
Summary:

I see dozens of requests to non-existing domains and I suspect it slows down my network. Can't find the source.

Full description:

I use pihole as a DNS server, and both Wireshark and Little Snitch to analyze the outgoing requests.

My motivation to do that is that my computer's connection is very slow in comparison to other devices on the same network.

On pihole logs I identified numerous (several per minute) requests to non-existing domains such as cwtwzxm.home, oqcuhponmpihyp.home, uceqeycvfo.home etc. The pattern is quite clear...

I suspect these requests to be one of the reasons why my network is so slow, so I try to understand which application is sending these DNS requests and why.

Someone suggested these would come from Chromium browser that polls for captive portals, but I overruled this assumption after killing all embedded Chromium processes (present in Adobe CC and Dropbox).

Little Snitch couldn't find any request, which is strange since it means these requests are not coming from any running application (I know - it's not logical).

Wireshark, on the other hand, did find the DNS requests but I don't know how to decrypt it.

  1. How to interpret Wireshark's output?
  2. How can I find the application/software/program which initiates these requests?

Sample pihole.log:

Oct 12 15:06:01 dnsmasq[11469]: forwarded dbetguay.home to 127.0.0.1
Oct 12 15:06:01 dnsmasq[11469]: reply rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:01 dnsmasq[11469]: reply dbetguay.home is NXDOMAIN
--
Oct 12 15:06:03 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: reply uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:08 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:08 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:09 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:09 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
zstolar

1 Answer


The NXDOMAIN response means that the addressed domain was not found in the DNS system. This is not surprising, seeing that these domain names are random nonsense.

The requests seem to originate from the device with the IP address 192.168.1.10. It is up to you to locate this device by its IP address. The router should be able to report which attached device has this address.

Persistent NXDOMAIN responses from your local DNS service that all originate from a single client could be an indicator of infection. PTR queries can reverse engineer networks and mine for interesting hostnames.

My guess would be that the above device is infected by a particularly clumsy virus, trying to phone home to its controlling website, or trying to gather information about your local network.

For dealing with a possible infection, see the post
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

harrymc
  • Classic symptom of a botnet trying to reach its command and control servers. Disconnect that computer from the LAN. Copy your important data to a USB stick or external hard drive and re-install from scratch. (Not from Time Machine. That's probably infected too; delete the Time Machine backup.) And scan that backup USB stick/disk with another computer before you put the data back on the re-installed computer. – Tonny Oct 12 '20 at 15:44
  • Thanks guys. As I wrote - the pc with the mentioned IP is my pc, so it is well identified, and I know that NXDOMAIN is what pihole returns for Non-Existent-Domains. What I am really after is locating not the pc (MacOS in fact) but the *application* that sends these requests. – zstolar Oct 12 '20 at 18:33
  • I obviously prefer to identify the app and kill it, rather than reinstalling my OS. – zstolar Oct 12 '20 at 18:34
  • The post I linked has much more information, but a virus is never one single application. Being in multiple places in the computer allows it to come back if partially deleted. If you don't want to reinstall everything, then all you can do is run multiple well-known antivirus products to deep-scan your computer. Most of the major ones have free "house call" products (just beware of fakes), as listed in the above link. This path is more risky and will only work if the virus is well-known by at least one antivirus product. – harrymc Oct 12 '20 at 18:44
  • Thank you @harrymc . As I don't have anything I can't lose on my laptop, having backed up all of my documents, I agree resetting is the most straightforward way. However, I prefer knowing what is sending these requests. Do you know of a way to identify in a mac which process is sending outgoing requests? – zstolar Oct 12 '20 at 18:59
  • On Windows I know sniffers that include the executable info, but not on the Mac. They must exist, however. If the antivirus product will find anything, usually it will list the quarantined files and this might help. – harrymc Oct 12 '20 at 19:06
  • OK, I found "Radio Silence" network monitor, and I crossed its findings with my local DNS server. I found it is a Chrome Helper which is initiating these requests. I disabled all the extensions and Chrome still sends these. I will reinstall Chrome and see what happens. – zstolar Oct 12 '20 at 19:55
  • Scrub out all Chrome folders for leftovers after uninstall. – harrymc Oct 12 '20 at 20:25
  • Sent a report to Google... I do believe it's either an extension that is installed elsewhere or some app that rides over Chrome. Either way it's only on a single laptop so it's probably not a general thing. Sent a report to Google anyway. – zstolar Oct 12 '20 at 20:48
  • As I said, this is a clumsy virus, being so easily detected, perhaps crafted using one of the virus kits floating around. You may be lucky enough for it to be localized to Chrome and so possible to totally eradicate. Even if Chrome re-installation solves the problem, I would still recommend doing some deep antivirus scans with more than one such product, just in case. – harrymc Oct 13 '20 at 06:28
  • If my answer was helpful, please consider marking it as accepted. – harrymc Oct 13 '20 at 06:30
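Worked example, added here and not part of the question or the answer: a script that applies the heuristic the answer states (persistent NXDOMAIN responses from a single client) to Pi-hole's dnsmasq log format, and combines it with the per-name shape check that the question's log pattern suggests (bare runs of lowercase letters under one search suffix). The sample lines are constructed, modelled on the log in the question. Because dnsmasq prints the client only on "query" lines, the pairing of each "reply"/"cached ... is NXDOMAIN" line with a client is an assumption made by this script, not something the log states.

```python
"""Flag clients that receive bursts of NXDOMAIN answers for random-looking
names in a Pi-hole (dnsmasq) log.  Added example; not code from the question
or the answer."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the log format in the question: one client
# (192.168.1.10) hammering three random labels under .home, and a second
# client (192.168.1.20) that makes one typo and one normal lookup.
SAMPLE_LOG = """\
Oct 12 15:06:03 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:03 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:03 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:04 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:04 dnsmasq[11469]: query[A] wwww.example.com from 192.168.1.20
Oct 12 15:06:04 dnsmasq[11469]: forwarded wwww.example.com to 127.0.0.1
Oct 12 15:06:05 dnsmasq[11469]: reply wwww.example.com is NXDOMAIN
Oct 12 15:06:05 dnsmasq[11469]: query[A] www.example.com from 192.168.1.20
Oct 12 15:06:05 dnsmasq[11469]: forwarded www.example.com to 127.0.0.1
Oct 12 15:06:05 dnsmasq[11469]: reply www.example.com is 192.0.2.10
--
Oct 12 15:06:06 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:06 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:06 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:08 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:08 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:09 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:09 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] uceqeycvfo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached uceqeycvfo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] rsnjznzzo.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached rsnjznzzo.home is NXDOMAIN
Oct 12 15:06:11 dnsmasq[11469]: query[A] dbetguay.home from 192.168.1.10
Oct 12 15:06:11 dnsmasq[11469]: cached dbetguay.home is NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$")
NXDOMAIN_RE = re.compile(r"^(?:reply|cached) (?P<name>\S+) is NXDOMAIN$")


def parse_events(log_text):
    """Return [(timestamp, client, name)] for every NXDOMAIN answer.

    dnsmasq prints the client only on 'query' lines, so each answer is
    attributed to the last client that asked for that name.  That pairing is
    an assumption; it can misattribute when two clients ask for the same
    name at the same instant."""
    last_client = {}
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # grep separators ("--") and unrelated lines
        # Syslog stamps carry no year; that is fine for deltas inside one window.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            last_client[q.group("name")] = q.group("client")
            continue
        nx = NXDOMAIN_RE.match(msg)
        if nx and nx.group("name") in last_client:
            events.append((ts, last_client[nx.group("name")], nx.group("name")))
    return events


def random_looking_label(name, min_len=6):
    """Leftmost label if it is a bare run of lowercase letters of at least
    min_len characters, else None.  A coarse shape check only; it is the
    burst from one client, not any single name, that carries the signal."""
    label = name.split(".")[0]
    return label if re.fullmatch(r"[a-z]{%d,}" % min_len, label) else None


def vowel_ratio(label):
    """Share of vowels in a label.  Uniformly random letters sit near
    5/26 (about 0.19); English words sit well above.  Informational only."""
    return sum(c in "aeiou" for c in label) / max(len(label), 1)


def find_nxdomain_bursts(log_text, window_seconds=60, min_answers=10, min_distinct=3):
    """Per client, find the densest window of NXDOMAIN answers and report the
    client when that window holds at least min_answers answers covering at
    least min_distinct distinct random-looking names."""
    per_client = defaultdict(list)
    for ts, client, name in parse_events(log_text):
        per_client[client].append((ts, name))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        best, lo = [], 0
        for hi in range(len(events)):  # sliding window over sorted timestamps
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > len(best):
                best = events[lo:hi + 1]
        names = sorted({n for _, n in best})
        labels = [lbl for lbl in map(random_looking_label, names) if lbl]
        if len(best) >= min_answers and len(labels) >= min_distinct:
            findings[client] = {
                "answers": len(best),
                "names": names,
                "mean_vowel_ratio": round(sum(map(vowel_ratio, labels)) / len(labels), 2),
            }
    return findings


if __name__ == "__main__":
    for client, info in find_nxdomain_bursts(SAMPLE_LOG).items():
        print(f"{client}: {info['answers']} NXDOMAIN answers in one window for "
              f"{info['names']} (mean vowel ratio {info['mean_vowel_ratio']})")
```

To run it against a real Pi-hole, replace SAMPLE_LOG with the contents of /var/log/pihole.log (or `pihole -t` output); the thresholds are starting points to tune per network. Two caveats a practitioner would want. First, on the Wireshark side there is nothing to decrypt: plain DNS on UDP/TCP port 53 is unencrypted, and the display filter `dns.flags.rcode == 3` isolates NXDOMAIN responses, with `dns.qry.name` showing the name asked for. Second, bursts of this shape also have benign sources: Chromium-based browsers, for example, probe three random hostnames of 7 to 15 lowercase letters to detect DNS hijacking, and the system resolver appends the DHCP search domain (here `.home`), so a hit from this script is a lead to chase to a process, not a verdict. On macOS, applications using the system resolver hand lookups to mDNSResponder, so a socket-level monitor attributes the port-53 traffic to that daemon rather than to the originating application.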