Server sending something to DNS?

cburwell

I have a web server (Debian 3.1) that is running LAMP + SSH. Starting yesterday some time I noticed that the link lights on the switch my server is connected to were going crazy, and the hard drive on my server seemed to have more activity than usual.

I looked at the active sessions on my router and I found the following:

INTERNAL Protocol EXTERNAL NAT Priority State DIR Timeout
192.168.0.113:52808 UDP 68.87.64.146:53 52808 130 - Out 300
192.168.0.113:52807 UDP 68.87.75.194:53 52807 130 - Out 300

It seems that my server is sending something (constantly) to my ISP's DNS servers. Does anyone have any idea what this could be?

I reset the server, and a few hours later I looked at the listing of "ifconfig", and my main network card had already transferred 100+MB of data! This is unusual for my server since it sees little to no traffic.

I figured I would post this here since it is network related, but feel free to move it if you feel it will get more hits elsewhere.
 
Looks like DNS queries, which would be normal if your web server is set to do reverse lookups for logging of web traffic.

I'd check your web server's logs to see what sort of activity it is seeing, and maybe a packet sniff of its traffic to make sure someone didn't "hax0r" it.
 
Fint is very likely correct. If the IP addresses involved are the ones you are set up to use then it is probably your Apache server trying to perform reverse resolution on any systems visiting your web site. You can turn this feature off if it concerns you.
 
If you run "tcpdump -n port 53" as root on that server, it should tell you what kind of queries it's making.
Here is some example output
Code:
15:26:10.327094 IP 134.161.x.x.32824 > 134.161.x.x.53:  23597+ A? xxxxx.org. (30)
15:26:10.449850 IP 134.161.x.x.53 > 134.161.x.x.32824:  23597 1/2/0 A x.x.x.x (97)
....
15:26:23.676164 IP 134.161.x.x.32824 > 134.161.x.x.53:  39642+ PTR? x.x.x.x.in-addr.arpa. (43)
15:26:23.679220 IP 134.161.x.x.53 > 134.161.x.x.32824:  39642 1/2/0 (128)

The A? line is my computer looking for the address of a site; the PTR? line is requesting the reverse lookup for the address x.x.x.x.
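To go one step further than eyeballing the capture, the following script (an added example, not code from anyone in this thread) parses "tcpdump -n port 53" output in the format shown above, tallies queries by type and by resolver, converts the in-addr.arpa names back to the IP addresses being reverse-resolved, and flags a capture that is dominated by PTR queries, which is the signature of a daemon (Apache HostnameLookups, an MTA doing reverse checks on every connection) resolving every peer that talks to it. The sample capture is constructed for the example; the addresses, names and the function names are assumptions, not anything from the original posts.

```python
import re
from collections import Counter

# Constructed sample output of "tcpdump -n port 53" (same layout as in the post above).
# Addresses and names are made up for this example.
SAMPLE_TCPDUMP = """\
15:26:10.327094 IP 192.168.0.113.32824 > 68.87.64.146.53:  23597+ A? example.org. (30)
15:26:10.449850 IP 68.87.64.146.53 > 192.168.0.113.32824:  23597 1/2/0 A 192.0.2.10 (97)
15:26:23.676164 IP 192.168.0.113.52808 > 68.87.64.146.53:  39642+ PTR? 10.2.0.192.in-addr.arpa. (43)
15:26:23.679220 IP 68.87.64.146.53 > 192.168.0.113.52808:  39642 1/2/0 (128)
15:26:24.100001 IP 192.168.0.113.52807 > 68.87.75.194.53:  39643+ PTR? 11.2.0.192.in-addr.arpa. (43)
15:26:24.300001 IP 192.168.0.113.52807 > 68.87.75.194.53:  39644+ PTR? 12.2.0.192.in-addr.arpa. (43)
15:26:24.500001 IP 192.168.0.113.52807 > 68.87.75.194.53:  39645+ PTR? 13.2.0.192.in-addr.arpa. (43)
15:26:25.000001 IP 192.168.0.113.52807 > 68.87.75.194.53:  39646+ MX? example.net. (29)
"""

# Matches only outbound query lines: "<src>.<sport> > <resolver>.53:  <id>+ <TYPE>? <name>."
# Response lines ("... .53 > <src>.<sport>: <id> 1/2/0 ...") do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53:\s+(?P<id>\d+)(?P<flags>[+%]*)\s+"
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+)"
)


def parse_queries(text):
    """Return one dict (ts, src, sport, dst, id, flags, qtype, name) per query line."""
    return [m.groupdict() for m in (QUERY_RE.match(l) for l in text.splitlines()) if m]


def ptr_to_ip(name):
    """Turn a reverse name such as '10.2.0.192.in-addr.arpa.' back into '192.0.2.10'."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: %r" % name)
    return ".".join(reversed(labels[:4]))


def summarize(queries):
    """Tally query types, which resolver each query went to, and the IPs being reverse-resolved."""
    return {
        "by_type": Counter(q["qtype"] for q in queries),
        "by_resolver": Counter(q["dst"] for q in queries),
        "reversed_ips": [ptr_to_ip(q["name"]) for q in queries if q["qtype"] == "PTR"],
    }


def ptr_share(queries):
    """Fraction of all queries that are PTR lookups (0.0 for an empty capture)."""
    if not queries:
        return 0.0
    return sum(1 for q in queries if q["qtype"] == "PTR") / len(queries)


def looks_like_reverse_lookup_storm(queries, min_queries=5, ptr_ratio=0.5):
    """Heuristic (thresholds are assumptions): enough traffic, and mostly PTR, means some
    service is reverse-resolving every peer rather than doing ordinary forward lookups."""
    return len(queries) >= min_queries and ptr_share(queries) >= ptr_ratio


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_TCPDUMP)
    report = summarize(qs)
    print("queries by type:    ", dict(report["by_type"]))
    print("queries by resolver:", dict(report["by_resolver"]))
    print("addresses being reverse-resolved:", report["reversed_ips"])
    if looks_like_reverse_lookup_storm(qs):
        print("mostly PTR traffic: check HostnameLookups in Apache and reverse-lookup "
              "settings in your MTA")
```

Run it against a real capture with "tcpdump -n -l port 53 | python3 dnsq.py" after swapping the constructed sample for sys.stdin; the list of reverse-resolved addresses tells you which service is responsible, since they will be the addresses in the Apache access log or the mail log.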
 
I installed tcpdump, and there seems to be a bunch of packets/requests originating from high-numbered ports on the server (ex 192.168.0.113:59031).

Any ideas?
 
I figured out that my problem was with a misconfigured instance of exim4. Since my router/firewall uses NAT, it seems that all incoming traffic appears to be coming from a local (192.168) source, when in fact it is not. Even though I thought I had exim4 configured properly, my router was working against me!

So I brought the mail server down for now (I had to use killall exim4). Everything is quiet now! If anyone has any links to pages that will give me tips on configuring exim4 behind a firewall, I would appreciate it.
 