OPNsense Forum

English Forums => General Discussion => Topic started by: dwasifar on October 22, 2018, 04:13:56 am

Title: Tracking down weird blasts of DNS queries
Post by: dwasifar on October 22, 2018, 04:13:56 am
Casually watching the firewall log widget, I noticed it suddenly filled with a blast of DNS queries to 75.75.75.75 (Comcast DNS).  I clicked through to the actual log and found something like 80 queries, all coming from different ports, all timestamped within the same two seconds.  Reviewing the logs further revealed other such blasts.

I don't use OPNsense's DNS server right now; everything goes through dnsmasq on another machine.  Because there is no NAT involved here, the log showed the WAN interface's IP under "Source", which was no help tracking it down.  But I was pretty sure it wasn't coming from the dnsmasq box, because that one usually queries all three of its configured upstream DNS servers at the same time, whereas these blasts were solely to 75.75.75.75.

As a diagnostic, I removed 75.75.75.75 from the dnsmasq server list on the other machine, and from OPNsense in Settings>General, and waited to see if another blast occurred.  It did, so I figured they must be coming from another machine somewhere on my local subnet.  The likely candidate was a machine I had recently installed namebench on to fine-tune DNS settings.  I reset that machine and I have not seen another blast to 75.75.75.75 since.

I'm still confused about what namebench was doing that caused that machine to send out random blasts of queries to only one of the eight DNS servers I had been evaluating the previous day.  But the question for this group: Is there a better way I could have tracked that traffic back to the machine that initiated it, rather than by tedious process of elimination?
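As an added example (not from the original post or from OPNsense), here is a small Python script that sweeps exported firewall log lines for exactly the pattern described above: many UDP port-53 queries from one source to one resolver, each from a different source port, inside a window of a couple of seconds. It groups by the interface the entry was logged on, so an entry seen on the LAN side reports the internal host rather than the WAN address. The comma-separated line format and the sample lines are constructed for this example and are not the real OPNsense log layout.

```python
"""Find bursts of DNS queries in firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the forum post). The format is an
# assumption for this example:
#   time,interface,src_ip,src_port,dst_ip,dst_port,proto
# 192.168.1.2 plays the dnsmasq box (queries all three upstreams at once);
# 192.168.1.50 plays the host that fires a burst at a single resolver.
SAMPLE_LOG = """\
2018-10-21T22:09:40,lan,192.168.1.2,41000,8.8.8.8,53,udp
2018-10-21T22:09:40,lan,192.168.1.2,41001,1.1.1.1,53,udp
2018-10-21T22:09:40,lan,192.168.1.2,41002,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50123,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50124,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50125,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50126,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50127,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50128,75.75.75.75,53,udp
2018-10-21T22:10:03,lan,192.168.1.50,50200,93.184.216.34,443,tcp
2018-10-21T22:10:04,lan,192.168.1.50,50129,75.75.75.75,53,udp
2018-10-21T22:10:04,lan,192.168.1.50,50130,75.75.75.75,53,udp
2018-10-21T22:10:04,lan,192.168.1.50,50131,75.75.75.75,53,udp
2018-10-21T22:10:04,lan,192.168.1.50,50132,75.75.75.75,53,udp
2018-10-21T22:10:04,lan,192.168.1.50,50133,75.75.75.75,53,udp
2018-10-21T22:10:04,lan,192.168.1.50,50134,75.75.75.75,53,udp
2018-10-21T22:11:15,lan,192.168.1.2,41010,8.8.8.8,53,udp
2018-10-21T22:11:15,lan,192.168.1.2,41011,1.1.1.1,53,udp
2018-10-21T22:11:15,lan,192.168.1.2,41012,75.75.75.75,53,udp
"""


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, iface, src, sport, dst, dport, proto = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "iface": iface, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto}


def find_dns_bursts(lines, window_seconds=2.0, threshold=10):
    """Return one record per (interface, src, dst) whose port-53 queries reach
    `threshold` inside some sliding window of `window_seconds`, sorted by
    burst size. Each record carries the burst start time, the query count and
    how many distinct source ports were used (a burst from many ephemeral
    ports is what the post describes)."""
    by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 53:      # only DNS traffic is of interest here
            continue
        by_key[(rec["iface"], rec["src"], rec["dst"])].append(rec)

    bursts = []
    for (iface, src, dst), recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        best, start = None, 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most window_seconds.
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if best is None or count > best["count"]:
                best = {"iface": iface, "src": src, "dst": dst,
                        "first": recs[start]["time"], "count": count,
                        "distinct_ports": len({r["sport"] for r in recs[start:end + 1]})}
        if best and best["count"] >= threshold:
            bursts.append(best)
    bursts.sort(key=lambda b: b["count"], reverse=True)
    return bursts


if __name__ == "__main__":
    for b in find_dns_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['iface']}: {b['src']} -> {b['dst']} {b['count']} queries "
              f"from {b['distinct_ports']} source ports starting {b['first']}")
```

Run against a real export, the key point is the interface column: only entries logged on the LAN-side interface carry the pre-routing internal source address, so filtering on that interface is what turns a burst into a host name instead of the firewall's own WAN address.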