My standalone, winxp-pro, cable-modem connected system does IP-lookups for no apparent reason.
A couple times a minute, my box will ask my provider’s DNS server for a lookup on an IP address using an ephemeral UDP source port and always within a second there is a reply from the DNS server consisting of the appropriate domain-name-pointer (PTR) record, using the same UDP port, then there will be no DNS packets at all for half a minute (or so) — then the next exchange will occur using an incremented UDP port.
Most of the looked-up IP addresses are within my provider’s zone, but not all. This happens continuously even when I have no software running that needs to run DNS queries. I have netbios over TCP disabled, and the “netbios over TCP” helper service is also disabled. The only protocol bound to my system’s single interface is TCP/IP — everything else is disabled as part of a general policy of reducing potential attack surfaces. My cable-modem blocks almost everything but I see what looks like every single ARP query my provider receives (around 70 per second). I don’t think winxp is simply looking up every IP it sees in order to maintain MAC-to-IP mappings because I looked in my arp cache and there’s only a couple entries.
Is this ‘funny’ DNS behaviour related to all of these ARP queries somehow? What else could account for it? Has anyone experienced anything similar?
Make sure your system is clean from malware.
Please follow the instructions on THIS SITE