Hi - noticed something strange and concerning about my results from Netalyzr - two extra DNS servers which are based in China (203.15.156.237 and 203.15.156.238)<div><br></div><div>My Netalyzr results are at: <a href="http://n3.netalyzr.icsi.berkeley.edu/restore/id=ae81b058-5090-364c463d-cf08-4363-9e95/rd">http://n3.netalyzr.icsi.berkeley.edu/restore/id=ae81b058-5090-364c463d-cf08-4363-9e95/rd</a></div>
<div><br></div><div>The Windows 7 PC is configured to get DNS servers from the DHCP server - the DHCP scope only has the three local DNS servers (192.168.200.x). ipconfig /all only shows the three servers at 192.168.200.x, and checking the adapter settings confirms they are set for DHCP. No additional DNS server entries are in the local hosts file, and doing a full virus/rootkit scan found no malware.</div>
<div><br></div><div>When I do a Wireshark capture of DNS packets, the only DNS requests I see for these two DNS servers are DNS A queries for <a href="http://server.u413.n3.netalyzr.icsi.berkeley.edu">server.u413.n3.netalyzr.icsi.berkeley.edu</a>. The Netalyzr client traffic shows it finding these extra DNS servers. Just browsing normal websites (e.g. <a href="http://ford.com">ford.com</a>, <a href="http://apple.com">apple.com</a>, etc.) shows no DNS requests to these Chinese servers. It only happens (briefly) when running Netalyzr...</div>
<div><br></div><div>I'm at a loss as to where these are coming from. It sounds like a PC infection, but I can't find any evidence of this. Running Netalyzr on other machines at this location does not show the extra two Chinese DNS servers - just this one machine.</div>
<div><br></div><div>Any ideas/suggestions? I have a Wireshark capture of all DNS traffic if needed.</div><div><br></div><div>Thanks - Shaun</div><div><br></div><div><div>177.353    main| dnsDirectIcsi=True</div>
<div>177.353    main| dnsDirectIpv6=True</div><div>177.353    main| dnsDirectNxdomain=</div><div>177.353    main| dnsDirectRecursiveOnly=False</div><div>177.353    main| dnsDirectText=True</div><div>177.353    main| dnsLargePackets=True</div>
<div>177.353    main| dnsMediumPackets=True</div><div>177.353    main| dnsPracticalMTU=4000</div><div>177.353    main| dnsRawTCPStatus=reply</div><div>177.353    main| dnsResolver1IP=203.15.156.237</div><div>177.353    main| dnsResolver1Live=False</div>
<div>177.353    main| dnsResolver2IP=203.15.156.238</div><div>177.353    main| dnsResolver2Live=False</div><div>177.353    main| dnsResolver3Authors=</div><div>177.353    main| dnsResolver3Copyright=</div><div>177.353    main| dnsResolver3DNSSECValidation=False</div>
<div>177.353    main| dnsResolver3Edns=True</div><div>177.353    main| dnsResolver3Facebook=69.171.234.21</div><div>177.353    main| dnsResolver3Hostname=</div><div>177.353    main| dnsResolver3IP=192.168.200.11</div><div>
177.353    main| dnsResolver3Icsi=True</div><div>177.353    main| dnsResolver3Ipv6=True</div><div>177.353    main| dnsResolver3Live=True</div><div>177.353    main| dnsResolver3Nxdomain=</div><div>177.353    main| dnsResolver3RootFacebook=</div>
<div>177.353    main| dnsResolver3Text=True</div><div>177.353    main| dnsResolver3TextLarge=False</div><div>177.353    main| dnsResolver3TextLargeEDNS=True</div><div>177.353    main| dnsResolver3TextMedium=False</div><div>
177.353    main| dnsResolver3Version=Microsoft+DNS+6.1.7600+%281DB04228%29</div><div>177.353    main| dnsResolver4Authors=</div><div>177.353    main| dnsResolver4Copyright=</div><div>177.353    main| dnsResolver4DNSSECValidation=False</div>
<div>177.353    main| dnsResolver4Edns=True</div><div>177.353    main| dnsResolver4Facebook=69.171.234.21</div><div>177.353    main| dnsResolver4Hostname=</div><div>177.353    main| dnsResolver4IP=192.168.200.12</div><div>
177.353    main| dnsResolver4Icsi=True</div><div>177.353    main| dnsResolver4Ipv6=True</div><div>177.353    main| dnsResolver4Live=True</div><div>177.353    main| dnsResolver4Nxdomain=</div><div>177.353    main| dnsResolver4RootFacebook=</div>
<div>177.353    main| dnsResolver4Text=True</div><div>177.353    main| dnsResolver4TextLarge=False</div><div>177.353    main| dnsResolver4TextLargeEDNS=True</div><div>177.353    main| dnsResolver4TextMedium=False</div><div>
177.353    main| dnsResolver4Version=Microsoft+DNS+6.1.7600+%281DB04228%29</div><div>177.353    main| dnsResolver5Authors=</div><div>177.353    main| dnsResolver5Copyright=</div><div>177.353    main| dnsResolver5DNSSECValidation=False</div>
<div>177.353    main| dnsResolver5Edns=True</div><div>177.353    main| dnsResolver5Facebook=69.171.234.21</div><div>177.353    main| dnsResolver5Hostname=</div><div>177.353    main| dnsResolver5IP=192.168.200.20</div><div>
177.353    main| dnsResolver5Icsi=True</div><div>177.353    main| dnsResolver5Ipv6=True</div><div>177.353    main| dnsResolver5Live=True</div><div>177.353    main| dnsResolver5Nxdomain=</div><div>177.353    main| dnsResolver5RootFacebook=</div>
<div>177.353    main| dnsResolver5Text=True</div><div>177.353    main| dnsResolver5TextLarge=False</div><div>177.353    main| dnsResolver5TextLargeEDNS=True</div><div>177.353    main| dnsResolver5TextMedium=False</div><div>
177.353    main| dnsResolver5Version=Microsoft+DNS+6.1.7600+%281DB04228%29</div><div>177.353    main| dnsRootAFacebook=</div><div>177.353    main| dnsRootAHostname=ans18-lax2</div><div>177.353    main| dnsRootAIP=198.41.0.4</div>
<div>177.353    main| dnsRootALive=True</div><div>177.353    main| dnsRootANxdomain=</div><div>177.353    main| dnsRootBFacebook=</div><div>177.353    main| dnsRootBHostname=b4</div><div>177.353    main| dnsRootBIP=192.228.79.201</div>
<div>177.353    main| dnsRootBLive=True</div><div>177.353    main| dnsRootBNxdomain=</div><div>177.353    main| dnsRootCFacebook=</div><div>177.353    main| dnsRootCHostname=<a href="http://lax1b.c.root-servers.org">lax1b.c.root-servers.org</a></div>
<div>177.353    main| dnsRootCIP=192.33.4.12</div><div>177.353    main| dnsRootCLive=True</div><div>177.353    main| dnsRootCNxdomain=</div><div>177.353    main| dnsRootDFacebook=</div><div>177.353    main| dnsRootDHostname=<a href="http://css-d.net.umd.edu">css-d.net.umd.edu</a></div>
<div>177.353    main| dnsRootDIP=128.8.10.90</div><div>177.353    main| dnsRootDLive=True</div><div>177.353    main| dnsRootDNxdomain=</div><div>177.353    main| dnsRootEFacebook=</div><div>177.353    main| dnsRootEHostname=<a href="http://e-01.syd.pch.net">e-01.syd.pch.net</a></div>
<div>177.353    main| dnsRootEIP=192.203.230.10</div><div>177.353    main| dnsRootELive=True</div><div>177.353    main| dnsRootENxdomain=</div><div>177.353    main| dnsRootFFacebook=</div><div>177.353    main| dnsRootFHostname=<a href="http://bne1b.f.root-servers.org">bne1b.f.root-servers.org</a></div>
<div>177.353    main| dnsRootFIP=192.5.5.241</div><div>177.353    main| dnsRootFLive=True</div><div>177.353    main| dnsRootFNxdomain=</div><div>177.353    main| dnsRootGFacebook=</div><div>177.353    main| dnsRootGHostname=<a href="http://g.root-servers-pac2-1.net">g.root-servers-pac2-1.net</a></div>
<div>177.353    main| dnsRootGIP=192.112.36.4</div><div>177.353    main| dnsRootGLive=True</div><div>177.353    main| dnsRootGNxdomain=</div><div>177.353    main| dnsRootHFacebook=</div><div>177.353    main| dnsRootHHostname=H3</div>
<div>177.353    main| dnsRootHIP=128.63.2.53</div><div>177.353    main| dnsRootHLive=True</div><div>177.353    main| dnsRootHNxdomain=</div><div>177.353    main| dnsRootIFacebook=</div><div>177.353    main| dnsRootIHostname=s1.prt</div>
<div>177.353    main| dnsRootIIP=192.36.148.17</div><div>177.353    main| dnsRootILive=True</div><div>177.353    main| dnsRootINxdomain=</div><div>177.353    main| dnsRootJFacebook=</div><div>177.353    main| dnsRootJHostname=jluepe1-elsyd1</div>
<div>177.353    main| dnsRootJIP=192.58.128.30</div><div>177.353    main| dnsRootJLive=True</div><div>177.353    main| dnsRootJNxdomain=</div><div>177.353    main| dnsRootKFacebook=</div><div>177.353    main| dnsRootKHostname=<a href="http://k2.tokyo.k.ripe.net">k2.tokyo.k.ripe.net</a></div>
<div>177.353    main| dnsRootKIP=193.0.14.129</div><div>177.353    main| dnsRootKLive=True</div><div>177.353    main| dnsRootKNxdomain=</div><div>177.353    main| dnsRootLFacebook=</div><div>177.353    main| dnsRootLHostname=<a href="http://bne01.l.root-servers.org">bne01.l.root-servers.org</a></div>
<div>177.353    main| dnsRootLIP=199.7.83.42</div><div>177.353    main| dnsRootLLive=True</div><div>177.353    main| dnsRootLNxdomain=</div><div>177.353    main| dnsRootMFacebook=</div><div>177.353    main| dnsRootMHostname=M-NRT-JPIX-1</div>
<div>177.353    main| dnsRootMIP=202.12.27.33</div><div>177.353    main| dnsRootMLive=True</div><div>177.353    main| dnsRootMNxdomain=</div><div>177.353    main| dnsServerV6Support=True</div><div>177.353    main| dnsSmallPackets=True</div>
<div>177.353    main| dnsTCPStatus=tcp</div></div><div><br></div>
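<div>The triage Shaun describes above, done by hand (compare the resolvers Netalyzr reports against the DHCP scope, then look at which names were queried through the unexpected ones), as an added example that is not part of the original post or of Netalyzr itself. It parses the <code>dnsResolver&lt;N&gt;IP</code> / <code>Live</code> key=value lines in Netalyzr's transcript format and tab-separated (src, dst, qname) lines of the kind <code>tshark -T fields</code> emits, and reports every resolver outside the allowlist with the set of names sent to it. The transcript excerpt, the query lines and the client address 192.168.200.57 are constructed for the example; the allowlist is the three 192.168.200.x servers from the post.</div>

```python
"""Flag DNS resolvers that the DHCP scope never handed out.

Added example, not code from the original post or from Netalyzr. Two
inputs are cross-checked: the resolvers Netalyzr reports in its
key=value transcript, and the destinations of DNS queries seen in a
capture. Every resolver outside the allowlist is reported together
with the query names that were sent to it. All input data below is
constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Allowlist: the DHCP scope hands out only these three (from the post).
DHCP_RESOLVERS = {"192.168.200.11", "192.168.200.12", "192.168.200.20"}

# Constructed excerpt in Netalyzr's transcript format.
NETALYZR_TRANSCRIPT = """\
177.353    main| dnsResolver1IP=203.15.156.237
177.353    main| dnsResolver1Live=False
177.353    main| dnsResolver2IP=203.15.156.238
177.353    main| dnsResolver2Live=False
177.353    main| dnsResolver3IP=192.168.200.11
177.353    main| dnsResolver3Live=True
177.353    main| dnsResolver4IP=192.168.200.12
177.353    main| dnsResolver4Live=True
177.353    main| dnsResolver5IP=192.168.200.20
177.353    main| dnsResolver5Live=True
"""

# Constructed lines in the shape produced by:
#   tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields \
#          -e ip.src -e ip.dst -e dns.qry.name
# The source address 192.168.200.57 is an assumed client address.
DNS_QUERY_LINES = """\
192.168.200.57\t192.168.200.11\tford.com
192.168.200.57\t192.168.200.12\tapple.com
192.168.200.57\t203.15.156.237\tserver.u413.n3.netalyzr.icsi.berkeley.edu
192.168.200.57\t203.15.156.238\tserver.u413.n3.netalyzr.icsi.berkeley.edu
192.168.200.57\t192.168.200.20\tn3.netalyzr.icsi.berkeley.edu
"""

_RESOLVER_RE = re.compile(r"dnsResolver(\d+)(IP|Live)=(\S*)")


def parse_netalyzr_resolvers(transcript):
    """Return {resolver_ip: live_bool} for every dnsResolver<N> entry."""
    by_index = defaultdict(dict)
    for line in transcript.splitlines():
        m = _RESOLVER_RE.search(line)
        if m:
            idx, key, val = m.groups()
            by_index[idx][key] = val
    return {
        fields["IP"]: fields.get("Live") == "True"
        for fields in by_index.values()
        if fields.get("IP")
    }


def parse_dns_queries(lines):
    """Parse tab-separated (src, dst, qname) lines; malformed lines are skipped."""
    queries = []
    for line in lines.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        src, dst, qname = parts
        try:
            ipaddress.ip_address(dst)  # reject non-IP destinations
        except ValueError:
            continue
        queries.append((src, dst, qname.rstrip(".")))
    return queries


def unexpected_resolvers(transcript, query_lines, allowlist=DHCP_RESOLVERS):
    """Map each resolver outside the allowlist to the names queried through it.

    A resolver is listed if Netalyzr reported it or if a query was seen
    going to it, so a resolver that appears in only one source still shows up.
    """
    seen = parse_netalyzr_resolvers(transcript)
    report = {ip: set() for ip in seen if ip not in allowlist}
    for _src, dst, qname in parse_dns_queries(query_lines):
        if dst not in allowlist:
            report.setdefault(dst, set()).add(qname)
    return report


if __name__ == "__main__":
    findings = unexpected_resolvers(NETALYZR_TRANSCRIPT, DNS_QUERY_LINES)
    for ip, names in sorted(findings.items()):
        print(f"{ip}: {len(names)} name(s) queried -> {sorted(names)}")
```

<div>Run against a real capture, the query lines come from the tshark command in the comment; if a resolver shows up with names that ordinary browsing never sends (as here, where only the Netalyzr test name reaches the two outside addresses), that narrows the question to what on the host injects those resolvers only while Netalyzr runs.</div>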