topic Re: How to find proigram performing dns lookups? in Tech Help - Software/Hardware etc

How to find proigram performing dns lookups?

7up — Fri, 18 Aug 2023 11:01:30 GMT

I have a windows VPS - windows server 2012.

Being a bit of a nerd, i installed my experimental dns server on it. It's run on my PC flawlessly for years with minimal fuss as a windows service.

On the VPS, I leave it running as a GUI in the admins remote desktop session. The VPS is setup in windows networking to use my dns server and the dns server configured to googles dns servers.

Each day when i log into the VPS by remote desktop, I look at the dns server and see that there are multiple lookups for mail.ru - a russian email service.

I have minimal software installed on the server - uniformserver (a wamp setup) filezilla ftp server, my dns server, Mercury 32 email server and that's about it.

How do i find the program that is making these outbound requests? - Like many, i don't feel comfortable with some random program on my VPS trying to phone home to a russian email service. For the time being i've created a zone on the dns server and set the A record to 127.0.0.1 so it's blocked but i still want the process gone!

Re: How to find proigram performing dns lookups?

Anonymous — Sat, 19 Aug 2023 08:45:30 GMT

Is your DNS only providing lookups for the services within your VPS, or are you using it as the local DNS for other devices in your home ?

I ask because I also have a DNS setup where I can check which domains have been looked up, and can see those that have been blocked by various filtering rules, or have been stopped by my 'blacklist'. I see a flurry of dangerous looking requests to Russian, Chinese, and other suspicious addresses when my daughter uses her Android phone or Chromebook to watch K-pop music videos, or browsing Korean fashion clothing websites - which are FULL of intrusive adverts. When she uses an ad-blocker in her browser, the dodgy DNS lookups disappear, so it looks to me like the display of the animated adverts is the source of the potentially dangerous DNS requests.

Re: How to find proigram performing dns lookups?

bobpullen — Sat, 19 Aug 2023 08:50:07 GMT

Does the DNS server have any logging? That's the first place I'd look. Failing that, you could always use Wireshark.

Re: How to find proigram performing dns lookups?

Anonymous — Sat, 19 Aug 2023 14:10:46 GMT

I was just checking my DNS and firewall logs and discovered an attacker with a sense of humour !

"security.criminalip.com" 🤣