Windows XP constant reverse lookup of DNS server IP

Jorey Bump

I'm running XP Pro SP2 on an IBM T41p Thinkpad.

Every 20 seconds, it does a PTR query (reverse lookup) on the IP address of
my DNS server. I also have an XP Home box on the network, but it doesn't do
this.

If I boot into safe mode with networking, it does not do the reverse
lookup. I've turned off as many unnecessary processes as I can, but to no
avail. I've tried running netstat -ban (to identify the process), but no
connection to my DNS server ever appears in the list.

When I run windump, it always shows an arp who-has for my dns server,
followed by a reply, then the PTR query and reply.

Does anyone have an idea what might cause this, and how to determine the
process that is making the query? It seems completely unnecessary to poll
with such frequency.
 
Jorey,

Get Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home> for a more
detailed, and easier to follow, display than you get from netstat.
And Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>, identifies all the
processes running, and will display a limited amount of network use for each
process. Also, Autoruns (also free, and also from SysInternals)
<http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml> will show you
specifically what processes are started automatically.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
> Get Port Explorer (free) from
> <http://www.diamondcs.com.au/portexplorer/index.php?page=home> for a
> more detailed, and easier to follow, display than you get from
> netstat.

Thanks. That shows svchost.exe as the process initiating the connection,
but now I have no idea what service is responsible, or if it's safe to turn
off. Any suggestions?

> And Process Explorer (free) from
> <http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>, identifies
> all the processes running, and will display a limited amount of
> network use for each process. Also, Autoruns (also free, and also
> from SysInternals)

Looked interesting, but it wouldn't run (complained about symbols not being
present).
 
> Thanks. That shows svchost.exe as the process initiating the connection,
> but now I have no idea what service is responsible, or if it's safe to turn
> off. Any suggestions?

> Looked interesting, but it wouldn't run (complained about symbols not being
> present).

Svchost.exe is a general purpose process that Microsoft provides to run various
services (background tasks) that let you use the various features of Windows.
There are multiple instances of svchost.exe, so use the Process ID to identify
the one generating the traffic.

Process Explorer will run, just click OK when it gripes about the symbols issue.
Use Process Explorer to look at the Properties of the svchost.exe (by PID) in
question. Under Properties, in the Services tab, see what services are
registered for that instance of svchost.exe.

For a good reference to the services registered to svchost.exe, see
<http://www.blackviper.com/WinXP/servicecfg.htm>. For discussion about most
processes in general (what is each one, what does it do, is it necessary), just
type it in to your favorite search engine. Anything dangerous is probably being
discussed somewhere on the web.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
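
Added example (not part of Chuck's post or of any tool named in the thread): the PID-to-services lookup described above, done from the output of `tasklist /svc /fo csv`, which ships with XP Professional. The sample output is constructed, and the column names assume an English-language system.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"lsass.exe","724","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","892","DcomLaunch,TermService"
"svchost.exe","960","RpcSs"
"svchost.exe","1056","AudioSrv,BITS,Browser,Dhcp,Netman,Schedule,Themes,wuauserv"
"svchost.exe","1148","Dnscache"
"svchost.exe","1260","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"explorer.exe","1712","N/A"
'''


def services_by_pid(tasklist_csv, image="svchost.exe"):
    """Return {pid: [service, ...]} for every running instance of `image`."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != image.lower():
            continue
        names = [s.strip() for s in row["Services"].split(",") if s.strip()]
        # tasklist prints N/A when a process hosts no services.
        hosts[int(row["PID"])] = [] if names == ["N/A"] else names
    return hosts


def services_for(tasklist_csv, pid):
    """Services registered in the svchost.exe instance with this PID."""
    hosts = services_by_pid(tasklist_csv)
    if pid not in hosts:
        raise KeyError("PID %d is not a svchost.exe instance" % pid)
    return hosts[pid]


def single_service_instances(tasklist_csv):
    """Instances hosting exactly one service: the PID alone names the service."""
    return {pid: svc[0]
            for pid, svc in services_by_pid(tasklist_csv).items()
            if len(svc) == 1}


if __name__ == "__main__":
    # PID as reported by the port-to-process tool (constructed value).
    print(services_for(SAMPLE_TASKLIST, 1148))
    print(single_service_instances(SAMPLE_TASKLIST))
```

If the instance turns out to host Dnscache (the DNS Client service), the query may have been made on behalf of another program, because that service resolves names for other processes and the port-to-process tool attributes the traffic to its svchost.exe.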
 
> Process Explorer will run, just click OK when it gripes about the
> symbols issue. Use Process Explorer to look at the Properties of the
> svchost.exe (by PID) in question. Under Properties, in the Services
> tab, see what services are registered for that instance of
> svchost.exe.

Thanks, Chuck. Process Explorer is running, but there is no GUI whatsoever.
I try to maximize it, restore it, resize it, but no joy. I see a little
flicker when I maximize it, but no window.
 
