Am I hacked?

I found a very strange thing when I saw DNS queries for random servers in Wireshark. I am running Ubuntu 10.10 and I was pretty sure that no one was running malicious scripts on my laptop. I was really worried when I saw DNS queries to http://www.ssa.gov and I had no idea what it was at the time. And when I googled to find out what it was, the DNS queries increased.

So I had to get to the bottom of this. “lsof” is a very useful program for seeing which process is responsible for which network connection: with “-i udp” it lists every open UDP socket together with the owning command and PID. When I ran the following, I found the culprit.

poo@SDT-TravelMate-8572G:~$ lsof -i udp
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox-b 1855 poo   42u  IPv4  27548      0t0  UDP SDT-TravelMate-8572G:41473->dns1.xxx.com.au:domain
firefox-b 1855 poo   62u  IPv4  27547      0t0  UDP SDT-TravelMate-8572G:35432->dns1.xxx.com.au:domain
firefox-b 1855 poo   63u  IPv4  27556      0t0  UDP SDT-TravelMate-8572G:34421->dns1.xxx.com.au:domain

So the culprit is Firefox doing DNS pre-fetching. Interesting article on that
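To do the same triage without reading the lsof table by hand, here is a small added example (my own code, not from the original post) that parses “lsof -i udp” output, counts the sockets each process has open towards a resolver's domain (53) port, and lists the resolvers it talks to; the sample table embedded below is constructed in the lsof column layout, with hostnames and PIDs chosen for illustration.

```python
"""Group `lsof -i udp` output by process and flag sockets aimed at DNS resolvers."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the `lsof -i udp` column layout (not a real capture).
SAMPLE = """\
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox-b 1855 poo   42u  IPv4  27548      0t0  UDP laptop:41473->dns1.example.com.au:domain
firefox-b 1855 poo   62u  IPv4  27547      0t0  UDP laptop:35432->dns1.example.com.au:domain
firefox-b 1855 poo   63u  IPv4  27556      0t0  UDP laptop:34421->dns2.example.com.au:53
avahi-dae  812 avahi  12u  IPv4  10231      0t0  UDP *:mdns
dhclient   901 root    6u  IPv4   9876      0t0  UDP *:bootpc
"""

# Remote end of a connected UDP socket: "->host:domain" or "->host:53".
# Greedy ".+" keeps IPv6 literals such as "[::1]" intact.
DNS_PEER = re.compile(r"->(.+):(domain|53)$")


def parse_lsof_udp(text):
    """Yield (command, pid, user, name) for each socket row, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)  # NAME is the 9th column and may contain spaces
        if len(parts) < 9:
            continue
        yield parts[0], int(parts[1]), parts[2], parts[8]


def dns_sockets_by_process(text):
    """Return ({(command, pid): socket count}, {(command, pid): {resolver, ...}})."""
    counts = Counter()
    resolvers = defaultdict(set)
    for command, pid, _user, name in parse_lsof_udp(text):
        match = DNS_PEER.search(name)
        if match:
            counts[(command, pid)] += 1
            resolvers[(command, pid)].add(match.group(1))
    return counts, resolvers


if __name__ == "__main__":
    # Pipe real output in (`lsof -i udp | python3 dns_sockets.py`) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    counts, resolvers = dns_sockets_by_process(data)
    for (command, pid), n in counts.most_common():
        print(f"{command} (pid {pid}): {n} DNS socket(s) -> {sorted(resolvers[(command, pid)])}")
```

A process at the top of that list with many short-lived resolver sockets is the first thing to look at; if it turns out to be Firefox, the prefetching itself can be switched off in about:config by setting network.dns.disablePrefetch to true.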
