though I don't believe it's really needed. You would _normally_ only
need some routing daemon (routed or gated are common) when there are more
than one route off the local LAN leading to the same place (such as "the
Internet"). If there is only one router, then everything has to go through
it to reach "that place" - there is no other way, so dynamic routing isn't
needed.

>localhost is the Linux Box. I can't figure out why .de is added to the
>hostname.

Ah, then look in /etc/resolv.conf - you have a 'domain' or 'search' term.
Solve the man page for details. 'man 5 resolver'

>> netstat -tupan
>> /usr/sbin/fuser -vn udp 1145
>
>did that, nothing of interest

That is the application that is making the requests.

>grep -r 1026 * on /proc reveals:
>(After reboot DNS requests now come from port 1026)

Yes - that is consistent. Question is, why is this system making the
constant DNS queries. If you are not running a local name server that is
authoritative for 192.168.1.0, I'd suggest making sure that all hosts on
that net are listed in all host files, and that all have fully qualified
names (names with 'dots' like "foo.bar.baz" or "hzdxzq.invalid.de").

Old guy

On Sun, 25 Sep 2005 15:03:48 -0500, Moe Trin wrote:

> If you are not running a local name server that is authoritative for
> 192.168.1.0, I'd suggest making sure that all hosts on that net are
> listed in all host files, and that all have fully qualified names (names
> with 'dots' like "foo.bar.baz" or "hzdxzq.invalid.de").

*Ahem*
invalid.de has address 192.67.198.51
invalid.de mail is handled by 10 mailin.webmailer.de.

Thanks Old Guy,

added all that in /etc/hosts, works fine now.

Benjamin