This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Constant Repetitive DNS Queries

0

My computer is running Windows 7 pro. When I perform a live capture on my network interface, I see constant DNS queries asking for the mail server at www.yahoo.com. After restarting the machine, logging in, and immediately starting Wireshark, I still see these queries - probably once every 2 or 3 seconds. Has anyone seen anything like this before?

Note: I am trying to reply to your comments, but Akismet thinks all of my comments are spam. What am I doing wrong?

I am only seeing local network protocols and the DNS queries, but I have not done a capture for an extended period.

I mean MX queries for www.yahoo.com.

asked 17 Jun '13, 05:20


SR584
accept rate: 0%

edited 17 Jun '13, 06:55

Do you have any other traffic besides these DNS Queries? Outbound SMTP connections for example?

(17 Jun '13, 06:16) pfuender

DNS queries asking for the mail server at www.yahoo.com

What do you mean by that? A records for www.yahoo.com or MX records for yahoo.com (or www.yahoo.com)??

(17 Jun '13, 06:22) Kurt Knochner ♦

One Answer:

0

I mean MX queries for www.yahoo.com.

As far as I can see, there are no MX records for www.yahoo.com. So, if you see those requests in your capture file, there is some software on your system that is either misconfigured or that is trying to do something it shouldn't.

Regards
Kurt

answered 17 Jun '13, 07:00


Kurt Knochner ♦
accept rate: 15%
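Added example, not part of the answer above and not a Wireshark tool: a small Python script that parses raw DNS query messages (the UDP payload you would export from a capture) and flags names that are queried repeatedly at short intervals, which is the pattern described in the question (MX for www.yahoo.com every 2 to 3 seconds). The sample packets, timestamps and the threshold values are constructed for the demonstration; the parser itself follows the RFC 1035 header and question layout.

```python
"""Spot repetitive DNS queries (e.g. MX for www.yahoo.com) in raw DNS messages.

The sample packets below are constructed for this example, not taken from
the capture discussed in the thread.
"""
import struct
from collections import defaultdict

# DNS query type codes (RFC 1035 / RFC 3596)
QTYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Build a minimal DNS query (header + one question) for the sample input."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS message, or None if malformed."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        ln = msg[pos]
        if ln == 0:           # root label terminates the name
            pos += 1
            break
        if ln & 0xC0:         # compression pointer in a question name: treat as malformed
            return None
        pos += 1
        if pos + ln > len(msg):
            return None
        labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(msg):    # QTYPE + QCLASS must follow
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype


def find_repetitive(packets, max_gap=5.0, min_count=3):
    """packets: iterable of (timestamp_seconds, dns_payload_bytes).

    Returns {(qname, qtype_name): (count, mean_gap)} for names queried at
    least min_count times with an average spacing of at most max_gap seconds.
    """
    seen = defaultdict(list)
    for ts, payload in packets:
        q = parse_question(payload)
        if q is None:
            continue
        qname, qtype = q
        seen[(qname, QTYPE_NAMES.get(qtype, str(qtype)))].append(ts)
    result = {}
    for key, times in seen.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_gap:
            result[key] = (len(times), round(mean_gap, 2))
    return result


# Constructed sample: MX for www.yahoo.com every ~2.5 s, plus two ordinary A lookups.
SAMPLE_PACKETS = [
    (0.0, build_query("www.yahoo.com", 15, 0x1001)),
    (2.5, build_query("www.yahoo.com", 15, 0x1002)),
    (5.1, build_query("www.yahoo.com", 15, 0x1003)),
    (7.4, build_query("www.yahoo.com", 15, 0x1004)),
    (1.0, build_query("example.com", 1, 0x2001)),
    (60.0, build_query("example.com", 1, 0x2002)),
]

if __name__ == "__main__":
    for (name, qtype), (count, gap) in find_repetitive(SAMPLE_PACKETS).items():
        print(f"{qtype:5} {name}: {count} queries, mean gap {gap}s")
```

On the constructed sample only the MX name is reported (4 queries, mean gap about 2.47 s); the two A lookups for example.com fall below the count threshold. To run it against a real capture, feed it the (frame time, UDP payload) pairs of the port 53 frames; the script does not read pcap files itself.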

Thanks Kurt, for your answer. I would still like to know which program is producing these DNS queries, but I have been unable to do so at this point. I suppose no harm is being done.

Sean

(19 Jun '13, 09:27) SR584
1

I would still like to know which program is producing these DNS queries

Hard to figure out, as the program will just call the DNS resolver API on your Windows system and then all DNS requests are generated by the resolver of the system, so in a capture file, you will never be able to figure out what program triggers those DNS queries. You will need a Windows system API monitor tool to monitor calls to the DNS resolver API. Please google that.

(22 Jun '13, 02:30) Kurt Knochner ♦

I believe NetMon can tell you what process belongs to what packets (or vice versa)

(22 Jun '13, 16:36) hansangb

I guess you mean Microsoft Network Monitor and its capability to show the process name that owns a connection.

However, as I said, the DNS request will not be issued by any user process (browser, etc.) but by the system DNS resolver library. And thus NetMon is also unable to show which process triggered the DNS query. I just tested it, and NetMon shows <unknown> as process name for DNS queries. So, if you want to know who triggered certain DNS queries, you need either a way of debugging the system DNS resolver library or a system API call tracer.

(24 Jun '13, 04:11) Kurt Knochner ♦
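Added example, not from any participant in the thread: the comments above explain that a packet capture shows the system resolver, not the calling program, and that attribution has to happen at the resolver API level. Sysmon (a tool not mentioned in the thread; its DNS query event, Event ID 22, records the image and PID of the process that called the resolver) provides exactly that kind of API-level record. The script below parses Event ID 22 records in the Windows event XML schema and maps a query name to the processes that asked for it. The event XML, process path and PID values are constructed placeholders; a real export (for example `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`) yields a sequence of `<Event>` elements that you would wrap in a single root element before parsing, as the sample does.

```python
"""Attribute DNS queries to processes using Sysmon DNSEvent (Event ID 22) records.

The events below are constructed in the Sysmon/Windows event XML schema
for this example; the image path and PID are placeholders, not real data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_dns_events(xml_text: str):
    """Yield (utc_time, query_name, image, pid) for every Event ID 22 record."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue  # skip process-creation and other Sysmon event types
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield (data.get("UtcTime", ""), data.get("QueryName", "").lower(),
               data.get("Image", ""), data.get("ProcessId", ""))


def processes_querying(xml_text: str, wanted: str):
    """Map each process image to how often it queried `wanted` (case-insensitive)."""
    counts = defaultdict(int)
    for _utc, qname, image, _pid in parse_dns_events(xml_text):
        if qname == wanted.lower():
            counts[image] += 1
    return dict(counts)


# Constructed sample: two Event ID 22 records for www.yahoo.com from one
# placeholder updater process, one for example.com from another process,
# and one Event ID 1 (process create) that must be ignored.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2013-06-17 12:20:01.000</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="QueryName">www.yahoo.com</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults">-</Data>
    <Data Name="Image">C:\Program Files\Example\updater.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2013-06-17 12:20:03.500</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="QueryName">WWW.YAHOO.COM</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults">-</Data>
    <Data Name="Image">C:\Program Files\Example\updater.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2013-06-17 12:20:04.000</Data>
    <Data Name="ProcessId">5678</Data>
    <Data Name="QueryName">example.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:203.0.113.10;</Data>
    <Data Name="Image">C:\Program Files\Example\browser.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data></EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for image, n in processes_querying(SAMPLE_EVENTS, "www.yahoo.com").items():
        print(f"{n} queries for www.yahoo.com from {image}")
```

Note that the Image field is the process that called the resolver, which is what the thread is after; the packet on the wire is still sent by the system resolver, so this complements rather than replaces the capture.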