This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNS leak: Looking up own hostname with DNS queries

0
1

I was checking a proxied program for DNS leaks with tshark when I noticed this:

13.170066    10.0.2.15 -> 192.168.1.1  DNS 66 Standard query 0xd473  A [hostname]
13.753496    10.0.2.15 -> 192.168.1.1  DNS 66 Standard query 0x7bb4  A [hostname]

where [hostname] is the hostname of the machine the program and tshark are running on, 10.0.2.15 is the local machine, and 192.168.1.1 is the router.

Why does the computer look up its own hostname and how can I prevent this from leaking information about the computer?

Note that changing the hostname once is not useful since an (untrusted) proxy knows that it is the same computer connecting every time since the computer sends the same hostname.

asked 09 Feb '13, 10:13

Navin

edited 09 Feb '13, 10:14


One Answer:

1

Hard to say; you'd probably have to find out what program/service does this.

One explanation could be that you've turned on the network name resolution feature in the profile you're using, which will lead to tshark/Wireshark contacting the DNS server to find out FQDNs of IP addresses. Did you check if you can also see PTR record queries? Wireshark seems to do an A record query after a successful PTR answer was received to verify if the information works both ways.

Depending on your OS you could try to find the program using a socket to connect to the DNS server, maybe using a tool like Process Monitor from Sysinternals. I tried it just now, and if you only let it show network activity and have Wireshark/tshark running at the same time you can match port numbers to find the process that triggered the query. netstat might work too, but I doubt that the UDP port will be listed there long enough to get a good reading.

answered 09 Feb '13, 11:53

Jasper ♦♦
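The port-matching check described in the answer can be scripted. This is an added example, not part of the original thread: it reads tab-separated tshark field output, lists A/AAAA queries for the machine's own hostname with their UDP source ports (to compare against a per-process socket listing), and reports whether PTR queries are present. The sample rows, the source ports and the name `myhost` are constructed for illustration.

```python
# Input format (tab-separated), as produced by:
#   tshark -Y "dns.flags.response == 0" -T fields -e frame.time_relative \
#          -e ip.src -e udp.srcport -e dns.qry.type -e dns.qry.name
# Constructed sample; "myhost" stands in for the machine's real hostname.
SAMPLE = (
    "12.901120\t10.0.2.15\t40112\t12\t1.1.168.192.in-addr.arpa\n"
    "13.170066\t10.0.2.15\t51344\t1\tmyhost\n"
    "13.753496\t10.0.2.15\t38217\t1\tmyhost\n"
    "14.002310\t10.0.2.15\t44871\t1\texample.org\n"
)

QTYPE_A, QTYPE_PTR, QTYPE_AAAA = "1", "12", "28"


def own_name_queries(text, hostname):
    """Return (leaks, ptr_seen).

    leaks: A/AAAA queries whose name is our hostname (short form or FQDN),
           each with the UDP source port needed to identify the process.
    ptr_seen: True if any PTR query appears, which would fit the
              name-resolution explanation given in the answer.
    """
    short = hostname.lower().rstrip(".").split(".")[0]
    leaks, ptr_seen = [], False
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # skip malformed or non-DNS rows
        ts, src, sport, qtype, qname = parts
        qname = qname.lower().rstrip(".")
        if qtype == QTYPE_PTR:
            ptr_seen = True
        elif qtype in (QTYPE_A, QTYPE_AAAA) and (
            qname == short or qname.startswith(short + ".")
        ):
            leaks.append({"time": float(ts), "src": src,
                          "port": int(sport), "name": qname})
    return leaks, ptr_seen


if __name__ == "__main__":
    leaks, ptr_seen = own_name_queries(SAMPLE, "myhost")
    for q in leaks:
        print(f"{q['time']:.6f}  {q['src']}:{q['port']}  queried {q['name']}")
    print("PTR queries present:", ptr_seen)
```

On a live system, pass `socket.gethostname()` as the hostname and look up each reported port in the process listing while the capture is still running, since the UDP socket is short-lived.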