Author Topic: mysterious DNS look-ups  (Read 2438 times)


tom_from_van

  • Guest
mysterious DNS look-ups
« on: September 03, 2005, 11:12:50 PM »
My standalone, winxp-pro, cable-modem connected system does IP-lookups for no apparent reason.
A couple times a minute, my box will ask my provider's DNS server for a lookup on an IP address using an ephemeral UDP source port and always within a second there is a reply from the DNS server consisting of the appropriate domain-name-pointer (PTR) record, using the same UDP port, then there will be no DNS packets at all for half a minute (or so) --- then the next exchange will occur using an incremented UDP port.
Most of the looked-up IP addresses are within my provider's zone, but not all.  This happens continuously even when I have no software running that needs to run DNS queries.  I have netbios over TCP disabled, and the "netbios over TCP" helper service is also disabled.  The only protocol bound to my system's single interface is TCP/IP --- everything else is disabled as part of a general policy of reducing potential attack surfaces.  My cable-modem blocks almost everything but I see what looks like every single ARP query my provider receives (around 70 per second).  I don't think winxp is simply looking up every IP it sees in order to maintain MAC-to-IP mappings because I looked in my arp cache and there's only a couple entries. 
Is this 'funny' DNS behaviour related to all of these ARP queries somehow?  What else could account for it?  Has anyone experienced anything similar?
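
Added example, not part of the original post: one way to turn captured DNS payloads like the ones described above into a list of which IP addresses were reverse-resolved, when, and from which UDP source port. The function names and the `(seconds, source port, payload)` tuple layout are assumptions for illustration, and the sample capture is constructed with documentation-range addresses.

```python
import struct

PTR = 12  # DNS QTYPE for pointer (reverse lookup) records

def build_query(txid, qname, qtype):
    # Helper used only to construct the sample capture below.
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_question(payload):
    """Return (is_response, qname, qtype) for the first question of a DNS payload."""
    if len(payload) < 12 or payload[4:6] == b"\x00\x00":
        raise ValueError("truncated header or empty question section")
    flags = struct.unpack("!H", payload[2:4])[0]
    labels, pos = [], 12
    try:
        while (n := payload[pos]):
            if n > 63 or pos + 1 + n > len(payload):  # question names are uncompressed
                raise ValueError("bad label")
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        qtype, _qclass = struct.unpack("!2H", payload[pos + 1:pos + 5])
    except (IndexError, struct.error):
        raise ValueError("truncated question") from None
    return bool(flags & 0x8000), ".".join(labels), qtype

def reverse_target(qname):
    """Map 'd.c.b.a.in-addr.arpa' to 'a.b.c.d'; None if not a full IPv4 reverse name."""
    parts = qname.lower().split(".")
    if len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return None
    octets = parts[3::-1]
    ok = all(o.isdigit() and int(o) <= 255 for o in octets)
    return ".".join(octets) if ok else None

def ptr_lookups(capture):
    """List (time, source port, looked-up IP) for each outgoing PTR query."""
    out = []
    for ts, sport, payload in capture:
        is_resp, qname, qtype = parse_question(payload)
        if not is_resp and qtype == PTR and (ip := reverse_target(qname)):
            out.append((ts, sport, ip))
    return out

# Constructed sample: (seconds, UDP source port, DNS payload).
SAMPLE = [
    (0, 1031, build_query(1, "10.2.0.192.in-addr.arpa", PTR)),
    (31, 1032, build_query(2, "example.com", 1)),
    (62, 1033, build_query(3, "7.100.51.198.in-addr.arpa", PTR)),
]
```

Sorting the resulting addresses by whether they belong to the provider's ranges, and comparing the timestamps against other traffic to or from those addresses, narrows down what is triggering the reverse lookups.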

Offline Eddy

  • Avast Evangelist
Re: mysterious DNS look-ups
« Reply #1 on: September 04, 2005, 08:24:47 AM »
Make sure your system is clean from malware.
Please follow the instructions on THIS SITE