Weird DNS queries on localhost
-
We are switching from using dnsmasq on pfSense back to separate BIND DNS servers.
I configured pfSense to use external DNS servers and I also set the following option in General Setup (and rebooted afterwards):
"Do not use the DNS Forwarder or Resolver as a DNS server for the firewall"
- By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
Still, I see sporadic DNS queries from localhost in the dnsmasq log, but I don't have a clue which pfSense component is making them and why.
I'd like to know who is making these queries before I disable dnsmasq.
Any clues?
It's all reverse lookups like these:
Jun 27 19:07:34 fwkn01 dnsmasq[43263]: query[PTR] 66.159.193.116.in-addr.arpa from 127.0.0.1
Jun 27 19:12:23 fwkn01 dnsmasq[43263]: query[PTR] 243.202.6.71.in-addr.arpa from 127.0.0.1
Jun 27 22:36:31 fwkn01 dnsmasq[43263]: query[PTR] 106.9.55.45.in-addr.arpa from 127.0.0.1
Jun 27 23:32:52 fwkn01 dnsmasq[43263]: query[PTR] 2.111.33.200.in-addr.arpa from 127.0.0.1
Jun 28 00:18:20 fwkn01 dnsmasq[43263]: query[PTR] 131.110.199.198.in-addr.arpa from 127.0.0.1
Jun 28 00:21:29 fwkn01 dnsmasq[43263]: query[PTR] 8.117.19.139.in-addr.arpa from 127.0.0.1
Jun 28 01:46:30 fwkn01 dnsmasq[43263]: query[PTR] 48.178.139.211.in-addr.arpa from 127.0.0.1
Jun 28 01:46:30 fwkn01 dnsmasq[43263]: query[PTR] 40.165.196.120.in-addr.arpa from 127.0.0.1
Jun 28 01:46:31 fwkn01 dnsmasq[43263]: query[PTR] 12.192.136.211.in-addr.arpa from 127.0.0.1
Jun 28 03:23:41 fwkn01 dnsmasq[43263]: query[PTR] 42.47.82.74.in-addr.arpa from 127.0.0.1
Jun 28 06:32:48 fwkn01 dnsmasq[43263]: query[PTR] 109.96.126.209.in-addr.arpa from 127.0.0.1
Jun 28 07:17:52 fwkn01 dnsmasq[43263]: query[PTR] 30.246.143.83.in-addr.arpa from 127.0.0.1
Jun 28 09:17:10 fwkn01 dnsmasq[43263]: query[PTR] 237.113.149.80.in-addr.arpa from 127.0.0.1
Jun 28 09:17:10 fwkn01 dnsmasq[43263]: query[PTR] 199.26.16.172.in-addr.arpa from 127.0.0.1
Jun 28 09:17:10 fwkn01 dnsmasq[43263]: query[PTR] 237.113.149.80.in-addr.arpa from 127.0.0.1
Jun 28 09:40:54 fwkn01 dnsmasq[43263]: query[PTR] 25.8.6.185.in-addr.arpa from 127.0.0.1
Jun 28 09:40:55 fwkn01 dnsmasq[43263]: query[PTR] 4.0.248.151.in-addr.arpa from 127.0.0.1
Jun 28 09:42:01 fwkn01 dnsmasq[43263]: query[PTR] 234.81.161.192.in-addr.arpa from 127.0.0.1
List of successfully resolved reverse queries since Jun 23:
[admin@fwkn01]/var/log: clog resolver.log | egrep "127.0.0.1|reply" | grep -v NXDOMAIN | grep -v ixsys | grep reply | cut -d " " -f 9 | sort | uniq -c|sort -rn
-
Apparently, I see an entry being added when doing a port scan on the public interface from an external address.
So something on the firewall detects that somebody is trying to connect from remote and does a reverse lookup.
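One way to test the hypothesis in the post above, as an added example that is not part of the thread: decode each PTR name from the dnsmasq log back to its address (IPv4 and, going beyond the log shown, ip6.arpa) and check whether the same address made an inbound connection attempt shortly before the lookup. The `WAN_EVENTS` list, the five-second window and the year 2000 (syslog timestamps omit the year) are assumptions made up for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Four lines copied from the dnsmasq log quoted in the thread.
DNSMASQ_LOG = """\
Jun 28 09:17:10 fwkn01 dnsmasq[43263]: query[PTR] 237.113.149.80.in-addr.arpa from 127.0.0.1
Jun 28 09:17:10 fwkn01 dnsmasq[43263]: query[PTR] 199.26.16.172.in-addr.arpa from 127.0.0.1
Jun 28 09:40:54 fwkn01 dnsmasq[43263]: query[PTR] 25.8.6.185.in-addr.arpa from 127.0.0.1
Jun 28 09:42:01 fwkn01 dnsmasq[43263]: query[PTR] 234.81.161.192.in-addr.arpa from 127.0.0.1
"""

# Constructed for this example (not from the thread): inbound connection
# attempts as (syslog timestamp, source IP), e.g. taken from a firewall log.
WAN_EVENTS = [
    ("Jun 28 09:17:09", "80.149.113.237"),
    ("Jun 28 09:40:53", "185.6.8.25"),
]

QUERY_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dnsmasq\[\d+\]: "
                      r"query\[PTR\] (\S+) from (\S+)$")


def parse_ts(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ptr_to_ip(name):
    """Turn a full in-addr.arpa / ip6.arpa name into an address, else None."""
    name = name.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) == 4:  # shorter names are zone queries, not hosts
                return ipaddress.IPv4Address(".".join(reversed(octets)))
        elif name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) == 32 and all(
                    len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
                return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        pass
    return None


def correlate(log_text, events, year=2000, window=timedelta(seconds=5)):
    """Return (ip, is_private, preceded_by_event) per PTR query from 127.0.0.1."""
    seen = [(parse_ts(ts, year), ipaddress.ip_address(ip)) for ts, ip in events]
    report = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        ip = ptr_to_ip(m.group(2)) if m and m.group(3) == "127.0.0.1" else None
        if ip is None:
            continue
        when = parse_ts(m.group(1), year)
        hit = any(e_ip == ip and timedelta(0) <= when - e_ts <= window
                  for e_ts, e_ip in seen)
        report.append((str(ip), ip.is_private, hit))
    return report


if __name__ == "__main__":
    for row in correlate(DNSMASQ_LOG, WAN_EVENTS):
        print(row)
```

With this constructed event list, two lookups follow an inbound attempt from the same address; the other two, including the private 172.16.26.199, do not and would need a different explanation.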
-
I quite often see blocked DNS lookups from *.stretchoid.com hitting my default deny on my WAN interface.
Do you allow DNS requests to your WAN interface?
-
What DNS Servers do you have defined under System > General? If you have no DNS Servers configured, even if you omit localhost for DNS it will be used because the OS assumes localhost by default if no DNS servers are defined.
Apparently, I see an entry being added when doing a port scan on the public interface from an external address.
So something on the firewall detects that somebody is trying to connect from remote and does a reverse lookup.
Nothing in the default base system would do that. Do you have any packages such as Snort or Suricata installed?
-
My firewall is exhibiting the same symptoms. No unknown DNS calls on the LAN side, plenty on the WAN side. PFSense 2.4.2-RELEASE-p1 running the following packages.
Suricata 4.0.3_1
squid 0.4.43
acme 0.2.2
I'm not a fan of my firewall making connections to servers I did not explicitly state.