Looking at the logs of my local DNS server, my Linux computer has been looking up 191.0.0.10.in-addr.arpa every few seconds. It also looks up ipv4only.arpa, but less frequently. As far as I know, arpa domains are apart of the DNS system itself? Is this normal?

  • kevincox@lemmy.ml
    link
    fedilink
    arrow-up
    7
    ·
    4 years ago

    If you really want you can set a trace filter on your firewall to see what users those requests are coming from. This is reverse-DNS. It looks up the hostname for an IP address. There are various reasons to do this.

    1. Some applications filter based on the hostname. They need to convert the IP to a hostname (and they query the hostname to ensure it maps to the IP to verify)
    2. Some applications show this to the user (some bittorrent clients try to show you peer hostnames).
    3. Some applications log the hostname.

    So there are a wide variety of reasons. You would have to trace this back to the application to find out why exactly it is happening for you.

    • AgreeableLandscape@lemmy.mlOPM
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      4 years ago

      I find it really weird that it keeps reverse looking up one IP address, which apparently is in Brazil, and it does it every few seconds.

      I do have a VPN enabled (but not to a server in Brazil), but I don’t know if that has anything to do with it.

      • kevincox@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        4 years ago

        191.0.0.10.in-addr.arpa

        I do find it weird that this is an internal IP. I would check if this query works. Also maybe checking to see if your VPN has anything at this IP.

            • AgreeableLandscape@lemmy.mlOPM
              link
              fedilink
              arrow-up
              1
              ·
              4 years ago

              Oh wait, I just realized that the IP is reversed from what the domain says. I thought it was 191.0.0.10.

              10.0.0.191 is actually the IP address to the computer sending the queries.

              • SeerLite@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                4 years ago

                Maybe you can run one of those crazy nmap scans to see what it is?

                Or maybe it’s a better idea to figure out why it’s happening in the first place instead hmm