Weird traffic

parrotsec

#1

Does anybody know what this traffic is? What is sent to gandalf.internal.parrotsec.org?


(Matt) #2

It is one of Parrot's servers. It hosts the repository and also provides DNS.

If you are seeing it frequently, it is probably handling your DNS queries.


#3

I know it's DNS traffic, but I use different DNS servers. Therefore I'm wondering what's in the traffic to gandalf. The second thing is that gandalf isn't mentioned anywhere in the documentation (or maybe I didn't find it; if so, sorry).


(Matt) #4

Well, if it's not in your /etc/resolv.conf and the traffic to 37.59.40.15 (gandalf…) is DNS traffic, then it's because the domains you are visiting are cached (in Firefox).

If you use nslookup it will use the DNS servers inside resolv.conf, whereas Firefox will use its cache until you restart it.


(Lorenzo "Palinuro" Faletra) #5

Parrot tries to circumvent DNS censorship by putting the OpenNIC DNS servers alongside those suggested via DHCP by the provider.

Some of the Parrot Project servers are also OpenNIC DNS resolvers, and we include them by default.

One of these DNS servers is our gandalf node (France), available at archive3.parrotsec.org or gandalf.internal.parrotsec.org.

I invite you to open Wireshark and take a look at the traffic routed to this server. As you can see, it is just DNS traffic, including only the DNS resolution requests performed by your system.
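To check what such a capture actually contains, here is an added example (not code from the thread or from the Parrot project) that decodes the header and question section of a raw DNS message, which is what a user would see in each UDP payload sent to the resolver. The sample packet is constructed by hand, a query for archive3.parrotsec.org, rather than captured from a real host.

```python
import struct

# Constructed sample: a standard A query for archive3.parrotsec.org,
# transaction id 0x1234, recursion desired. Not a real capture.
SAMPLE_QUERY = (
    b"\x12\x34"                  # transaction id
    b"\x01\x00"                  # flags: query, RD=1
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x08archive3\x09parrotsec\x03org\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)

def read_name(msg, offset):
    """Decode a DNS name at offset; follows RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_dns_questions(msg):
    """Return header fields and the (name, qtype, qclass) tuples of the question section."""
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    questions, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100), "questions": questions}

if __name__ == "__main__":
    print(parse_dns_questions(SAMPLE_QUERY))
```

Feed it the UDP payload of each packet to the resolver (for example, exported from Wireshark) and the decoded question names show exactly which lookups the system sent.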