RE: https://infosec.exchange/@teriradichel/116262937287288024
I just wrote this post about DNS leaks and tunnels. So today I go to visit a web site and my host-based firewall is repeatedly popping up connection attempts to the website, like it’s beaconing to maintain a connection. So at first I’m grumbling about whatever on the web site is doing that but…
Then I’m confused when I’m trying to find the related connections and logs. I start to think something is wrong with my firewall.
But then I visit a different website and the same thing is happening. Ping, ping, ping (but it’s not ping).
And then it dawns on me. The reason I’m struggling to find the traffic is because there is no connection to the actual IP address returned by the DNS server. Something is making repeated DNS requests for those website domains.
And it’s every website domain.
I’m looking at my process monitoring script I wrote and the only thing making Internet connections is Google Chrome. I don’t install any extensions. Chrome is up to date.
I check and an Apple update is available. Installed that.
The beaconing is not for some attacker domain but rather for well-known domains. It was happening on an AWS website, a domain used in conjunction with ARIN, a CDN and CloudFlare.
Using CloudFlare DNS servers.
Has anyone seen this before?
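The pattern described in the post (a domain resolved over and over with no connection ever made to the address it resolved to) can be checked from logs rather than by eyeballing firewall pop-ups. Below is an added example, not code from the original post, that correlates a DNS query log against a connection log; the log formats, sample lines and the 30-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log: "<timestamp> <domain> -> <resolved_ip>"
DNS_LOG = """\
2024-05-01T10:00:00 example.test -> 203.0.113.10
2024-05-01T10:00:05 example.test -> 203.0.113.10
2024-05-01T10:00:10 example.test -> 203.0.113.10
2024-05-01T10:00:15 example.test -> 203.0.113.10
2024-05-01T10:00:02 cdn.example.test -> 198.51.100.7
"""

# Constructed sample connection log: "<timestamp> <dst_ip>:<dst_port>"
CONN_LOG = """\
2024-05-01T10:00:03 198.51.100.7:443
"""


def parse_dns(text):
    """Return {domain: [(query_time, resolved_ip), ...]}."""
    queries = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, domain, _arrow, ip = line.split()
            queries[domain].append((datetime.fromisoformat(ts), ip))
    return queries


def parse_connections(text):
    """Return {dst_ip: [connection_time, ...]} (port is dropped)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, dst = line.split()
            conns[dst.rsplit(":", 1)[0]].append(datetime.fromisoformat(ts))
    return conns


def lookups_without_connections(dns_text, conn_text,
                                window=timedelta(seconds=30), min_queries=3):
    """Flag domains queried >= min_queries times where no query was followed,
    within `window`, by a connection to the IP that query returned."""
    conns = parse_connections(conn_text)
    flagged = {}
    for domain, entries in parse_dns(dns_text).items():
        if len(entries) < min_queries:
            continue
        followed = sum(
            any(ts <= c <= ts + window for c in conns.get(ip, []))
            for ts, ip in entries)
        if followed == 0:
            flagged[domain] = len(entries)  # query count, no connection seen
    return flagged
```

Run against real exports, the output is the list of domains worth attributing to a process (as the post does with Chrome) rather than to the sites themselves.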