
I have noticed some strange activity on a DNS server of mine and wanted to pick some brains. Every request being made to this DNS server has an additional UDP packet being sent to an EC2 IP address in Ireland. FYI, I am in the US, so this should not be going to Ireland at all. The UDP packet sent each time contains each request being made on my DNS server.

This is an internal DNS server, running dnsmasq and using OpenDNS for its lookups. Below are a couple of screenshots for some additional info. I do not believe this EC2 address should be appearing, but I could be wrong. That is why I want to ask everyone here. Any info, tips, or advice on this?

[two screenshots from the original post; images not preserved]

1 Answer


The IP address is for data.logentries.com:

$ dig data.logentries.com | grep 78.79
data.logentries.com.    98  IN  A   46.137.78.79

logentries.com provides log management and analytics, and it appears someone at your site has signed up for it.

– adamant
  • How did you know initially it was data.logentries.com? When I did a reverse lookup it showed me ec2-46-137-78-79.eu-west-1.compute.amazonaws.com. What am I missing? – pickledtink Mar 18 '17 at 22:35
  • A reverse IP lookup wasn't useful. I did a Google search for the IP address and one of the links led to the forward lookup. – adamant Mar 19 '17 at 01:12
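A way to confirm the behaviour described in the question against your own flow or packet logs, written here as an added example (it is not code from the question, the answer, or the Logentries product): it reads flow records for the dnsmasq host, treats the two OpenDNS resolver addresses as the only expected UDP destinations, and reports every other destination together with how many of its packets follow a client query within one second. That per-query pairing is the symptom the poster noticed, and it is what separates a log shipper that fires on every request from unrelated background traffic. The server address 10.0.0.53, the destination port 10000, and the flow lines themselves are constructed for the example; 46.137.78.79 is the address from the answer.

```python
"""Flag outbound UDP from a DNS forwarder that does not go to its configured upstreams.

Added example. Addresses other than the OpenDNS resolvers and the 46.137.78.79
address from the thread are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the dnsmasq host is 10.0.0.53. OpenDNS resolvers are the only expected upstreams.
DNS_SERVER = "10.0.0.53"
ALLOWED_UPSTREAMS = {"208.67.222.222", "208.67.220.220"}
# An outbound packet this close after a client query counts as "paired" with it.
CORRELATION_WINDOW = timedelta(seconds=1)

# Constructed flow records, not a capture from the poster's network.
# Format: date time src:sport dst:dport proto (port 10000 is an assumed value).
SAMPLE_FLOWS = """\
2017-03-18 22:00:01.100 10.0.0.15:51000 10.0.0.53:53 UDP
2017-03-18 22:00:01.102 10.0.0.53:40001 208.67.222.222:53 UDP
2017-03-18 22:00:01.104 10.0.0.53:40002 46.137.78.79:10000 UDP
2017-03-18 22:00:05.300 10.0.0.22:51001 10.0.0.53:53 UDP
2017-03-18 22:00:05.301 10.0.0.53:40003 208.67.220.220:53 UDP
2017-03-18 22:00:05.303 10.0.0.53:40004 46.137.78.79:10000 UDP
2017-03-18 22:00:09.000 10.0.0.53:40005 46.137.78.79:10000 UDP
2017-03-18 22:00:12.000 10.0.0.53:40006 203.0.113.7:123 UDP
"""


def parse_flows(text):
    """Parse the flow format above into dicts sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, proto = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f"),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "proto": proto.upper(),
        })
    return sorted(flows, key=lambda f: f["ts"])


def find_unexpected_egress(flows, server=DNS_SERVER, allowed=ALLOWED_UPSTREAMS,
                           window=CORRELATION_WINDOW):
    """Return {dst_ip: {"total", "correlated", "ports"}} for UDP the server sends
    anywhere other than its allowed upstreams.

    "correlated" counts packets sent within `window` of the most recent client query,
    which is the every-request pattern described in the question.
    """
    last_query_ts = None
    findings = defaultdict(lambda: {"total": 0, "correlated": 0, "ports": set()})
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["dst"] == server and f["dport"] == 53:
            last_query_ts = f["ts"]          # a client asked the forwarder something
            continue
        if f["src"] == server and f["dst"] not in allowed:
            entry = findings[f["dst"]]
            entry["total"] += 1
            entry["ports"].add(f["dport"])
            if last_query_ts is not None and f["ts"] - last_query_ts <= window:
                entry["correlated"] += 1
    return dict(findings)


def report(findings):
    """Human-readable lines, one per unexpected destination, worst offender first."""
    lines = []
    for dst, e in sorted(findings.items(), key=lambda kv: -kv[1]["correlated"]):
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        lines.append(f"{dst} udp/{ports}: {e['total']} packets, "
                     f"{e['correlated']} within {CORRELATION_WINDOW.total_seconds():g}s of a query")
    return lines


if __name__ == "__main__":
    for line in report(find_unexpected_egress(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

A destination that appears with a high correlated count is worth resolving and checking against the server's own configuration (dnsmasq's `server=` lines plus any log forwarding agent installed on the host); an upstream resolver that is legitimate but simply missing from the allowed set will also show up here, so extend ALLOWED_UPSTREAMS rather than ignore it.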