Intro: Installed a Pi-hole and I'm using it for DHCP and DNS resolution. Noted that the majority of traffic (on a home network of 20+ devices) comes from one PC. The network name is home, and my top queries have names like usr.home, etc.home, wpad.home, etc.local, jmtkgdimzmuqfuc.home, frajfizrbl.home, and similar keyboard-mashy names. Note that the last two have over 3000 requests each since I last flushed my logs (yesterday afternoon).
All of these requests come from my media PC.
I ran Microsoft Network Monitor to capture packets and try to find the pid initiating the requests, but when limited to DNS queries, all the packets have a null pid. I can clearly see the packets though.
Next came Sysinternals Process Monitor, filtered to UDP Send, and I think I see the traffic. I have a lot of process paths that look like IPv6 address -> IPv6 address:domain. These are the only entries I can spot that look like DNS requests, but I can't figure out how to filter them further.
What can I do to find the source of these packets and which program is initiating them, and why? Do you know of any reason for junk DNS queries to occur this often?
Edit: I think I found part of it. I went through the processes in Task Manager and killed them one at a time while tailing the DNS queries. Once I killed Daemon Tools, the junk (keyboard-mashy looking) queries were gone. I still have wpad.local, wpad.home, usr.home, and etc.home all unaccounted for though.
Final Edit: Found it. It was an ASUS program I had installed when setting up the motherboard: TurboLan. I found it by killing one process at a time and killing cfosspeed stopped requests in Network Monitor.
So, final count (for posterity): uninstall Daemon Tools and TurboLan.
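A less manual way to answer "which program is initiating them" than killing processes one at a time is the Windows DNS Client operational log, whose events carry the ID of the process that made the query. The script below is an added example, not the author's; it assumes event 3008 ("DNS query completed") exposes the queried name as its first property, that the log has been enabled with `wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true` (elevated), and that the process is still running so its image path can be looked up.

```powershell
# Added example: attribute DNS queries to processes via the DNS Client log.
# Enable the log first (elevated):
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
# Assumption: event 3008's first property is the queried name.

function Get-LabelEntropy {
    # Shannon entropy (bits/char) of a DNS label; random-looking
    # names such as jmtkgdimzmuqfuc score high, words score low.
    param([string]$Label)
    $n = $Label.Length
    if ($n -eq 0) { return 0 }
    $h = 0.0
    foreach ($g in ($Label.ToCharArray() | Group-Object)) {
        $p = $g.Count / $n
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    $name  = [string]$e.Properties[0].Value
    $label = $name.Split('.')[0]
    # ProcessId comes from the ETW header: the process that called DnsQuery.
    $proc  = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Pid     = $e.ProcessId
        Image   = if ($proc) { $proc.Path } else { '<exited>' }
        Query   = $name
        Entropy = [math]::Round((Get-LabelEntropy $label), 2)
    }
}

# Flag junk-looking names (long first label, high entropy) and count
# them per process, so the noisy program floats to the top.
$rows |
    Where-Object { $_.Entropy -ge 3.0 -and $_.Query.Split('.')[0].Length -ge 8 } |
    Group-Object Pid, Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Lower the entropy threshold or drop the length check to also surface the wpad.home / usr.home style names, which are short dictionary words and will not trip the junk filter.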