# example.com
DNS queries to example.com are most likely something someone "forgot" to remove from his application before pushing it to the Debian mirrors. example.com is reserved by IANA and is not a real domain. It's just for developing software or as an example domain when answering forum questions.
You can learn more about it on Wikipedia.
# IPv4only.arpa
If you have the local IP address 192.168.1.1, a reverse DNS lookup might return a domain name like host.example.com. This can be useful for identifying the hostname associated with an IP address, which is often used in networking and server administration. Example:
Code:
user@host:~$ host 23.48.165.132
132.165.48.23.in-addr.arpa domain name pointer a23-48-165-132.deploy.static.akamaitechnologies.com.
So, IPv4only.arpa is the domain used for reverse DNS lookups of IPv4 addresses. If your system is making DNS queries for IPv4only.arpa, it's likely performing reverse DNS lookups for IPv4 addresses on your network. This is part of normal network operations and isn't usually a cause for concern.
# why web.telegram.com
That I can not tell you, but with my answer below you might be able to find out. It gets much more fun when you look for Facebook domains, just from opening a browser or whatever tool.
# Furthermore
Personally I use dnscrypt-proxy, which not only encrypts all your DNS traffic so your ISP can't read it, but also lets you define whitelists or blacklists for the domains that should be resolvable. This way you can block nonsense like telegram.com, facebook.com and similar domains.
When you wireshark or tcpdump your laptop's traffic, sadly even with Debian (but much less so than with other, more popular operating systems), you will notice a LOT of weird traffic like this designed to track you.
To my knowledge both tcpdump and wireshark can not tell you which process (id) is currently generating traffic, just on which network interface traffic is going in / out. You might be able to look at what network traffic a specific program generates with strace, here with the example of Firefox (this command will not start Firefox but looks for a running Firefox and "traces" it):
Code:
sudo strace -e trace=network -s 1000 -f -p $(pgrep -d ',' firefox) 2>&1 | grep 'sendto\|recvfrom'
However the output is a bit annoying.
You can show which processes are CURRENTLY using port 53:
Code:
sudo netstat -tulnp | grep :53
sudo lsof -i :53
sudo ss -tulwn | grep :53
And you might be able to correlate that to a tcpdump / wireshark that you run in a second window.
It's always interesting to snoop around in your own DNS traffic.
If you really want to have fun, try https://www.qubes-os.org/, which lets you isolate each application (or each group of applications) into Xen VMs, where you can then have one (or more) firewall VMs with which you can identify the traffic further.
Long story short:
Try to use the answers above to find out what was doing that. Furthermore, use dnscrypt-proxy to a) log all DNS queries and b) block everything you don't like, or create a whitelist (not utterly usable). You can also download blocklists from GitHub for social trackers like Telegram / Facebook / whatnot.
Yes, it's normal. Sadly.