Hello Tux, thanks for your reply.
"s@po" <[email protected]> wrote on 12.10.2019 20:10:
>
> > Why would my machine send these requests?
>
> first of all, your machine seems to be the dns server, or you have
> static ips assigned?

Yes, unbound DNS resolver is running on this machine. No static IPs.

> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}

I have a huge /etc/hosts file for blocking purposes. There are a handful of
lines for IPs in the LAN like this which are not in use, i.e. I have no LAN,
only a laptop rarely connected to this machine:

$ head /etc/hosts
127.0.0.1       localhost
127.0.1.1       rubians
192.168.19.1    rubians
192.168.19.2    rubiana
192.168.19.3    rubiano

$ cat /etc/resolv.conf
nameserver 127.0.0.1      # this is for unbound on localhost
nameserver 83.169.184.33  # ISP's name server
nameserver 83.169.184.97  # ISP's name server

$ ifconfig -a
lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
        ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

net0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
        inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20<link>
        ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
        RX packets 544261  bytes 36150630 (34.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9509  bytes 923017 (901.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

> Then, find the processes that are running with open sockets..
> Check which ones are running, and verify why..
> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}

$ sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46

$ nslookup ip5b418c91.dynamic.kabel-deutschland.de
Address: 91.65.140.145

$ lsof -nP [email protected]
$ echo $?
1

Well, I can't seem to catch one - maybe I am too slow because the
connections are too short-lived?!

$ lsof -nP -i4tcp
COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound    2924 unbound   6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound    2924 unbound  10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound    2924 unbound  12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
tdeio_ima  3906  stekru   8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
dictd      4888   dictd  37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)

> If that is a desktop machine, you should have a dns server somewhere
> in the network.. It could be that you have no arp cache, and it is
> requesting every time..

AIUI I have an ARP cache with one entry for the standard gateway of my ISP.
See my original post. Is this normal or should there be more entries?

> Having dynamic dns services also doesn't help
> much to your security, since they are one of the major risks for breaking
> into computers.. And you seem to have configured some dynamic dns
> services..

Are you saying running a local DNS resolver daemon like unbound is a
security risk? And that the seemingly increased ARP traffic could be a
symptom of this machine being hacked?

Kind regards,
Stefan

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
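
As an added example (not part of the thread), a small Python parser that turns tcpdump ARP lines like the one in the capture above into per-sender counts, so one can see which address is actually issuing the who-has requests (ARP is sent by the kernel, so lsof will never show a process for it) and whether any sender is walking through many addresses. The sample lines after the post's own are constructed, and the names `own_ip` and `sweep_threshold` are this example's own.

```python
import re
from collections import defaultdict

# tcpdump's text form of an ARP request, as in the capture above:
#   09:25:00.272473 ARP, Request who-has <target> tell <sender>, length 46
# The optional "(hwaddr)" after the target appears when the request is a
# unicast probe to a known hardware address rather than a broadcast.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\S+?)(?: \(\S+\))? "
    r"tell (?P<sender>\S+), length \d+$"
)

def parse_arp_requests(lines):
    """Yield (timestamp, sender, target) per request line; replies are skipped."""
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if m:
            yield m.group("ts"), m.group("sender"), m.group("target")

def summarize(lines, own_ip=None, sweep_threshold=8):
    """Per-sender counts; 'sweep' marks a sender asking for many distinct
    addresses, 'local' marks requests issued by this host itself."""
    per_sender = defaultdict(lambda: {"requests": 0, "targets": set()})
    for _, sender, target in parse_arp_requests(lines):
        per_sender[sender]["requests"] += 1
        per_sender[sender]["targets"].add(target)
    return {
        sender: {
            "requests": s["requests"],
            "distinct_targets": len(s["targets"]),
            "sweep": len(s["targets"]) >= sweep_threshold,
            "local": sender == own_ip,
        }
        for sender, s in per_sender.items()
    }

# Constructed sample capture: the first line is the one from the post; the
# rest are made up, including one neighbour probing nine consecutive addresses.
SAMPLE_CAPTURE = [
    "09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46",
    "09:25:00.301115 ARP, Reply ip5b418c91.dynamic.kabel-deutschland.de is-at 00:11:22:33:44:55, length 46",
    "09:25:01.004210 ARP, Request who-has 91.65.138.1 tell 91.65.138.120, length 28",
    "09:25:01.004412 ARP, Reply 91.65.138.1 is-at 00:11:22:33:44:66, length 46",
    "09:25:31.004210 ARP, Request who-has 91.65.138.1 tell 91.65.138.120, length 28",
] + [
    f"09:26:0{i}.000000 ARP, Request who-has 91.65.139.{i} tell 91.65.139.200, length 46"
    for i in range(1, 10)
]
```

Feed it the output of `tcpdump -n arp` (with `-n` the senders appear as addresses rather than reverse-DNS names) and pass the host's own address as `own_ip` to separate local requests from neighbours' chatter on the cable segment.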
