How to find program performing DNS lookups?

7up
Community Veteran
Posts: 15,837
Thanks: 1,591
Fixes: 17
Registered: ‎01-08-2007

I have a windows VPS - windows server 2012.

Being a bit of a nerd, I installed my experimental DNS server on it. It's run on my PC flawlessly for years with minimal fuss as a Windows service.

On the VPS, I leave it running as a GUI in the admin's remote desktop session. The VPS is set up in Windows networking to use my DNS server, and the DNS server is configured to use Google's DNS servers.

Each day when I log into the VPS by remote desktop, I look at the DNS server and see that there are multiple lookups for mail.ru, a Russian email service.

I have minimal software installed on the server: Uniform Server (a WAMP setup), FileZilla FTP server, my DNS server, Mercury/32 email server, and that's about it.

How do I find the program that is making these outbound requests? Like many, I don't feel comfortable with some random program on my VPS trying to phone home to a Russian email service. For the time being I've created a zone on the DNS server and set the A record to 127.0.0.1 so it's blocked, but I still want the process gone!

I need a new signature... i'm bored of the old one!
Anonymous
Not applicable

Re: How to find program performing DNS lookups?

Is your DNS only providing lookups for the services within your VPS, or are you using it as the local DNS for other devices in your home?


I ask because I also have a DNS setup where I can check which domains have been looked up, and can see those that have been blocked by various filtering rules, or have been stopped by my 'blacklist'.  I see a flurry of dangerous looking requests to Russian, Chinese, and other suspicious addresses when my daughter uses her Android phone or Chromebook to watch K-pop music videos, or browsing Korean fashion clothing websites - which are FULL of intrusive adverts.  When she uses an ad-blocker in her browser, the dodgy DNS lookups disappear, so it looks to me like the display of the animated adverts is the source of the potentially dangerous DNS requests.


bobpullen
Community Gaffer
Posts: 16,916
Thanks: 5,021
Fixes: 316
Registered: ‎04-04-2007

Re: How to find program performing DNS lookups?

Does the DNS server have any logging? That's the first place I'd look. Failing that, you could always use Wireshark.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
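One way to do the attribution on the VPS itself, as an added example that is not part of any reply in this thread: PowerShell against Windows' built-in DNS Client operational event log, which records each query together with the PID of the process that issued it. The log name, the query event ID (3006) and the position of the queried name in the event data are my assumptions about that log, so check them against one known query on your own box before trusting the output; the domain suffix is the one from the question.

```powershell
# Added example (not from the thread): attribute DNS queries to processes on the
# Windows host itself, using the built-in DNS Client operational event log.
# Assumptions (verify on your own system): the log name below exists on this
# Windows version, query events carry ID 3006, and the queried name is the first
# event data field. Run from an elevated PowerShell session.
$LogName = 'Microsoft-Windows-DNS-Client/Operational'
$Suffix  = 'mail.ru'   # the domain you want to attribute

# 1. Enable the log; it is disabled by default.
wevtutil set-log $LogName /enabled:true

# 2. Leave it running until the lookups recur, then pull the matching query events.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3006 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -like "*$Suffix" }

# 3. Map each event's originating PID to a process path. The PID may have exited
#    since the query was made, so fall back to a marker rather than failing.
$events | ForEach-Object {
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Query   = $_.Properties[0].Value
        PID     = $_.ProcessId
        Process = if ($proc) { $proc.Path } else { '<exited>' }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Two caveats worth knowing before reaching for the DNS server log or Wireshark instead: when the resolver and the DNS server sit on the same host, the server log and a packet capture both show every query coming from 127.0.0.1, so they confirm the name but cannot name the process; a capture only gets you there if you also snapshot `netstat -ano` at the moment of the query and match the UDP source port to its PID. And once you have the process, whether the lookup is benign (mail software resolves sender domains all day) or a stray program phoning home is a question about that process, not about the DNS traffic.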

Anonymous
Not applicable

Re: How to find program performing DNS lookups?

I was just checking my DNS and firewall logs and discovered an attacker with a sense of humour!

[Screenshot attached, 2023-08-19: Status / System Logs / Firewall, Normal View]

"security.criminalip.com"   🤣
