
Summary:

I see dozens of requests to non-existing domains and I suspect it slows down my network. Can't find the source.

Full description:

I use pihole as a DNS server, and both Wireshark and Little Snitch to analyze the outgoing requests.

My motivation to do that is that my computer's connection is very slow in comparison to other devices on the same network.

On pihole logs I identified numerous (several per minute) requests to non-existing domains such as cwtwzxm.home, oqcuhponmpihyp.home, uceqeycvfo.home etc. The pattern is quite clear...

I suspect these requests to be one of the reasons why my network is so slow, so I try to understand which application is sending these DNS requests and why.

Someone suggested these would come from Chromium browser that polls for captive portals, but I overruled this assumption after killing all embedded Chromium processes (present in Adobe CC and Dropbox).

Little Snitch couldn't find any request, which is strange since it means these requests are not coming from any running application (I know - it's not logical).

Wireshark, on the other hand, did find the DNS requests but I don't know how to decrypt them.

  1. How to interpret Wireshark's output?
  2. How can I find the application/software/program which initiates these requests?

Sample pihole.log:

Oct 12 15:06:01 dnsmasq[11469]: forwarded dbetguay.home to 127.0.0.1
Oct 12 15:06:01 dnsmasq[11469]: reply rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:01 dnsmasq[11469]: reply dbetguay.home is NXDOMAIN
--
Oct 12 15:06:03 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: reply uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:08 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:08 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:09 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:09 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
zstolar

1 Answer

The NXDOMAIN response means that the addressed domain was not found in the DNS system. This is not surprising, seeing that these domain names are random nonsense.

The requests seem to originate from the device with the IP address of 192.168.1.10. It is up to you to locate this device by its IP address. The router should be able to report which is the attached device that has this address.

Persistent NXDOMAIN responses from your local DNS service that all originate from a single client could be an indicator of infection. PTR queries can reverse engineer networks and mine for interesting hostnames.

My guess would be that the above device is infected by a particularly clumsy virus, trying to phone home to its controlling website, or trying to gather information about your local network.

For dealing with a possible infection, see the post
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

harrymc
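A small triage script, added here as an illustration and not part of either post: it parses pihole.log (dnsmasq) lines like those in the question, attributes each NXDOMAIN answer to the client that most recently queried that name, and lists clients whose queries are mostly NXDOMAIN. The sample log is constructed from the question's lines plus an invented benign client, 192.168.1.20, as a control; the thresholds in suspicious_clients are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed sample in pihole.log (dnsmasq) format, modelled on the question's log;
# 192.168.1.20 is a constructed benign control client, not from the question.
SAMPLE_LOG = """\
Oct 12 15:06:01 dnsmasq[11469]: reply rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:01 dnsmasq[11469]: reply dbetguay.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:05 dnsmasq[11469]: query[A] www.example.com from 192.168.1.20
Oct 12 15:06:05 dnsmasq[11469]: reply www.example.com is 93.184.216.34
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
NXDOMAIN_RE = re.compile(r"(?:reply|cached) (\S+) is NXDOMAIN$")

def analyze(log_text):
    """Per-client counts: total queries, NXDOMAIN answers, distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "nx_names": set()})
    last_client = {}  # name -> client that most recently queried it
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _qtype, name, client = m.groups()
            stats[client]["queries"] += 1
            last_client[name] = client
            continue
        m = NXDOMAIN_RE.search(line)
        if m:
            client = last_client.get(m.group(1))
            if client is None:  # answer to a query outside the captured window
                continue
            stats[client]["nxdomain"] += 1
            stats[client]["nx_names"].add(m.group(1))
    return dict(stats)

def suspicious_clients(stats, min_nxdomain=3, min_ratio=0.5):
    """Clients with a high, repeated NXDOMAIN share; inspect these devices first."""
    flagged = []
    for client, s in stats.items():
        if s["nxdomain"] >= min_nxdomain and s["nxdomain"] / s["queries"] >= min_ratio:
            flagged.append(client)
    return sorted(flagged)
```

Run it against a real pihole.log by passing the file's contents to analyze(); the flagged address is the device to locate on the router, and nx_names shows which names it keeps asking for.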