Koozali.org: home of the SME Server

Constant DNS lookups to parysecund.com

morpion
Constant DNS lookups to parysecund.com
« on: May 19, 2010, 10:57:44 AM »
Hi all,
I am using SME7.4 with all the standard updates on it and I normally have no problems with it.
I have recently noticed on my outbound router logs that I am getting almost constant messages as follows:

150May 19 08:53:34VigorLocal User: 192.168.70.138 DNS -> 208.76.61.100 inquire parysecund.com
150May 19 08:53:34VigorLocal User: 192.168.70.138 DNS -> 208.76.63.100 inquire parysecund.com

Where 192.168.70.138 is our SME server. It seems to be constantly trying to look up parysecund.com on DNS. I cannot find anything out about this domain, nor can I work out what is asking for the address.

Has anyone come across this, and is there anything I can do to stop it? It suggests to me that something is constantly asking for the domain name parysecund.com, but is there a way I can find out what is asking for it?
Help from experienced guys would be appreciated!

Regards

Mike

cactus (http://www.snetram.nl)
Re: Constant DNS lookups to parysecund.com
« Reply #1 on: May 19, 2010, 11:11:06 AM »
> Has anyone come across this, and is there anything I can do to stop it? It suggests to me that something is constantly asking for the domain name parysecund.com, but is there a way I can find out what is asking for it?
> Help from experienced guys would be appreciated!
My guess is it might be a host in the domain that is configured to use your server as DNS server. Perhaps you can use iptraf to find out what host is performing the lookups. DNS queries are usually performed on port 53, so if it is querying that much it might show up in the list when you run iptraf like this (I guess you are using eth0 as local interface; if that is not the case, replace it with the proper interface, or all for all interfaces):

iptraf -i eth0
Sort by packets (P) and look for port 53 and try and see if there is one host that sends an excessive amount of packets on that port.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)
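The question cactus raises here (which host is generating the port 53 traffic) and Stefano's later suggestion to capture with tcpdump both come down to the same bookkeeping: count queries per source host and per queried name, then look for the outlier. The script below is an added example, not code from the thread or from SME Server. It parses two constructed line formats, the DrayTek Vigor router log the original poster quoted and tcpdump's default text output for `tcpdump -n port 53`, and reports the (source host, name) pairs above a threshold. The sample log is constructed for the example; the IP addresses and names in it are not real traffic.

```python
"""Summarise DNS query volume per source host and per queried name.

Added example for this thread, not code from the forum or from SME Server.
Handles two constructed line formats:
  * the DrayTek Vigor router log line quoted by the original poster
  * tcpdump's default text output for UDP port 53 (tcpdump -n port 53)
"""
import re
from collections import Counter

# Vigor-style line: "... <src> DNS -> <dst> inquire <name>"
VIGOR_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DNS -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) inquire (?P<name>\S+)"
)
# tcpdump-style line: "IP <src>.<port> > <dst>.53: <id>+ A? <name>. (<len>)"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: \d+\+? [A-Z]+\? (?P<name>\S+?)\.? \("
)

# Constructed sample: three router lines and one tcpdump line from one host
# asking for the same name, two unrelated queries, and one non-DNS line.
SAMPLE_LOG = """\
May 19 08:53:34 Vigor Local User: 192.168.70.138 DNS -> 208.76.61.100 inquire parysecund.com
May 19 08:53:34 Vigor Local User: 192.168.70.138 DNS -> 208.76.63.100 inquire parysecund.com
May 19 08:53:35 Vigor Local User: 192.168.70.138 DNS -> 208.76.61.100 inquire parysecund.com
May 19 08:53:36 Vigor Local User: 192.168.70.50 DNS -> 208.76.61.100 inquire example.com
08:53:37.000123 IP 192.168.70.138.41234 > 208.76.61.100.53: 44513+ A? parysecund.com. (32)
08:53:38.000456 IP 192.168.70.77.51002 > 192.168.70.138.53: 1034+ A? intranet.example. (34)
May 19 08:53:39 Vigor Local User: WAN1 link up
"""


def parse_dns_queries(text):
    """Yield (src, dst, name) for every recognised query line; skip the rest."""
    for line in text.splitlines():
        for pattern in (VIGOR_RE, TCPDUMP_RE):
            m = pattern.search(line)
            if m:
                # tcpdump prints names with a trailing dot; normalise it away
                yield m["src"], m["dst"], m["name"].lower().rstrip(".")
                break


def summarise(text):
    """Return query counts keyed by source host, by name, and by (host, name)."""
    by_src, by_name, by_pair = Counter(), Counter(), Counter()
    for src, _dst, name in parse_dns_queries(text):
        by_src[src] += 1
        by_name[name] += 1
        by_pair[(src, name)] += 1
    return {"by_src": by_src, "by_name": by_name, "by_pair": by_pair}


def noisy_pairs(text, threshold):
    """Return [(src, name, count), ...] at or above threshold, busiest first."""
    pairs = summarise(text)["by_pair"]
    hits = [(s, n, c) for (s, n), c in pairs.items() if c >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for src, name, count in noisy_pairs(SAMPLE_LOG, 3):
        print(f"{src} asked for {name} {count} times")
```

Feed it the real router log or a saved tcpdump capture instead of `SAMPLE_LOG` and the source host that dominates the count is the one to look at next. As the rest of the thread shows, when that host turns out to be the DNS server itself, a per-host count cannot tell you which process on it is asking; it only settles whether the traffic originates from a client or from the server.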

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #2 on: May 19, 2010, 11:17:03 AM »
Thanks for your suggestion, Cactus, I'll give it a try
Mike

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #3 on: May 19, 2010, 12:17:28 PM »
Well I've carried out the IPTraf report and it showed me loads of outbound requests on port 53 from my SME server (as expected). Unfortunately there is no matching high number of requests from any of our workstations.

This suggests to me that the requests are being generated by the server itself. The fact that the lookups are failing and are to one address, parysecund.com, suggests that maybe the system is just continually asking for the same address lookup as it hasn't had an answer. I don't know if that's how it works but, if it is the case, is there any way I can clear the dodgy domain name from its cache and thereby stop it looking it up?

Regards
Mike

cactus (http://www.snetram.nl)
Re: Constant DNS lookups to parysecund.com
« Reply #4 on: May 19, 2010, 12:20:30 PM »
> This suggests to me that the requests are being generated by the server itself. The fact that the lookups are failing and are to one address, parysecund.com, suggests that maybe the system is just continually asking for the same address lookup as it hasn't had an answer. I don't know if that's how it works but, if it is the case, is there any way I can clear the dodgy domain name from its cache and thereby stop it looking it up?
Do you have anti-spam measures in place that might try to look up a domain before accepting mail from it? Perhaps you are being hammered by e-mails faking the mentioned domain?

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #5 on: May 19, 2010, 01:56:56 PM »
Thanks for the suggestions, Cactus.

I've tried turning off spam checking of emails in the SME server manager. I've also tried turning off the bouncing of unknown users' emails in case that was holding up the queue. Unfortunately the server continues to send out thousands of inquiries on port 53.
Is there a way of viewing the actual emails waiting to be processed so that I can see if there is one holding things up?
Mike

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #6 on: May 19, 2010, 02:07:47 PM »
I have just installed qmHandle which lets me view and delete emails from the message queue. This tells me that there are only a couple of emails waiting and they shouldn't be causing these lookups.

Mike

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #7 on: May 19, 2010, 02:26:39 PM »
I have now tried a reconfigure and reboot of the server to see if that cleared any caches. The port 53 inquiries for parysecund.com stopped during the reboot and then kicked off again as soon as it restarted!

Any suggestions would be appreciated and who is parysecund.com?

:)
Mike

cactus (http://www.snetram.nl)
Re: Constant DNS lookups to parysecund.com
« Reply #8 on: May 19, 2010, 02:28:11 PM »
> Any suggestions would be appreciated and who is parysecund.com?
I don't know, DNS lookups here on our servers do not give a result. You are sure this is not something you might have configured on your server, perhaps a new domain with a typo?

Stefano
Re: Constant DNS lookups to parysecund.com
« Reply #9 on: May 19, 2010, 02:36:35 PM »
morpion, are you sure your clients are ok?

is your server in server & gw mode? if yes, start iptraf and/or tcpdump.. I suspect there's something wrong with your clients

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #10 on: May 19, 2010, 02:38:36 PM »
Thanks for the reply, Stefano.
My server is set up in server-only mode as the gateway is our ADSL router. Clients use the server as a DNS location and our router as the gateway.

Regards
Mike

versa
Re: Constant DNS lookups to parysecund.com
« Reply #11 on: May 19, 2010, 02:50:13 PM »
Like Stefano said, you might want to check your clients.
It would look like parysecund.com is a Russian site and is using a service like DynDns for its DNS management
http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=parysecund.com
......

Stefano
Re: Constant DNS lookups to parysecund.com
« Reply #12 on: May 19, 2010, 02:51:16 PM »
well, then check DNS queries from your clients to SME..
if you can, try shutting down / disconnecting from the LAN one client at a time..

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #13 on: May 19, 2010, 02:56:28 PM »
Thanks Stefano,

I will try that out.
Regards

Mike

morpion
Re: Constant DNS lookups to parysecund.com
« Reply #14 on: May 19, 2010, 03:13:29 PM »
Thanks chaps. I've tried disconnecting each client but still no joy. I will try later (when the users have gone home!) to disconnect all clients and just route the server directly to the internet. Then I can add clients one by one to see what happens.
Thank you for your help and suggestions so far.

Mike