Recently I’ve been noticing a lot of consistent traffic coming from my Synology (well, Xpenology) virtual machine destined for a clients.your-server.de domain. This was somewhat concerning as some cursory Google searches for this domain resulted in several posts about folks associating this domain with malware and/or bots. Uh oh.
I use pfSense as my router and firewall, so I was able to perform a couple of troubleshooting steps:
As a knee-jerk reaction, I logged into my router and configured DNSMasq (the DNS Forwarder in pfSense) to resolve anything under the .clients.your-server.de domain to 127.0.0.1, so the VM could no longer reach it by name.
Secondly, as I have SSH access configured, I was able to log into a shell on the pfSense VM and capture some traffic:
tcpdump -s 0 -w /tmp/capture.pcap -i igb1 host 10.0.0.99
The ‘-s 0’ option removes the snapshot length limit so whole packets are captured rather than just their first bytes, ‘-w’ tells tcpdump where to write the packet capture, and ‘-i’ specifies which interface to listen on. In this case that’s igb1, my LAN interface. The trailing ‘host 10.0.0.99’ is a capture filter that keeps only packets to or from the VM’s address, so the file doesn’t fill up with everything else on the LAN. Side note, tcpdump is real sexy.
I let the capture run for just a few seconds, since the traffic was consistent. Then I pulled it back to my workstation via SCP so I could open the file in Wireshark. Lo and behold, there was my mystery traffic:
A-ha! musicbrainz.org. Turns out, I had recently installed beets on my Synology VM to organize my music collection, and it queries musicbrainz.org for song metadata. Phew, crisis averted. I think. The your-server.de name was evidently the reverse-DNS name of the server hosting musicbrainz.org, not a name the VM ever looked up itself, so that DNS Forwarder override wasn’t really blocking anything anyway. Now I could go back and remove that DNSMasq rule.
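If you would rather triage a capture like this from a script than click through Wireshark, here is an added example (not from the original post) that reads a classic pcap file, such as the one tcpdump wrote above, and tallies where a given host is sending packets; the 10.0.0.99 address is the one from the tcpdump filter, and the sample capture at the bottom is constructed inline with a documentation address standing in for the remote server.

```python
import struct
from collections import Counter

ETH_IPV4 = 0x0800
def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, dst_port) for each IPv4 frame in a classic pcap (Ethernet link type)."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order the file was written in
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue            # not IPv4, or too short to carry an IPv4 header
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src = ".".join(str(b) for b in pkt[26:30])
        dst = ".".join(str(b) for b in pkt[30:34])
        # TCP (6) and UDP (17) both keep the destination port in bytes 2..4 of the L4 header
        dport = struct.unpack("!H", pkt[14 + ihl + 2:14 + ihl + 4])[0] if proto in (6, 17) and len(pkt) >= 14 + ihl + 4 else None
        yield src, dst, proto, dport

def outbound_summary(data, host):
    """Count (dst_ip, dst_port) pairs for packets *sent by* host; inbound replies are ignored."""
    return Counter((dst, dport) for src, dst, _, dport in parse_pcap(data) if src == host)

# --- constructed sample capture (not a real pcap from the post) ---
def _frame(src, dst, proto, dport):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0])   # 20-byte IPv4 header, checksum left zero
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16          # TCP-sized L4 header, only the ports matter here
    return eth + ip + l4

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("10.0.0.99", "203.0.113.10", 6, 443),    # VM -> remote HTTPS (203.0.113.10 is a documentation address)
    _frame("203.0.113.10", "10.0.0.99", 6, 40000),  # reply, must not be counted as outbound
    _frame("10.0.0.99", "203.0.113.10", 6, 443),
    _frame("10.0.0.99", "10.0.0.1", 17, 53),         # VM -> router DNS
    _frame("10.0.0.99", "203.0.113.10", 6, 443),
])
```

Run `outbound_summary(open("capture.pcap", "rb").read(), "10.0.0.99").most_common()` on a real capture and feed each destination address into `dig -x` or Wireshark to see who it actually belongs to.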
Hopefully, if you find this post and were having a mild panic attack like I was, this information will help you troubleshoot your situation.