Steam servers attempting to contact my DNS servers

I'm kind of curious about something I've noticed for a while now. A couple months back I visited the Steam website at work via web browser and even logged into my account. I have not installed the Steam client, simply visited the web site a few times.

After doing that I've noticed in my SPI firewall I routinely see Steam servers attempting to connect to my 2 DNS servers. Happens a few times in a 24 hour period. I don't see why Steam servers need to be communicating with my DNS servers so I've put a block on it for now. It's definitely incoming and not outgoing activity.

Since originally visiting the Steam site I've replaced my work PC so there's nothing on my PC which could be attempting communication with Steam. Since I put the block on I can't even visit the Steam site which is fine by me since I'm at work anyway.

Just curious as to why this continues to occur. Suspicious activity?
 
Steam might be trying to get DNS records from your DNS servers to find out who you are. If a computer doesn't know the hostname of something it will try and find out. Call Steam and ask them why they would do this.

Also, DNS is designed so that all servers globally communicate records etc. When you go to Godaddy or whatever and change an A record, guess what? That gets reflected globally within a few hours.
 
Port 53. I figured it had something to do with updating DNS records but I don't see why Steam needs my DNS server records. My DNS servers are behind our firewall and are not public servers on the internet.
 
Call Steam and ask them why they would do this.
That part made me giggle. Coming from a network service desk, I know the only thing more frustrating than customers that think they know something is trying to get ahold of ANY other company's network/IT department to work out some problem that they're causing us (unless we've got some sort of contract from them like a line rental, but even then it's torture, god forbid the problem be on an AT&T line).
 
It's already blocked and I wouldn't call it a problem. More of a curiosity.
Ya, that's weird. I've been sitting here, and I can't figure out why they might be doing that. Really, when you think about it, there are only two reasons to connect to a DNS server:

1) You're a client
2) The server in question is hosting a domain

Neither of which apply here. Odd.
 
If you host a DNS server then it is probably just a DNS server of theirs trying to get records from yours. I wouldn't worry about it at all.

How do you know it's a Steam server anyways? IP reverse DNS?
 
I think it is simply a DNS record update request. I set up OpenDNS for my forwarders and am seeing the same thing now from their servers. So I've gone ahead and unblocked it for now.

The reason I know the original requests were from Steam was because I did a whois search on the offending IPs.

No biggie I guess but still suspicious about Steam activity.
 
I think it is simply a DNS record update request. I set up OpenDNS for my forwarders and am seeing the same thing now from their servers. So I've gone ahead and unblocked it for now.

The reason I know the original requests were from Steam was because I did a whois search on the offending IPs.

No biggie I guess but still suspicious about Steam activity.
Unless you are hosting a domain on your DNS servers, there is no reason I know of that anyone beyond the clients would be making requests to your DNS server.

Weird behavior. XTF: Reverse requests will be handled by whatever ISP is hosting the reverse records for those IP blocks.
 
Weird behavior. XTF: Reverse requests will be handled by whatever ISP is hosting the reverse records for those IP blocks.

Unless it's delegated by the ISP to a machine you control.

That's actually the only reason I can think of. The OP just comes in as an IP address. The only logical reason would be if they're looking for a PTR record for your IP and your ISP has that block delegated to your DNS servers.

I doubt that you have it set up like that, so that is kind of odd. You should look at what the actual request is; it will give you a better idea of what they're after instead of just guessing.
 
Since I put the block on I can't even visit the Steam site which is fine by me since I'm at work anyway.

p.s.

Are you absolutely sure it's incoming traffic? :p

When you say "can't visit the site" do you mean can't resolve the hostname or you can't actually connect to port 80 on their web server?
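
Following the two suggestions above (look at the actual request, and check whether the traffic is really incoming), here is an added example, not written by any poster in this thread, that decodes the UDP payload of a captured port-53 packet and reports whether it is a query or a response, its opcode, and the name and record type in its first question. The sample packets and the `wire_name` helper are constructed for illustration, using a documentation address and example.com.

```python
import struct

QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA", 252: "AXFR"}
OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}

def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # 2-byte compression pointer
            if off + 1 >= len(msg) or hops >= 16:  # hop limit stops pointer loops
                raise ValueError("bad compression pointer")
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            continue
        if n == 0:                                # root label ends the name
            off += 1
            break
        if n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) or ".", (off if resume is None else resume)

def describe(payload):
    """Summarise one DNS message: direction (QR bit), opcode, first question."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!6H", payload[:12])
    info = {"id": ident, "kind": "response" if flags & 0x8000 else "query",
            "opcode": OPCODES.get((flags >> 11) & 0xF, "other"), "answers": ancount}
    if qdcount:
        name, off = read_name(payload, 12)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _ = struct.unpack("!2H", payload[off:off + 4])
        info.update(qname=name, qtype=QTYPES.get(qtype, str(qtype)))
    return info

def wire_name(name):  # hypothetical helper, used only to build the constructed samples
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

# Constructed samples: a PTR query, and a reply to an A query (QR bit set).
SAMPLE_QUERY = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0) + wire_name("10.2.0.192.in-addr.arpa") + struct.pack("!2H", 12, 1)
SAMPLE_REPLY = (struct.pack("!6H", 0x1A2C, 0x8180, 1, 1, 0, 0) + wire_name("example.com") + struct.pack("!2H", 1, 1)
                + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A packet that decodes with kind `response` is an answer to a lookup, not a new request, while opcodes `UPDATE` and `NOTIFY` are what a record update or zone-change notice would carry.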
 