DNS Requests to 1.12.0.* China

Set up a MIAB box in my network. I use a local DNS server, but via my firewall I log all requests that go out to external DNS servers on ports 53 and 853.

My MIAB instance is frequently sending external requests, even though the local OS is configured to use the internal DNS server.

It is frequently sending DNS queries to:
1.12.0.4
1.12.0.1
1.12.0.29
1.12.0.71

These are Tencent IPs in China. Does anyone know what service is doing this and why?

Likewise, lots of DNS requests to this large list. These are non-China IPs, but nonetheless, why is it not using the locally configured DNS?

172.64.35.183
172.64.35.183
34.94.44.227
199.180.180.63
138.236.0.9
138.236.0.9
108.162.195.173
108.162.193.100
204.42.254.5
199.249.120.1
172.64.34.107
184.85.248.67
172.64.34.107
184.85.248.67
172.64.34.107
70.39.97.245
162.159.1.248
192.36.148.17
162.159.1.248
172.64.34.107
162.159.1.248
162.159.1.248
163.114.216.17
162.159.8.140
173.201.70.3
192.82.134.30
193.0.9.10
162.159.9.55
162.159.9.55
173.245.58.88
162.159.4.8
162.159.4.8
172.64.33.98
199.249.112.1
69.65.50.223

Here are just some of the names being queried:

A? secondary.gac.edu.
A? ns2.afraid.org.
A? ns1mpz.name.com.
A? ns4lny.name.com.
A? salvador.ns.porkbun.com.
A? ns05.domaincontrol.com.
A? ns3sxz.name.com.
A? maceio.ns.porkbun.com.
A? ns06.domaincontrol.com.
A? fortaleza.ns.porkbun.com.
A? curitiba.ns.porkbun.com.
A? ns2.afraid.org.
A? evergreen.v6.afraid.org.
A? ns2bkr.name.com.
A? mint.ns37.net.
A? fueled.byhamsters.net.
A? house.ofpenguins.net.
A? cruz.ns.cloudflare.com.
A? kevin.ns.cloudflare.com.
A? vera.ns.cloudflare.com.
A? darl.ns.cloudflare.com.
A? evergreen.v6.afraid.org.
A? evergreen.v6.afraid.org.
A? mail-yw1-f169.google.com.
A? b.gns.spamhaus.org.
A? d.gns.spamhaus.org.
A? c.gns.spamhaus.org.
A? a.gns.spamhaus.org.
A? e.gns.spamhaus.org.
A? gmail.com.dbl.spamhaus.org.
A? 169.128.85.209.zen.spamhaus.org.
A? 169.128.85.209.zen.spamhaus.org.
A? digital.costco.com.
A? _domainkey.digital.costco.com.
A? costco._domainkey.digital.costco.com.
A? cjm.adobe.com.
A? a1-217.akam.net.
A? a1-217.akam.net.
A? a1-217.akam.net.
A? cname.cjm.adobe.com.
A? ns-269.awsdns-33.com.
A? ns-269.awsdns-33.com.
A? com.cname.cjm.adobe.com.
A? ns-269.awsdns-33.com.
A? awsdns-56.co.uk.
A? awsdns-56.co.uk.
A? ns-1984.awsdns-56.co.uk.
A? ns-1984.awsdns-56.co.uk.
A? ns-1984.awsdns-56.co.uk.
A? a9-66.akam.net.
A? a1-116.akam.net.
A? a6-64.akam.net.
A? a5-64.akam.net.
A? a14-67.akam.net.
A? a28-66.akam.net.

Are you sure they’re requests, not replies?
Not sure about the list of IP addresses, but the names do not directly strike me as odd. Do you host on AWS?

I’m sure they’re requests.

Just hosted on a VM in-house. Just a small personal project, but it’s odd to me to see this DNS traffic. It’s fine if it wants to know those domain names, but why doesn’t it send the request to the DNS server configured on the operating system?

Well, the dns server on your computer itself also sends dns requests to the outside world. It does not have complete knowledge of the internet! It uses other dns servers to build that knowledge. That’s simply the way dns works.
Can you confirm the DNS requests originate from other applications than your local DNS server?
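One way to answer that question on the box itself, as an added example that is not part of the thread: have netfilter log every outbound port-53 packet together with the UID of the process that owns the socket, then summarise the kernel log. The iptables rules, the `DNS-OUT:` prefix, the interface name and the sample log lines (which reuse addresses from the list above, with uid 105 standing in for whatever uid the bind account has) are all assumptions made for this example:

```shell
#!/bin/sh
# Added example, not from the original thread: attribute outbound DNS to the
# owning process via a netfilter LOG rule, then summarise the kernel log.
#
# On the MIAB box, as root (assumes iptables is available; the rules are
# inserted at the head of OUTPUT so they also work alongside ufw):
#   iptables -I OUTPUT -o eth0 -p udp --dport 53 -j LOG --log-prefix "DNS-OUT: " --log-uid
#   iptables -I OUTPUT -o eth0 -p tcp --dport 53 -j LOG --log-prefix "DNS-OUT: " --log-uid
# --log-uid appends "UID=<n> GID=<n>" of the socket owner to each logged line.

# summarise_dns_out: read kernel LOG lines on stdin and print
# "<uid> <destination> <count>" for each owner/destination pair,
# most frequent first.
summarise_dns_out() {
    grep 'DNS-OUT:' |
    sed -n 's/.*DST=\([^ ]*\).*UID=\([0-9]*\).*/\2 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $3, $1 }'
}

# uid_name: map a numeric uid to an account name with getent; fall back to
# the number when no such account exists on this host.
uid_name() {
    getent passwd "$1" | cut -d: -f1 | grep . || echo "$1"
}

# Constructed sample lines in the format the LOG target writes to the kernel
# log. UID 105 is a placeholder for the "bind" account; the last line shows
# what a query to the internal resolver from a root process looks like.
SAMPLE_LOG='Mar  1 10:00:01 miab kernel: DNS-OUT: IN= OUT=eth0 SRC=10.0.3.50 DST=1.12.0.4 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41234 DPT=53 LEN=52 UID=105 GID=111
Mar  1 10:00:02 miab kernel: DNS-OUT: IN= OUT=eth0 SRC=10.0.3.50 DST=1.12.0.4 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51877 DPT=53 LEN=52 UID=105 GID=111
Mar  1 10:00:03 miab kernel: DNS-OUT: IN= OUT=eth0 SRC=10.0.3.50 DST=172.64.35.183 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60011 DPT=53 LEN=49 UID=105 GID=111
Mar  1 10:00:04 miab kernel: DNS-OUT: IN= OUT=eth0 SRC=10.0.3.50 DST=10.0.3.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33456 DPT=53 LEN=45 UID=0 GID=0'

# On a live box replace the sample with:  journalctl -k | summarise_dns_out
printf '%s\n' "$SAMPLE_LOG" | summarise_dns_out | while read -r uid dst n; do
    printf '%-8s %-16s %s\n' "$(uid_name "$uid")" "$dst" "$n"
done
```

If the summary shows the bind account as the owner of the queries to 1.12.0.x and the rest of the list, the traffic is the local recursive resolver doing its job rather than some other service ignoring the OS resolver settings; a different uid would point at a process with its own resolver configuration. Remove the LOG rules afterwards, since they log every outbound query.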

I’m pretty confident with how DNS works.

My dns servers reside on different machines than the one with MiaB.

I’ll just intercept them at the router and redirect internally. Just wondered if there was some purpose it was built apparently to use DNS servers other than the OS setup.

This is the OS setup, so it should be using these:

root@miab:~# cat /etc/resolv.conf
nameserver 127.0.0.1
root@miab:~# resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1

Link 160 (eth0)
Current Scopes: DNS
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 10.0.3.1 10.0.3.9
    DNS Domain: <my_search_domain>

This is because Mail in a Box installs and then uses Bind as a recursive DNS server, so if you want to change this behaviour I’d say you need to reconfigure Bind to act as a forwarding server. However, it is possible that your changes will be overwritten when you upgrade Mail in a Box.
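A forwarding configuration for bind of the kind the post above describes, as an added example; it is not Mail-in-a-Box's own named.conf.options, which its setup writes and an upgrade may overwrite. The forwarder addresses 10.0.3.1 and 10.0.3.9 are taken from the resolvectl output earlier in the thread; everything else in the block is an assumption about the box:

```conf
// Added example, not Mail-in-a-Box's shipped config: an options block for
// /etc/bind/named.conf.options that forwards instead of recursing.
options {
        directory "/var/cache/bind";

        // Serve only the local host; the mail stack talks to 127.0.0.1.
        listen-on { 127.0.0.1; };
        listen-on-v6 { ::1; };
        allow-query { localhost; };
        recursion yes;

        // Internal resolvers (from the resolvectl output in this thread).
        forwarders { 10.0.3.1; 10.0.3.9; };

        // "only": never fall back to direct recursion when a forwarder does
        // not answer. "first" would quietly recreate the outbound traffic
        // seen in the firewall log whenever a forwarder is slow or down.
        forward only;

        // Keep validation on. It still works through forwarders as long as
        // they pass DNSSEC records through (dig +dnssec @10.0.3.1 should
        // return RRSIGs); if they strip them, signed zones will SERVFAIL.
        dnssec-validation auto;
};
```

Check the file with named-checkconf and apply it with rndc reload (or systemctl restart bind9). One more thing to verify before relying on this: if the internal resolvers in turn forward to a public resolver, the Spamhaus lookups in the query list above (zen.spamhaus.org, dbl.spamhaus.org) will stop working, because Spamhaus refuses queries that arrive through open public resolvers; direct recursion is what keeps those RBL checks working on a stock install.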

Or just put the not localhost nameserver(s) into /etc/resolv.conf. That file will be overwritten when MIAB is updated, but this Q&D shell script, run from cron etc., should solve that:

#!/bin/sh
# Restore the wanted /etc/resolv.conf whenever the MIAB updater has put
# its localhost-only version back. Keep the desired copy (the one with the
# not-localhost nameservers) at /etc/resolv.conf.ext.dns and run this from cron.
if ! cmp -s /etc/resolv.conf.ext.dns /etc/resolv.conf ; then
    cp -p /etc/resolv.conf.ext.dns /etc/resolv.conf
fi

Edit: changed “correct nameservers” to “not localhost nameserver(s)”.


See previous post. It is correct.

Well, yes and no. Obviously the one in /etc/resolv.conf takes precedence over the ones configured on the interface, so it’s probably best to go with @ge8Hooe’s solution.

You could also try chattr -i the file to prevent it from being changed, but I am not sure if this would cause problems with the mailinabox.sh script.

Or, and this would normally be the recommended way, you could simply uninstall or disable bind, which wouldn’t be there in the first place without Mail in a Box, and then change the DNS servers in systemd-resolved, Netplan, NetworkManager or whatever usually manages DNS on a regular Ubuntu system.

However, since Mail in a Box is an appliance that basically takes over many parts of your system, and would simply revert those changes and reinstall bind during an upgrade, the “hacky”, otherwise not recommended way of just directly modifying resolv.conf by running a script via cron is probably the best solution for this particular case.