How to find program performing dns lookups?
18-08-2023 11:57 AM - edited 18-08-2023 12:01 PM
I have a Windows VPS - Windows Server 2012.
Being a bit of a nerd, I installed my experimental DNS server on it. It's run on my PC flawlessly for years with minimal fuss as a Windows service.
On the VPS, I leave it running as a GUI in the admin's remote desktop session. The VPS is set up in Windows networking to use my DNS server, and the DNS server is configured to use Google's DNS servers.
Each day when I log into the VPS by remote desktop, I look at the DNS server and see that there are multiple lookups for mail.ru - a Russian email service.
I have minimal software installed on the server - Uniform Server (a WAMP setup), FileZilla FTP server, my DNS server, Mercury/32 email server and that's about it.
How do I find the program that is making these outbound requests? Like many, I don't feel comfortable with some random program on my VPS trying to phone home to a Russian email service. For the time being I've created a zone on the DNS server and set the A record to 127.0.0.1 so it's blocked, but I still want the process gone!
Re: How to find program performing dns lookups?
19-08-2023 9:45 AM
Is your DNS only providing lookups for the services within your VPS, or are you using it as the local DNS for other devices in your home?
I ask because I also have a DNS setup where I can check which domains have been looked up, and can see those that have been blocked by various filtering rules, or have been stopped by my 'blacklist'. I see a flurry of dangerous-looking requests to Russian, Chinese, and other suspicious addresses when my daughter uses her Android phone or Chromebook to watch K-pop music videos, or browses Korean fashion clothing websites - which are FULL of intrusive adverts. When she uses an ad-blocker in her browser, the dodgy DNS lookups disappear, so it looks to me like the display of the animated adverts is the source of the potentially dangerous DNS requests.
Re: How to find program performing dns lookups?
19-08-2023 9:50 AM
Does the DNS server have any logging? That's the first place I'd look. Failing that, you could always use Wireshark.
Bob Pullen
Plusnet Product Team
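The query-to-process correlation the replies are reaching for can be taken from Windows' own DNS Client event log; the PowerShell below is an added example and is not code from this thread or from any of the posters. It assumes the Microsoft-Windows-DNS-Client/Operational log exists on the server's Windows build and has been enabled (`wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true`), that Event ID 3006 is the "DNS query is called" event with an English-language message, and that the querying process is still running when the script is run.

```powershell
# Added example: map DNS queries to the process that issued them via the
# DNS Client operational log. Assumptions (not from the thread): the log is
# present and enabled on this Windows build, Event ID 3006 is the query event,
# and its message is in English ("DNS query is called for the name X, type 1, ...").
param(
    [string]$Pattern   = 'mail\.ru',   # regex for the name to hunt (taken from the post)
    [int]   $MaxEvents = 5000
)

$log = 'Microsoft-Windows-DNS-Client/Operational'

# Newest events first; -ErrorAction Stop makes a missing/disabled log fail loudly.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3006 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$hits = foreach ($e in $events) {
    if ($e.Message -match 'for the name (?<name>[^,\s]+)' -and $Matches.name -match $Pattern) {
        # The event's System block carries the PID of the caller; resolve it to a
        # process name and image path while the process is still alive.
        $proc = $null
        if ($e.ProcessId) {
            $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            QueryName = $Matches.name
            ProcessId = $e.ProcessId
            Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path      = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Individual matching queries, oldest first.
$hits | Sort-Object Time | Format-Table -AutoSize

# Which PIDs/processes are responsible, and how often.
$hits | Group-Object ProcessId, Process |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A process that exited before the script ran shows as `<exited>`, so re-run it shortly after the next lookup appears in the DNS server. Where this log is unavailable on the build, Sysmon's Event ID 22 (DnsQuery) records the same name-to-image mapping on newer Windows versions.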
Re: How to find program performing dns lookups?
19-08-2023 3:10 PM
I was just checking my DNS and firewall logs and discovered an attacker with a sense of humour!
"security.criminalip.com" 🤣