Macppl

DNS upload traffic via Eddie


I am using Eddie 2.11.11 on macOS 10.12.3, and have always had a question about mDNSResponder (the process that macOS uses to resolve DNS to IP). As shown in the attached screen capture, my network monitor shows mDNSResponder has continuous upload traffic via 10.x.0.1, which should be created by Eddie during connection to AirVPN, even when there is no computer or network activity.

 

I notice that when I browse a website, there is instant download traffic to resolve DNS, and I think that is normal. But I wonder what the continuous upload traffic is. Is that normal and the intended design of Eddie? Could staff please explain?

mDNSResponder.tiff


There are many background services that rely on DNS; also, Little Snitch is using DNS to resolve hostnames in the statistics.

However, the continuous upload situation only occurs after Eddie connects to the VPN and the DNS server IP is changed to 10.x.0.1. Could you confirm the traffic was not from Eddie?

Moreover, it is weird that the upload traffic seems not to be visible in the Speed tab of Eddie and Activity Monitor of OS X. Anyway, I have also asked Little Snitch and will update here if there is any news.

Posted ... (edited)

 


 

Little Snitch has replied to me that the traffic is not generated by them, and they are not aware of any bugs relating to my situation. The situation still occurred even when I set DNS to others (e.g. 8.8.8.8) or stopped the Network Filter. However, I have now found a solution: use DNSCrypt or VPN-->Tor, then filter all mDNSResponder traffic to bypass it. Of course those methods are inconvenient, and any user who finds continuous upload traffic will be worried about security.

I have also captured packets from mDNSResponder using their Network Monitor, and found that the continuous uploads should be DNS query packets from 0.0.0.127 to 10.x.0.1 (see the attached tiff). If they were normal DNS query responses, they should be resolved by AirDNS, but they just repeat continuously. Would staff please investigate whether they are caused by Eddie?

Please note that Little Snitch monitors / filters network traffic based on the Application Layer. Any more ideas? Do any Mac users have the same situation? If it is just me, then my machine may be compromised.

Captured upload DNS traffic.tiff

Edited ... by Macppl
