I recently started blocking DNS queries on my systems so that no client can do DNS queries on anything else but the local router/firewall that is now running pfSense 2.3. I started noticing some really strange stuff in my logs today:
That's a log entry from the block rule. The 10.71.14.9 address is my Android phone and the 69.171.239.13 address belongs to Facebook according to whois(1). I do run the facebook app on my phone but surely it should have no business sending DNS queries anywhere else but the local resolver (what it is told to use by DHCP)?
Anyone have a clue what purpose those queries would serve? I'm pretty sure my phone is not infected by any malware or anything of that sort.
Code:
May 5 16:21:01 LAN 10.71.14.9:46929 69.171.239.13:53 UDPThat's a log entry from the block rule. The 10.71.14.9 address is my Android phone and the 69.171.239.13 address belongs to Facebook according to whois(1). I do run the facebook app on my phone but surely it should have no business sending DNS queries anywhere else but the local resolver (what it is told to use by DHCP)?
Anyone have a clue what purpose those queries would serve? I'm pretty sure my phone is not infected by any malware or anything of that sort.
I do have a hunch that it's related to application updates on android but not sure yet, the timestamps on log entries do seem to correlate with the Facebook app updates that have quite frequent recently.