[Netalyzr] Chinese DNS servers in my results?

Shaun Moran shaun at moransdomain.com
Wed Jul 11 17:47:07 PDT 2012


Hi - I noticed something strange and concerning about my results from
Netalyzr: two extra DNS servers which are based in China (203.15.156.237
and 203.15.156.238).

My Netalyzr results are at:
http://n3.netalyzr.icsi.berkeley.edu/restore/id=ae81b058-5090-364c463d-cf08-4363-9e95/rd

The Windows 7 PC is configured to get DNS servers from the DHCP server - the
DHCP scope only has the three local DNS servers (192.168.200.x).
ipconfig /all only shows the three servers at 192.168.200.x, and checking the
adapter settings confirms they are set for DHCP. No additional DNS server
entries are in the local hosts file, and doing a full virus/rootkit scan
found no malware.

When I do a Wireshark capture of DNS packets, the only DNS requests I see
to these two DNS servers are DNS A queries for
server.u413.n3.netalyzr.icsi.berkeley.edu. The Netalyzr client traffic
shows it finding these extra DNS servers. Just browsing normal websites
(e.g. ford.com, apple.com, etc.) shows no DNS requests to these Chinese
servers. It only happens (briefly) when running Netalyzr...

I'm at a loss as to where these are coming from. It sounds like a PC
infection, but I can't find any evidence of this. Running Netalyzr on other
machines at this location does not show the extra two Chinese DNS servers -
just this one machine.

Any ideas/suggestions? I have a Wireshark capture of all DNS traffic if
needed.

Thanks - Shaun



177.353    main| dnsDirectIcsi=True
177.353    main| dnsDirectIpv6=True
177.353    main| dnsDirectNxdomain=
177.353    main| dnsDirectRecursiveOnly=False
177.353    main| dnsDirectText=True
177.353    main| dnsLargePackets=True
177.353    main| dnsMediumPackets=True
177.353    main| dnsPracticalMTU=4000
177.353    main| dnsRawTCPStatus=reply
177.353    main| dnsResolver1IP=203.15.156.237
177.353    main| dnsResolver1Live=False
177.353    main| dnsResolver2IP=203.15.156.238
177.353    main| dnsResolver2Live=False
177.353    main| dnsResolver3Authors=
177.353    main| dnsResolver3Copyright=
177.353    main| dnsResolver3DNSSECValidation=False
177.353    main| dnsResolver3Edns=True
177.353    main| dnsResolver3Facebook=69.171.234.21
177.353    main| dnsResolver3Hostname=
177.353    main| dnsResolver3IP=192.168.200.11
177.353    main| dnsResolver3Icsi=True
177.353    main| dnsResolver3Ipv6=True
177.353    main| dnsResolver3Live=True
177.353    main| dnsResolver3Nxdomain=
177.353    main| dnsResolver3RootFacebook=
177.353    main| dnsResolver3Text=True
177.353    main| dnsResolver3TextLarge=False
177.353    main| dnsResolver3TextLargeEDNS=True
177.353    main| dnsResolver3TextMedium=False
177.353    main| dnsResolver3Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353    main| dnsResolver4Authors=
177.353    main| dnsResolver4Copyright=
177.353    main| dnsResolver4DNSSECValidation=False
177.353    main| dnsResolver4Edns=True
177.353    main| dnsResolver4Facebook=69.171.234.21
177.353    main| dnsResolver4Hostname=
177.353    main| dnsResolver4IP=192.168.200.12
177.353    main| dnsResolver4Icsi=True
177.353    main| dnsResolver4Ipv6=True
177.353    main| dnsResolver4Live=True
177.353    main| dnsResolver4Nxdomain=
177.353    main| dnsResolver4RootFacebook=
177.353    main| dnsResolver4Text=True
177.353    main| dnsResolver4TextLarge=False
177.353    main| dnsResolver4TextLargeEDNS=True
177.353    main| dnsResolver4TextMedium=False
177.353    main| dnsResolver4Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353    main| dnsResolver5Authors=
177.353    main| dnsResolver5Copyright=
177.353    main| dnsResolver5DNSSECValidation=False
177.353    main| dnsResolver5Edns=True
177.353    main| dnsResolver5Facebook=69.171.234.21
177.353    main| dnsResolver5Hostname=
177.353    main| dnsResolver5IP=192.168.200.20
177.353    main| dnsResolver5Icsi=True
177.353    main| dnsResolver5Ipv6=True
177.353    main| dnsResolver5Live=True
177.353    main| dnsResolver5Nxdomain=
177.353    main| dnsResolver5RootFacebook=
177.353    main| dnsResolver5Text=True
177.353    main| dnsResolver5TextLarge=False
177.353    main| dnsResolver5TextLargeEDNS=True
177.353    main| dnsResolver5TextMedium=False
177.353    main| dnsResolver5Version=Microsoft+DNS+6.1.7600+%281DB04228%29
177.353    main| dnsRootAFacebook=
177.353    main| dnsRootAHostname=ans18-lax2
177.353    main| dnsRootAIP=198.41.0.4
177.353    main| dnsRootALive=True
177.353    main| dnsRootANxdomain=
177.353    main| dnsRootBFacebook=
177.353    main| dnsRootBHostname=b4
177.353    main| dnsRootBIP=192.228.79.201
177.353    main| dnsRootBLive=True
177.353    main| dnsRootBNxdomain=
177.353    main| dnsRootCFacebook=
177.353    main| dnsRootCHostname=lax1b.c.root-servers.org
177.353    main| dnsRootCIP=192.33.4.12
177.353    main| dnsRootCLive=True
177.353    main| dnsRootCNxdomain=
177.353    main| dnsRootDFacebook=
177.353    main| dnsRootDHostname=css-d.net.umd.edu
177.353    main| dnsRootDIP=128.8.10.90
177.353    main| dnsRootDLive=True
177.353    main| dnsRootDNxdomain=
177.353    main| dnsRootEFacebook=
177.353    main| dnsRootEHostname=e-01.syd.pch.net
177.353    main| dnsRootEIP=192.203.230.10
177.353    main| dnsRootELive=True
177.353    main| dnsRootENxdomain=
177.353    main| dnsRootFFacebook=
177.353    main| dnsRootFHostname=bne1b.f.root-servers.org
177.353    main| dnsRootFIP=192.5.5.241
177.353    main| dnsRootFLive=True
177.353    main| dnsRootFNxdomain=
177.353    main| dnsRootGFacebook=
177.353    main| dnsRootGHostname=g.root-servers-pac2-1.net
177.353    main| dnsRootGIP=192.112.36.4
177.353    main| dnsRootGLive=True
177.353    main| dnsRootGNxdomain=
177.353    main| dnsRootHFacebook=
177.353    main| dnsRootHHostname=H3
177.353    main| dnsRootHIP=128.63.2.53
177.353    main| dnsRootHLive=True
177.353    main| dnsRootHNxdomain=
177.353    main| dnsRootIFacebook=
177.353    main| dnsRootIHostname=s1.prt
177.353    main| dnsRootIIP=192.36.148.17
177.353    main| dnsRootILive=True
177.353    main| dnsRootINxdomain=
177.353    main| dnsRootJFacebook=
177.353    main| dnsRootJHostname=jluepe1-elsyd1
177.353    main| dnsRootJIP=192.58.128.30
177.353    main| dnsRootJLive=True
177.353    main| dnsRootJNxdomain=
177.353    main| dnsRootKFacebook=
177.353    main| dnsRootKHostname=k2.tokyo.k.ripe.net
177.353    main| dnsRootKIP=193.0.14.129
177.353    main| dnsRootKLive=True
177.353    main| dnsRootKNxdomain=
177.353    main| dnsRootLFacebook=
177.353    main| dnsRootLHostname=bne01.l.root-servers.org
177.353    main| dnsRootLIP=199.7.83.42
177.353    main| dnsRootLLive=True
177.353    main| dnsRootLNxdomain=
177.353    main| dnsRootMFacebook=
177.353    main| dnsRootMHostname=M-NRT-JPIX-1
177.353    main| dnsRootMIP=202.12.27.33
177.353    main| dnsRootMLive=True
177.353    main| dnsRootMNxdomain=
177.353    main| dnsServerV6Support=True
177.353    main| dnsSmallPackets=True
177.353    main| dnsTCPStatus=tcp
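One way to automate the cross-check Shaun did by hand: compare the resolvers Netalyzr reports (the dnsResolverNIP / dnsResolverNLive keys in the debug output above) against the DHCP-assigned list, and run the same allowlist over a tshark field export of the Wireshark capture to see which query names went to the unexpected addresses. This is an added example, not part of the original post or of Netalyzr itself. The key names and the three 192.168.200.x resolvers come from the output above; the sample tshark lines, the CONFIGURED list and the tshark invocation in the comment are constructed assumptions.

```python
"""Flag DNS resolvers that Netalyzr saw but the host was not configured to use,
and list which query names a packet capture sent to those addresses.
Added example; key names follow the Netalyzr debug output quoted above."""
import re
from typing import Dict, List, NamedTuple

# Resolvers the DHCP scope actually hands out (from the post; assumed complete).
CONFIGURED = ["192.168.200.11", "192.168.200.12", "192.168.200.20"]

# Excerpt of the Netalyzr debug output above (only the keys this script needs).
NETALYZR_SAMPLE = """\
177.353    main| dnsResolver1IP=203.15.156.237
177.353    main| dnsResolver1Live=False
177.353    main| dnsResolver2IP=203.15.156.238
177.353    main| dnsResolver2Live=False
177.353    main| dnsResolver3IP=192.168.200.11
177.353    main| dnsResolver3Ipv6=True
177.353    main| dnsResolver3Live=True
177.353    main| dnsResolver4IP=192.168.200.12
177.353    main| dnsResolver4Live=True
177.353    main| dnsResolver5IP=192.168.200.20
177.353    main| dnsResolver5Live=True
"""

# Constructed stand-in for a tshark export of the capture, one query per line:
#   tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e ip.dst -e dns.qry.name
TSHARK_SAMPLE = """\
192.168.200.11\tford.com
203.15.156.237\tserver.u413.n3.netalyzr.icsi.berkeley.edu
192.168.200.12\tapple.com
203.15.156.238\tserver.u413.n3.netalyzr.icsi.berkeley.edu
192.168.200.20\tapple.com
"""

# Matches exactly dnsResolver<N>IP= and dnsResolver<N>Live= (case-sensitive,
# so dnsResolver3Ipv6 and dnsResolver3Icsi are deliberately not matched).
RESOLVER_RE = re.compile(r"dnsResolver(\d+)(IP|Live)=(\S*)")


class Resolver(NamedTuple):
    index: int
    ip: str
    live: bool


def parse_netalyzr_resolvers(text: str) -> List[Resolver]:
    """Collect every dnsResolverN entry that has an IP, with its Live flag."""
    found: Dict[int, Dict[str, str]] = {}
    for m in RESOLVER_RE.finditer(text):
        idx, key, val = int(m.group(1)), m.group(2), m.group(3)
        found.setdefault(idx, {})[key] = val
    return [Resolver(i, f["IP"], f.get("Live") == "True")
            for i, f in sorted(found.items()) if "IP" in f]


def unexpected_resolvers(text: str, configured: List[str]) -> List[Resolver]:
    """Resolvers Netalyzr reported that are not in the configured allowlist."""
    allowed = set(configured)
    return [r for r in parse_netalyzr_resolvers(text) if r.ip not in allowed]


def queries_to_unexpected(tshark_lines: str, configured: List[str]) -> Dict[str, List[str]]:
    """Map each non-allowlisted destination to the query names sent to it."""
    allowed = set(configured)
    hits: Dict[str, List[str]] = {}
    for line in tshark_lines.splitlines():
        if not line.strip():
            continue
        dst, qname = line.split("\t", 1)
        if dst not in allowed:
            hits.setdefault(dst, []).append(qname)
    return hits


if __name__ == "__main__":
    for r in unexpected_resolvers(NETALYZR_SAMPLE, CONFIGURED):
        print(f"resolver{r.index} {r.ip} not configured (live={r.live})")
    for dst, names in queries_to_unexpected(TSHARK_SAMPLE, CONFIGURED).items():
        print(f"{dst}: {len(names)} quer{'y' if len(names) == 1 else 'ies'} -> {sorted(set(names))}")
```

Running this against the real debug output and a tshark export of the capture gives, in one place, the two facts worth reporting back to the list: the unexpected addresses together with their Live flag, and the exact query names that reached them.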