Why so many DNS packets?

Foxconn / Have not checked
January 8, 2009 at 15:11:25
Specs: Debian w/ Linux 2.6.18, Celeron 2.3 GHz / 640MB RAM
Hi. I am detecting many DNS packets leaving my system. I am not sure if it is semantically the same message being sent over and over again, but each message has different bytes and the same length (43 bytes on the UDP payload). The traffic is about 2.3 KB/s, but started out at first as under 1 KB/s.

They are being sent to my ISP's nameserver, largely from my computer, but also a bit from theirs, and 100% always using UDP, not TCP.

About 20 packets per second are being sent. These long streams of packets usually start out with one 300-byte packet coming from the nameserver.

I just got my internet connected recently. Due to various reasons, I often have my internet service stopped every three or four months. But this is the first time that I have detected so many DNS packets.

A thing I should mention is that, to try and remedy this problem, I ran my own DNS server that referred my IP address to my hostname, and added my host to the list of nameservers my DHCP client uses, under the hypothesis that my DHCP client wanted to know what my hostname was but my ISP's nameservers wouldn't tell it; indeed, my computer isn't associated with any hostnames, and we usually get one like X3243243.wa.isp.com. Interestingly, this actually worked. The only thing is, after 2 days of having it like this, the situation has come back again, and even more DNS packets are being sent; these packets are the same as what were being sent before.

Any help would be appreciated. Thanks.


January 8, 2009 at 15:49:10
In your TCP/IP properties, is the DNS server listed that of your ISP, or is it just the gateway that is listed for DNS?

Might want to review this

"UDP is a simple connectionless protocol that provides no real features but is very fast. It is ideally suited for small, quick exchanges of information, and can be faster than TCP because there is no need to establish a connection. This makes it a good choice for most of the conventional queries used in DNS, because they are normally very short, and fast data exchange is important. For this reason, the DNS standards recommend use of UDP for queries and replies."

January 8, 2009 at 22:14:40
I'm pretty sure the "nameserver" is actually the nameserver, not the gateway. It's hostname starts with "ns" and sends pretty "relevant looking" responses from 53.

But anyway, for some reason, it looks like DNS traffic is lower than it was, using the same program I was using before, so that this is a consistent result. Note that it is lower now that I installed a firewall.

But is the result that I have less DNS packets valid? To check this, I ran two instances of the program concurrently - and they should different results (though very similar)! So the program is not catching all the packets, probably. I would probably have to rewrite the thing to fix this, as obviously some packets are going to be missed if you're still processing the last packet. Maybe I can make it go through my firewall directly, or queue the packets and then process them (duh). Well, thanks for the replies.


January 8, 2009 at 22:26:54
Another note; I tried downloading a large file, and my program told me it was exactly the same size as it said when I typed "ls -l", at least on the order of kilobytes. So it probably is getting most of the packets, or missing a very insignificant amount. The main worry is not how much DNS I'm sending/receiving, but what is in those packets. Is it a worm? Is it confidential information? What good is my firewall if it doesn't even block ARP packets? (Not that I'd want to block ARP packets, but, I mean, I never even told it to accept them.)

I probably should tell tech support at my ISP just in case. But in the years I've been using these guys' service, I never got an IP address with such first numbers (i.e. in /8, which is what I usually memorize). So, maybe it's just that the network is new, and they're still setting up. Maybe.

By the way, I meant in my last post: "...its hostname..." (not "it's") and "...they showed different results..." (not "they should"). I try not to make mistakes like that.

Thanks again.

January 8, 2009 at 22:30:27
To be more specific (sorry), I'm running a packet sniffer I made to measure traffic on my computer. That's what I meant by "the program I'm running". The program itself has nothing to do with the sending and receiving of DNS packets; please don't mistake what I said for that. I'll try to be more specific.

Anyway, I should make the program fork and use one process to write the results and traffic, and another to receive it.


January 9, 2009 at 04:26:24
Well, you're never going to believe this!

So why was my packet sniffer picking up so many DNS packets???

Because every time it picked up a packet, it looked up the hostname for the destination and source IP addresses! So every time it got a DNS packet, it queried the DNS server again.

So if this is happening to you, that might be it. Amazing that this has consumed so much of my time, and this is what happens. It explains everything. They stopped coming when I installed my nameserver because now all the queries are on the localhost.

Or is that it? Doesn't the computer cache the hostnames? (It would be more efficient.)
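The feedback loop described in this post, modelled as an added example (not the poster's sniffer): a capture loop that reverse-resolves every packet's addresses also captures the UDP/53 traffic those lookups generate, so each packet spawns more packets. The packets and the stand-in resolver are constructed; the fix shown is a per-process cache that also remembers failed lookups (the poster's own address has no hostname, so an uncached failure is retried on every packet). Nothing here touches the network.

```python
from collections import deque

# Constructed sample: (src_ip, src_port, dst_ip, dst_port).
RESOLVER = "198.51.100.53"   # pretend ISP nameserver
MY_IP = "192.0.2.10"         # pretend local address, has no PTR record
INITIAL_CAPTURE = [
    (MY_IP, 51000, "203.0.113.7", 80),   # one web request
    ("203.0.113.7", 80, MY_IP, 51000),   # and its reply
]

def fake_reverse_lookup(ip):
    """Stand-in for gethostbyaddr(): returns the name (None when the address
    has no PTR record) plus the two UDP/53 packets the lookup puts on the wire,
    which a sniffer on the same host will capture."""
    wire = [(MY_IP, 40000, RESOLVER, 53), (RESOLVER, 53, MY_IP, 40000)]
    name = None if ip == MY_IP else "host-%s.example.net" % ip.replace(".", "-")
    return name, wire

def run_sniffer(capture, cache=None, limit=200):
    """Process a capture, resolving src and dst of every packet.
    cache=None reproduces the bug; cache={} keeps a positive+negative cache."""
    queue = deque(capture)
    processed = dns_packets = lookups = 0
    while queue and processed < limit:
        src, sport, dst, dport = queue.popleft()
        processed += 1
        if 53 in (sport, dport):
            dns_packets += 1
        for ip in (src, dst):
            if cache is not None and ip in cache:
                continue            # answered locally, nothing hits the wire
            name, wire = fake_reverse_lookup(ip)
            lookups += 1
            if cache is not None:
                cache[ip] = name    # remember failures (None) too
            queue.extend(wire)      # the lookup's own DNS traffic is captured
    return {"processed": processed, "dns": dns_packets, "lookups": lookups}

if __name__ == "__main__":
    print("no cache:  ", run_sniffer(INITIAL_CAPTURE))
    print("with cache:", run_sniffer(INITIAL_CAPTURE, cache={}))
```

Without the cache the queue never drains and the count stops only at the limit, with nearly every captured packet being DNS; with the cache the run ends after three lookups and eight packets.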
