Last week I was playing around with some PCAPs I made of my home network, trying to correlate what I saw happening in the PCAP with the alerts generated by my SecurityOnion instance. One specific alert triggered over 1000 times in just two days, this doesn’t say much as I happen test a lot of services to see what they do, this particular alert happened so often that it worried me a little…
There was a continuous DNS query towards myip.opendns[.]com which is an address used to poll for the external IP-address of the machine that the query was made from. What’s strange about this query on my network was that this query was made to the external address of myip.opendns[.]com instead of using the configured primary DNS address
I started monitoring the processes on my system for network connections but the query was too short to pop up in the netstat command and not observed when checking this with lsof.
Reproducing the Queries
Frustrated I contacted a friend of mine to ask for his advice as to how to monitor this. He proposed me to check if it wasn´t some cinnamon desktop service running in the background making the DNS query, I logged out of the cinnamon desktop environment and into Gnome to check this, fired up Wireshark and did indeed not see the query.
I started to think about the applications I run normally when using my system and started the applications one by one. There were no DNS queries observed to any OpenDNS domain until I started the Mailspring client. Interesting!
The next day I downloaded and installed a clean Ubuntu 18.04 virtual machine and made sure to update it so it runs the same version as my home desktop. I installed Wireshark and started to capture the traffic of the clean Ubuntu installation; no opendns queries.
I then proceeded to install the Mailspring client and without adding an e-mailaccount I made another traffic capture with Wireshark, this time there were a lot more DNS queries, but still no DNS queries towards myip.opendns[.]com.
Next up I made a new Gmail account, added this to Mailspring and started the network capture again, this time I could see the opendns queries. But why?
Y u query?
The first thing after establishing when the queries were made was to clone the Github repository that is available. At the time of cloning this repository it seemed that only the UI was open source, I still cloned it to check for the query. After cloning the repository I searched for the query “myip.opendns[.]com” and for the involved IP-address that I observed: “220.127.116.11”, both yielded no results.
Shortly after this the friend I contacted earlier messaged me again, he had found the library used by Mailspring that is the cause of the queries being made. Turns out that the Mailspring client uses the is-online library to check if the system has an active internet connection.
I set out an issue on the Github page of Mailspring to ask for some clarification, and messaged the Mailspring team on twitter. Shortly after creating the issue I received a comment which stated that they indeed used this library for making connectivity checks but could be changed to just use Mailspring ‘s own servers to do so, and to cut out the ‘is-online’ library.
The issue was changed to the ‘Enhancement’ label which seems to indicate that this will be changed with the next release.
I also want to use this conclusion to give kudo’s to the Mailspring team for their prompt response!
- More people should look into their network traffic, this could’ve been spotted earlier (or someone did and didn’t see any harm in external IP-lookups);
- Not every company is the same when you have questions regarding the network connections of an application, some companies / teams actually listen to issues that’re being reported;
- It feels good when something you reported is taken seriously;
- The Mailspring team acts quick!