very odd DNS behavior with XP

Posted by George Csahanin on September 16, 2007, 2:22 pm
Hi all. I've asked this before and had only two responses, and those were
not able to fix this problem.

My dad's two laptops do this. Here is an excerpt from the nameserver he is
accessing:

messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN

This goes on continuously. Every ten seconds it looks up MX record for those
four domains.

You never can catch it in netstat. Stop all sorts of services, it doesn't
stop.

I have no more hair to pull out.

192.168.0.4 is his laptop.

Anyone ever hear of this? Most would never see it because they're accessing
an ISP's name server. But here I control that. It's filling the log file, and
I'm afraid that it is part of a keystroke monitoring deal, though it would
appear that whatever it is, it is not getting the answer it wants.

I'm NOT a Windows expert, I know more on the Unix side, but open to
suggestions. This was a fresh install. He's doing SOMETHING that allows
this. It didn't take him long. He does play online games thru Pogo.

GeorgeC
Austin, TX

reply by email to nic at dyb dot com

Thanks!
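
Added example, not part of the original thread: one way to confirm from the name server's side that a client is repeating lookups on a fixed timer, as the post above describes, is to group the query log by client, name and type and measure the gaps between repeats. The function names, the thresholds, the year 2007 (syslog omits it) and the two 192.168.0.7 control lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Excerpt from the post, wrapped lines joined; 192.168.0.7 lines are constructed controls.
SAMPLE = """\
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:09 netxpress_HD1 named[692]: XX+/192.168.0.7/www.example.com/A/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:21 netxpress_HD1 named[692]: XX+/192.168.0.7/mail.example.org/A/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
"""

# syslog timestamp, host, then named's entry: XX+/client/name/type/class
LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ named\[\d+\]: XX\+?/([^/\s]+)/([^/\s]+)/(\w+)/\w+")

def parse(text, year=2007):
    """Yield (time, client, name, qtype); syslog omits the year (assumed)."""
    for m in LINE.finditer(text):
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield when, m.group(2), m.group(3).lower(), m.group(4)

def periodic_queries(text, min_gaps=2, jitter=2.0):
    """Map (client, name, qtype) -> period in seconds for timer-like repeats."""
    seen = defaultdict(list)
    for when, client, name, qtype in parse(text):
        seen[(client, name, qtype)].append(when)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gaps = [g for g in gaps if g >= 2]  # drop sub-2s resends of one round
        if len(gaps) >= min_gaps and max(gaps) - min(gaps) <= jitter:
            flagged[key] = median(gaps)
    return flagged

if __name__ == "__main__":
    print(periodic_queries(SAMPLE))
```

On a real log, raise min_gaps well above 2 so that a handful of coincidental repeats is not mistaken for a timer.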



Posted by Luke on October 4, 2007, 12:41 pm
I did have this problem, but I took it to PC World and they fixed it for
£40. And by the way, saying 192.168.0.4 is your dad's laptop isn't very safe...
be careful.




Posted by Malke on October 4, 2007, 12:49 pm
Luke wrote:
> I did have this problem, but I took it to PC World and they fixed it for
> £40. And by the way, saying 192.168.0.4 is your dad's laptop isn't very
> safe... be careful.

You've responded to a very old (in Usenet terms) post. It is unlikely
the Original Poster will come back. In any case, you are incorrect in
saying that it was unsafe of him to list the 192.168.0.4 IP address.
That is a private IP address and not accessible from the Internet. This
will make it clearer to you:

http://www.duxcw.com/faq/network/privip.htm


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by George Csahanin on October 28, 2007, 12:14 pm
Malke, I do check back to look for replies. I did smile over the comment
about the address, I guess some people don't know about private addresses.

But the problem really has me puzzled. The closest I have come to a
resolution was someone pointing out that it is a piece of Netgear wireless
adapter software that uses these lookups to check for network connection.

And you're right...Don't Panic...

GeorgeC





Posted by Malke on October 28, 2007, 8:20 pm
George Csahanin wrote:
> Malke, I do check back to look for replies. I did smile over the comment
> about the address, I guess some people don't know about private addresses.
>
> But the problem really has me puzzled. The closest I have come to a
> resolution was someone pointing out that it is a piece of Netgear wireless
> adapter software that uses these lookups to check for network connection.

Hi, George - You are an exception because usually if someone doesn't
come back in a day, that's all she wrote. I honestly don't know the
answer to your question. The possibility that this is the Netgear
checking for connectivity isn't completely far-fetched I suppose.

You might want to pull the Netgear and throw another router in there
just to see what happens.

Cheers,

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
