Author Topic: Strange DNS lookups when closing browser  (Read 3066 times)

JimF

  • Guest
Strange DNS lookups when closing browser
« on: February 28, 2005, 04:16:28 AM »
This is a little hard to explain, so read slowly.  I use a DNS caching program (FastCache by AnalogX) that caches DNS lookups.  It includes a log showing all DNS lookups.  When I close (not open) a web page with avast! 4.6 running, the FastCache icon shows that a DNS lookup has occurred.  Remember, this is when closing a web page (IE6 on WinXP SP2).  This was a little curious, so I looked in the FastCache log.  It appears that some sort of lookups to various addresses are occurring.  For example, a typical entry might be: 95.4.172.207.IN-ADDR.ARPA (I have never seen the IN-ADDR.ARPA in any other log entries).  I have looked up the IP addresses in ARIN, and they don't appear to relate to anything on the web site I was viewing when I closed the browser.  They seem to be IANA or RIPE reserved addresses (and some government ones), maybe DNS servers, but I don't know.

At first, I thought this was a strange interaction between avast! and FastCache, so I tried another DNS caching program, ExtraDNS.  However, I get the same type of entries when closing web pages.  But when I disable the avast! services, the DNS lookups do not occur when I close web pages, and the strange log entries stop occurring.  Any thoughts?

Offline Vlk

  • Avast CEO
    • ALWIL Software
Re: Strange DNS lookups when closing browser
« Reply #1 on: February 28, 2005, 10:06:58 AM »
Makes sense. We're in fact federal agents.........  Naah, just kidding ;D


Anyway, what do you mean by "closing a web page"? Closing the browser window? Which browser are you using (I see, IE6)? Does it make any difference if you use a different one?

Maybe we could try installing such a program on one of our test machines and see if it is reproducible here. :)

Thanks
Vlk
« Last Edit: February 28, 2005, 10:18:23 AM by Vlk »

Offline lukor

  • Administrator
    • AVAST Software
Re: Strange DNS lookups when closing browser
« Reply #2 on: February 28, 2005, 10:45:24 AM »
Hi,

Those are reverse DNS queries (95.4.172.207.IN-ADDR.ARPA); it means that someone is trying to determine what the host name is for 207.172.4.95, which is popserv.mrf.mail.rcn.net. Well, yes, it is possible that webshield does these kinds of reverse lookups; it converts IPs to host names in the log file (for example) and when checking blocked URLs, etc., but I don't know why they should appear when closing the browser.

Lukas
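
Added example, not part of the original thread: Python that decodes the reverse-lookup names discussed above back into the addresses being queried, so entries in a DNS cache log can be triaged. The log line layout and the function names are assumptions made for illustration (FastCache's real log format is not shown in the thread), and the IPv6 `ip6.arpa` case goes beyond the IPv4 name in the post.

```python
import ipaddress
import re

# Finds reverse-lookup names (in-addr.arpa / ip6.arpa) anywhere in a log line.
PTR_RE = re.compile(r"\b((?:[0-9a-f]+\.)+(?:in-addr|ip6)\.arpa)\b", re.I)

SAMPLE_LOG = [  # constructed lines, not FastCache's actual log format
    "04:16:01 query 95.4.172.207.IN-ADDR.ARPA",
    "04:16:01 query www.example.com",
    "04:16:02 query 1.1.168.192.in-addr.arpa",
    "04:16:02 query 999.4.172.207.in-addr.arpa",
]

def ptr_name_to_ip(qname):
    """Decode a full PTR query name into an address; None if malformed or partial."""
    labels = qname.lower().rstrip(".").split(".")
    suffix, parts = labels[-2:], labels[:-2][::-1]  # labels are stored in reverse
    try:
        if suffix == ["in-addr", "arpa"] and len(parts) == 4:
            if all(p.isascii() and p.isdigit() for p in parts):
                return ipaddress.IPv4Address(".".join(str(int(p)) for p in parts))
        if suffix == ["ip6", "arpa"] and len(parts) == 32:
            if all(len(p) == 1 for p in parts):  # one hex nibble per label
                groups = ["".join(parts[i:i + 4]) for i in range(0, 32, 4)]
                return ipaddress.IPv6Address(":".join(groups))
    except ValueError:  # e.g. an octet above 255 or a non-hex nibble
        pass
    return None

def reverse_lookups(log_lines):
    """Yield (query name, decoded address, scope) for each PTR name in the log."""
    for line in log_lines:
        for qname in PTR_RE.findall(line):
            ip = ptr_name_to_ip(qname)
            if ip is None:
                scope = "malformed"
            elif ip.is_private or ip.is_loopback or ip.is_link_local:
                scope = "local"
            else:
                scope = "public"
            yield qname, ip, scope

if __name__ == "__main__":
    for qname, ip, scope in reverse_lookups(SAMPLE_LOG):
        print(f"{qname:32} -> {ip} ({scope})")
```

The decoded address can then be compared against the hosts the browser actually contacted, which is the check JimF did by hand with ARIN.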

JimF

  • Guest
Re: Strange DNS lookups when closing browser
« Reply #3 on: February 28, 2005, 12:45:47 PM »
Quote from: Vlk
> Makes sense. We're in fact federal agents.........  Naah, just kidding ;D
>
> Anyway, what do you mean by "closing a web page"? Closing the browser window? Which browser are you using (I see, IE6)? Does it make any difference if you use a different one?
>
> Maybe we could try installing such a program on one of our test machines and see if it is reproducible here. :)
>
> Thanks
> Vlk

Yes, closing the browser window.  I briefly wondered who would want to know what web page I was looking at when closing the browser, and decided no one in the world, so that one is out.  But at first I thought it might be random IP addresses generated by some bug.  If necessary, I could try Firefox, but I don't have it installed now.  FastCache is freeware, and the icon is fun to look at anyway.