strange DNS requests

uvlkamozej.com

New Member
Joined
Mar 18, 2024
Messages
2
Reaction score
0
Credits
19
Hi,

I did a fresh install of Debian gnome shell with default settings, but I notice that the system makes daily DNS requests for two domains, Example.com and IPv4only.arpa, the most strange was a DNS application for the domain web.telegram.com, I have no Telegram client installed and I was not using your website so it does not make sense, I want to know if this is normal and common.
 


# example.com

DNS queries to example.com are most likely something someone "forgot" to remove from his application before pushing it to the debian mirrors. example.com is reserved by IANA and not a real domain. Its just for developing software or as an example domain in answering forum questions ;) You can learn more about it on wikipedia.


# IPv4only.arpa

If you have the local IP address 192.168.1.1a reverse DNS lookup might return a domain name like host.example.com. This can be useful for identifying the hostname associated with an IP address, which is often used in networking and server administration. Example:

Code:
user@host:~$ host 23.48.165.132
132.165.48.23.in-addr.arpa domain name pointer a23-48-165-132.deploy.static.akamaitechnologies.com.

So, IPv4only.arpa is the domain used for reverse DNS lookups of IPv4 addresses. If your system is making DNS queries for IPv4only.arpa, it's likely performing reverse DNS lookups for IPv4 addresses on your network. This is part of normal network operations and isnt usually a cause for concern.


# why web.telegram.com

That I can not tell you, but with the answer of mine below you might be able to find out. Its getting much more fun when you look for facebook domains, just from opening a browser or whatever tool.


# Furthermore

Personally I use dnscrypt-proxy, which not only encrypts all your DNS traffic so your ISP cant read it, but also lets you define white or blacklists for domains that should be able to be resolved. This way you can block nonsense like telegram.com and facebook and alike domains.

When you wireshark or tcpdump your laptops traffic, sadly even with debian (but much less so than with other more popular operating systems), you will notice a LOT of weird traffic like this designed to track you.

To my knowledge both tcpdump and wireguard can not tell you which process (id) is currently generating traffic, just on which network interface traffic is going in / out. You might be able to look at what network traffic a specific program generates with strace, here with the example of firefox (this command will not start firefox but look for a running firefox and "trace" it)

Code:
sudo strace -e trace=network -s 1000 -f -p $(pgrep -d ',' firefox) 2>&1 | grep 'sendto\|recvfrom'

However the output is a bit annoying.

You can show which processes are CURRENTLY using port 53:

Code:
sudo netstat -tulnp | grep :53
sudo lsof -i :53
sudo ss -tulwn | grep :53

And you might be able to correlate that to a tcpdump / wireshark that you run in a second window.

Its always interesting to snoop around in your own dns traffic ;) If you really want to have fun try https://www.qubes-os.org/, which lets you isolate each application (or each group of applications) into XEN VMs, where you can then have one (or more) firewall VMs with which you can identify the traffic further.

Long story short:

so it does not make sense

try to use the answers above to find out what was doing that. Furthermore use dnscrypt-proxy to a) log all dns queries and b) block everything you dont like, or create a whitelist (not utterly usable). You can also download blocklists from github for social trackers like telegram / facebook / what not.

I want to know if this is normal and common.

Yes its normal. Sadly.
 
# example.com

DNS queries to example.com are most likely something someone "forgot" to remove from his application before pushing it to the debian mirrors. example.com is reserved by IANA and not a real domain. Its just for developing software or as an example domain in answering forum questions ;) You can learn more about it on wikipedia.


# IPv4only.arpa

If you have the local IP address 192.168.1.1a reverse DNS lookup might return a domain name like host.example.com. This can be useful for identifying the hostname associated with an IP address, which is often used in networking and server administration. Example:

Code:
user@host:~$ host 23.48.165.132
132.165.48.23.in-addr.arpa domain name pointer a23-48-165-132.deploy.static.akamaitechnologies.com.

So, IPv4only.arpa is the domain used for reverse DNS lookups of IPv4 addresses. If your system is making DNS queries for IPv4only.arpa, it's likely performing reverse DNS lookups for IPv4 addresses on your network. This is part of normal network operations and isnt usually a cause for concern.


# why web.telegram.com

That I can not tell you, but with the answer of mine below you might be able to find out. Its getting much more fun when you look for facebook domains, just from opening a browser or whatever tool.


# Furthermore

Personally I use dnscrypt-proxy, which not only encrypts all your DNS traffic so your ISP cant read it, but also lets you define white or blacklists for domains that should be able to be resolved. This way you can block nonsense like telegram.com and facebook and alike domains.

When you wireshark or tcpdump your laptops traffic, sadly even with debian (but much less so than with other more popular operating systems), you will notice a LOT of weird traffic like this designed to track you.

To my knowledge both tcpdump and wireguard can not tell you which process (id) is currently generating traffic, just on which network interface traffic is going in / out. You might be able to look at what network traffic a specific program generates with strace, here with the example of firefox (this command will not start firefox but look for a running firefox and "trace" it)

Code:
sudo strace -e trace=network -s 1000 -f -p $(pgrep -d ',' firefox) 2>&1 | grep 'sendto\|recvfrom'

However the output is a bit annoying.

You can show which processes are CURRENTLY using port 53:

Code:
sudo netstat -tulnp | grep :53
sudo lsof -i :53
sudo ss -tulwn | grep :53

And you might be able to correlate that to a tcpdump / wireshark that you run in a second window.

Its always interesting to snoop around in your own dns traffic ;) If you really want to have fun try https://www.qubes-os.org/, which lets you isolate each application (or each group of applications) into XEN VMs, where you can then have one (or more) firewall VMs with which you can identify the traffic further.

Long story short:



try to use the answers above to find out what was doing that. Furthermore use dnscrypt-proxy to a) log all dns queries and b) block everything you dont like, or create a whitelist (not utterly usable). You can also download blocklists from github for social trackers like telegram / facebook / what not.



Yes its normal. Sadly.
hi,

I observe that xfce shell is the one with less telemetry and so many unnecessary elements, is that true and any recommendation?

thanks for answering
 
Thats quite possible. Personally I use i3wm, which I can HIGHLY recommend ;)

Its a tiling window manager and its extremely light weight. You do everything by keyboard instead of arranging your windows by mouse and you start programs from a terminal by typing "firefox" instead of clicking around. Upside: you get all the debug output in said terminal.
From what you write you might enjoy it a lot. It will take you about 1-2 hours to get used to a tiling wm, and about 30 minutes before that to setup a good config.
I have been using i3wm for 6 or more years now. I would never go back to a normal window manager. I even use sxmo on a pinephone (a tiling window manager for a phone) x)
 
xfce shell

ah - do you mean xfce4 as a window manager or xfce4-terminal as a graphical terminal emulator?

I actually have never tested which tool spams the least in that regard, but if you are annoyed by this the best way really is to "containerize" or "jail" your applications. This means that they can request things, but they wont succeed x) You just limit which IPs / Domains / Ports / Protocols they can use to contact the internet. It is much harder to find software that full respects your privacy the way you want it to, but it is rather easy to jail applications that do not do that so you can use them anyways.

Best approach for this would be Qubes-OS, or a BSD with using applications in Jails - but to my knowledge Qubes is the most usable approach if you are not really really hard into linux and all that. Plus it comes with a free whoonix installation so if you value privacy, you should really check it out.
 
# example.com

DNS queries to example.com are most likely something someone "forgot" to remove from his application before pushing it to the debian mirrors. example.com is reserved by IANA and not a real domain. Its just for developing software or as an example domain in answering forum questions ;) You can learn more about it on wikipedia.


# IPv4only.arpa

If you have the local IP address 192.168.1.1a reverse DNS lookup might return a domain name like host.example.com. This can be useful for identifying the hostname associated with an IP address, which is often used in networking and server administration. Example:

Code:
user@host:~$ host 23.48.165.132
132.165.48.23.in-addr.arpa domain name pointer a23-48-165-132.deploy.static.akamaitechnologies.com.

So, IPv4only.arpa is the domain used for reverse DNS lookups of IPv4 addresses. If your system is making DNS queries for IPv4only.arpa, it's likely performing reverse DNS lookups for IPv4 addresses on your network. This is part of normal network operations and isnt usually a cause for concern.


# why web.telegram.com

That I can not tell you, but with the answer of mine below you might be able to find out. Its getting much more fun when you look for facebook domains, just from opening a browser or whatever tool.


# Furthermore

Personally I use dnscrypt-proxy, which not only encrypts all your DNS traffic so your ISP cant read it, but also lets you define white or blacklists for domains that should be able to be resolved. This way you can block nonsense like telegram.com and facebook and alike domains.

When you wireshark or tcpdump your laptops traffic, sadly even with debian (but much less so than with other more popular operating systems), you will notice a LOT of weird traffic like this designed to track you.

To my knowledge both tcpdump and wireguard can not tell you which process (id) is currently generating traffic, just on which network interface traffic is going in / out. You might be able to look at what network traffic a specific program generates with strace, here with the example of firefox (this command will not start firefox but look for a running firefox and "trace" it)

Code:
sudo strace -e trace=network -s 1000 -f -p $(pgrep -d ',' firefox) 2>&1 | grep 'sendto\|recvfrom'

However the output is a bit annoying.

You can show which processes are CURRENTLY using port 53:

Code:
sudo netstat -tulnp | grep :53
sudo lsof -i :53
sudo ss -tulwn | grep :53

And you might be able to correlate that to a tcpdump / wireshark that you run in a second window.

Its always interesting to snoop around in your own dns traffic ;) If you really want to have fun try https://www.qubes-os.org/, which lets you isolate each application (or each group of applications) into XEN VMs, where you can then have one (or more) firewall VMs with which you can identify the traffic further.

Long story short:



try to use the answers above to find out what was doing that. Furthermore use dnscrypt-proxy to a) log all dns queries and b) block everything you dont like, or create a whitelist (not utterly usable). You can also download blocklists from github for social trackers like telegram / facebook / what not.



Yes its normal. Sadly.
GREAT REPLY !! Very informative !! We all learn something new everyday.
 

Staff online

Members online


Top