>40Hz DNS query xxx.1.168.192.in-addr.arpa, unknown cause

networkingtroubleshooting

On one of my FC10 boxes I noticed that the network activity lights keep flashing even when I'm doing nothing on it so I pulled out wireshark and took a look at whats causing it. It's logging the same query xxx.1.168.192 where xxx is another machine (winXP) on my network thats currently not turned on. Wireshark provides additional info of "type PTR, class IN" under the 'Queries' tab. The response packet is 'No such name' and Under the 'Authoratative nameservers' it says "168.192.in-addr.arpa: type SOA, class IN, mname prisoner.iana.org"

It occurs for a few minutes every few minutes.

I'm not (much of) a sysadmin but I do some simple tasks to look after the network so some pointers on a) How to find out whats causing this and b) How do I fix this would be great.

Details:

Source 192.168.1.fc10 dest 192.168.1.1 (dsl gateway) 'PTR xxx.1.168.192.in-addr.arpa'
Source 192.168.1.1 dest 192.168.1.fc10 'No such name'
[repeat at >40Hz]

Edit 2:

Another question: in the meanwhile while someone tries to point me in the right direction, is there anyway to firewall off this particular request without messing with other dns requests?

Edit 3:

Tried tcpdump -i any -X nnv ip host 192.168.1.winxp produced:
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Tried editing hosts file with '192.168.1.xxx winxp' (Eddy put the hostname first but I thought the IP goes first? Am I missing something?) but that doesnt do anything still getting the PTR queries.

Best Answer

Found the culprit. Since it appeared periodic I checked crontab on a hunch and found that I had sarg (squid report generator) running every x minutes. From everyones suggestion about DNS lookups etc. I checked the details in the config and found it was configured to resolve IP addresses (mistake) so for every request logged from the winXP box it tried to resolve it, and it appeared to do this for every request in the log hence the flood.

fix: turn off resolve ip address.

thanks everyone for the ideas that got me looking in the right direction. posting the answer in the event it might help someone else.

Related Solutions

HP access points sending out multicast packets from IPs that aren’t their own

First and foremost, those are not NBNS packets, they're actually Universal Plug-n-Play packets attempting to search for "Internet Gateway Device" enabled devices. UPNP-IGD uses IPv4 multicast to locate such edge devices. The protocol, such as it is, says there should be only one. The give-away is in the packet payload:

M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
MX:3

.xmlsoap.org/ws/2004/08/addressing" xmlns:

IGD is used by some applications to tell consumer NAT gateways how to handle NAT traversal for certain protocols. IM applications and the like. You can make Wireshark show things better by telling it to decode UDP/137 as HTTP for that capture.

Now, why this is causing a multicast storm is the big question. You're getting the same kind of packet well before the storm hits, but they're correctly being sent to 239.255.255.250:1900. Packet 23955, in fact, comes from the same device that starts the storm in 23968. However, packet 23968 shows the same destination MAC address (one indicating IPv4 Multicast) but has a destination IP address that is in your /16 block and should NOT be multicast.

Packet 23604 is also very malformed. It has a valid Ethernet header, but the IP header is strangely truncated and ends in the same UPNP-IGD string I quoted above. The device that issued this strange, strange packet is the same device (well, comes from the same MAC address anyway) as packet 23968 that kicked off the multicast storm.

My best bet at this point is that the device at 00:1F:3B:D2:5E:6D is hosed in some way or is uniquely not handling these UPNP search requests correctly. Packet 24717 shows another M-SEARCH request going to 239.255.255.250:3702 that also comes from the same device. Right IP address, wrong port (should be 1900).

My guess is that the multicast storm is being kicked off by a packet with a Unicast IP address arriving with a multicast MAC address, and your network devices not handling that invalid case correctly. This is suggestive in the fact that the packets after the initial one all claim to source from the same IP (143.226.8.185), but the MAC address are all different. You have a bad device that managed to find a bug in multicast/unicast handling of your net-devices.

Cisco 837 not passing UDP traffic properly (was: DNS query problem)

Is it just udp or is tcp also affected?
Are there any IPv4/IPv6 issues (sometimes routers get confused, thou I've seen that only for really cheap ones)

A way to test that would be (using Google DNS servers):

$ dig @8.8.8.8 example.com +noall +answer +notcp +ignore # udp only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig -4 example.com +noall +answer +notcp +ignore # udp only/ipv4 only
example.com.        50270   IN  A   192.0.43.10

$ dig -6 example.com +noall +answer +notcp +ignore # udp only/ipv6 only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig @8.8.8.8 example.com +noall +answer +tcp # tcp only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -4 example.com +noall +answer +tcp # tcp only/ipv4 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -6 example.com +noall +answer +tcp # tcp only/ipv6 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

Also:

Do you have a tcpdump
Maybe get some cheap VPS/EC2/Rackspace Instance and open port 53 (netcat is your friend). Test with telnet that you can connect -- just to be sure that your pakets are indeed going beyond your firewall.

Best Answer

Related Solutions

HP access points sending out multicast packets from IPs that aren’t their own

Cisco 837 not passing UDP traffic properly (was: DNS query problem)

Related Topic