Synology and *.clients.your-server.de

Recently I’ve been noticing a lot of consistent traffic coming from my Synology (well, Xpenology) virtual machine destined for a clients.your-server.de domain.  This was somewhat concerning as some cursory Google searches for this domain resulted in several posts about folks associating this domain with malware and/or bots.  Uh oh.

I use pfSense as my router and firewall, so I was able to perform a couple troubleshooting steps:

As a knee-jerk reaction, I logged into my router and configured DNSMasq (DNS Forwarder in pfSense) to forward all traffic destined for the .clients.your-server.de domain to go to 127.0.0.1.

Secondly, as I have SSH access configured, I was able to log into a shell on the pfSense VM and capture some traffic:

tcpdump -s 0 -w /tmp/capture.pcap -i igb1 host 10.0.0.99

The ‘-s 0’ portion removes the packet size capture limit, the ‘-w’ option tells tcpdump where to write the packet capture to, and the ‘-i’ option specifies which interface to listen on.  In this case, it’s my LAN interface.  Side note, tcpdump is real sexy.

I let the capture run for just a few seconds, since the traffic was consistent.  Then I pulled it back to my workstation via SCP so I could open the file in Wireshark.  Lo and behold, there was my mystery traffic:

 

 

 

 

 

A-ha!  musicbrainz.org.  Turns out, I had recently installed beets on my Synology VM to organize my music collection, which will query musicbrainz.org for song metadata.  Phew, crisis averted.  I think.  Now I could go back and remove that DNSMasq rule.

Hopefully, if you find this post and were having a mild panic attack like I was, this information will help you troubleshoot your situation.

Leave a Comment