Opening LibreOffice generates random DNS queries SUSE 12.2 and 12.1

While running Wireshark in SUSE 12.1 I noticed that opening LibreOffice caused a DNS query with a random 16 bit hexadecimal value.

After noticing this in SUSE 12.1, thinking I had been hacked, I did a fresh install of SUSE 12.2 and the behavior was the same. I formatted the /boot, / and /home partitions during the install. Then I ran the SUSE updates, installed Wireshark and opened LibreOffice Writer. The DNS problem was still there. I do not see any reasonable way for any hack to make it back into my machine with this procedure. I was not even opening any file in Writer.

To make things worse I have an older SUSE 12.1 installed on another machine that does not have this behavior. I have constantly reproduced it on one machine and been unable to produce it on another machine. Both machines were/are current on their repo updates. I also use the Packman and Science repos in both machines, but these added repos were not istalled during the new 12.2 testing. I kept the new 12.2 test straight forward and simple as described above.

These are edited Wireshark examples of the actual DNS. The 74.211.x.x IP is my DNS server and my machine is named linux4x:

   
192.168.x.x    74.211.x.x    DNS    69    Standard query 0x73d2  A linux4x
74.211.x.x    192.168.x.x    DNS    144    Standard query response 0x73d2 No such name
____
192.168.x.x    74.211.x.x    DNS    69    Standard query 0xc98b  A linux4x
74.211.x.x    192.168.x.x    DNS    144    Standard query response 0xc98b No such name
____
192.168.x.x    74.211.x.x    DNS    69    Standard query 0xf0ff  A linux4x
74.211.x.x    192.168.x.x    DNS    144    Standard query response 0xf0ff No such name

Notice the 16 bit hexadecimal numbers appear to be random and do not repeat. The DNS query is only generated
when LibreOffice is opened (calc, impress, writer) and does not occur again until after all the LibreOffice
programs are closed and LibreOffice is opened again with no other instances running. If any other instance of
LibreOffice is running there is no new DNS query.

I tried messing with the LibreOffice Internet options and removed the e-mail (evolution) and tickled the
Browser Plug-In option with no change. I tried disabling LibreOffice Java and all I got was a miserable nag
about wanting to enable Java every time I started LibreOffice, with no change in the DNS behavior.

The problem machine:
i5-2500K Sandy Bridge LGA 1155 3_3 GHz Intel® HD Graphics 3000
MSI Z68MA-ED55 (B3) LGA 1155 Intel Z68 Micro ATX Intel Motherboard
DDR3 Model F3-12800CL9D-8GBXL 8 Gig Sandy Bridge XMP
Best Connectivity DL-0234802 PCI-E serial card
Western Digital Caviar Black 1 TB SATA III
Only DDR3 1600 XMP profile enabled - no other overclocking used and it is stable

The old machine:
i5-650 Clarkdale LGA 1156 3_2 GHz
Integrated Graphics
Gigabyte ga-h55m-s2v_e Micro ATX Intel Motherboard
DDR3 Model F3-10666CL9D-8GBXL 8 Gig
Western Digital Caviar Black 500GB SATA III - jumpered for SATA II
no overclocking

I just start or restart the Wireshark capture, then open LibreOffice, go back to Wireshark and there is the DNS
everytime. Has anyone alse seen this problem or is anyone able to reproduce it?

I saw an older October thread where LibreOffice had random startup delays that would appear and then dissappear.
Could it have possibily been be releated to this? I doubt anyone would have thought to look for unwanted DNS
transactions when openeing LibreOffice.

Thanks for any help.

On 2013-01-03 03:26, Mike unique wrote:
> While running Wireshark in SUSE 12.1 I noticed that opening LibreOffice
> caused a DNS query with a random 16 bit hexadecimal value.

You might post the question in the openSUSE security mail list.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

This may be the most stupid suggestion you get on this question. I do not know Wireshark and thus do not know what the different fields are in it’s output. But to me it looks as if the DNS is asked for an A record of linux4x and the answer is: No such name. The hex number simply being the id of the query.

This would mean that LibreOffice only tries to query about the local host.

EDIT:: You could see if you can mimic this of course by using

nslookup linux4x

or

host $(hostname)

and check what Wireshark recorded.

Update Service?

On 2013-01-03 09:56, hcvv wrote:
>
> This may be the most stupid suggestion you get on this question. I do
> not know Wireshark and thus do not know what the different fields are in
> it’s output. But to me it looks as if the DNS is asked for an A record
> of linux4x and the answer is: No such name. The hex number simply being
> the id of the query.

Doh! I should have noticed.

>
> This would mean that LibreOffice only tries to query about the local
> host.

Very possible.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

> Update Service?

Not having looked at the Linux code, but the Windows version has an update
service. If the code exists in the Linux version as well, it could be set to
check loopback, fail to find update, and get on with life. If true, would be
better if it were simply commented out entirely but there may be other
things at play that don’t allow that. Or it could be checking for local
proxy information for the other internet features in LO. Personally I think
internet garbage tacked into stand-alone apps is a bad idea, but certainly
is a popular one.

Brilliant !! :slight_smile:

Thanks for the explanation. Obviously, my understanding of Wireshark is not that good and your explanation makes sense. Yes, “nslookup linux4x” reproduces the behavior.

Still, in any case what is the point of looking up a local host network name from a LAN computer on an Internet WAN DNS server? My LAN gateway has its own DNS service, which is where the local host name will resolve to a LAN IP.

What would a LibreOffice update service do with a local host LAN IP even if it got it? When would any computer local host name be expected to have an Internet WAN IP, using the local host name for the Internet DNS record look up? Even if I ran a dedicated Internet IP without any LAN or gateway/firewall, what would my local host name have to do with an Internet DNS look up IP? This local host name WAN DNS activity appears to fail the sanity test.

What would happen if I was able to craft a local host name that resolved to an Internet IP and more importantly what would be the point? I mean the local host name is specif to the host computer running the application and of course this computer is already accessible to the application. More importantly is there any Internet DNS look up that matches, if it is even possible, any operating systems default install local host name (could it be a trap door for the unwary)? In my experience default install local host names are usually somewhat randomized anyway.

The way I understand things is the WAN does not need to know any of my LAN IPs (these LAN IPs do not make any sense too an Internet WAN DNS) and any Internet access with my LAN needs to use my ISP assigned gateway WAN connection IP, to make it from the Internet through my gateway/firewall.

I suspect this an innocent LibreOffice bug. If your ISP DNS server is having trouble and responding slowly to unresolvable DNS queries, it might cause LibreOffice slow start ups. I have no idea if LibreOffice processes even block on this DNS query completion or not.

Also, why is this behavior not consistent between different machines? Has anyone else seen this behavior by just starting LibreOffice or am I “specially” blessed on this one computer? I do not see any inherent problems with my clean install everything testing.

Before venturing in to all your "what if " statements, I need some clarification;

You said in post #1

74.211.x.x IP is my DNS server

You also say above:

Yes, “nslookup linux4x” reproduces the behavior.

I read this as: Yes, “nslookup linyx4x” does send out a query to 74.211.x.x.

Both mean that your system usess that as DNS server. And not from your LAN gateway as you seem to think. But as earlier, you jump to conclusions without checking the facts. Earlier you did not consult the Wireshire documentation on what it’s output means and then jumped to the conclusion that the hex number would be a mysterious type of query. And now you assume things about your DNS server without checking what is configured in your system.

cat /etc/resolv.conf | grep -v '^#'

Post the bare facts here please.

Maybe a really stupid followup question is “Where and what has been configured with the linu4rx name?”

If that is the current or original name of the machine (when the system was first installed), then it’s simply querying for the local hostname.

In any case, if it really bothers you that DNS queries are leaving your box querying for a non-existent name, the simple solution is to simply create a “linux4x” entry in your Hosts file pointing to itself (loopback address eg 127.0.0.1).

Since the name will be resolved internally, no query should leave the box.

TSU

Very likely correct.

Yast –> Network Devices –> Network Settings –> Hostname/DNS

and check the box “Assign Hostname to Loopback IP”

Click OK.

The chances are that local hostname lookup will then be done without consulting DNS.

hcvv, You are also jumping to conclusions. I am not a networking guy and I did not need to consult the Wireshire documentation to run a nslookup test and report that it reproduced the observed behavior on Wireshark. Are you suggesting that Linux is incapable of doing a DNS query from my LAN because nslookup performs a WAN DNS query? Are you suggesting LibreOffice attempting to resolve a local host name with an Internet WAN DNS query is correct behavior? I am not claiming you are suggesting either one of these, and these issues are more to the point about the problem I am reporting.

An observation is nslookup of the local host name reproduces the Internet WAN DNS query behavior without any influence from the local host name being set to loopback or not. This is true for both the newer and older computers. Since it appears nslookup cannot fail to reproduce the Internet WAN DNS behavior, maybe it was not the best test to use, since it appears LibreOffice must use a different method of attempting the local host DNS query lookup.

tsu2 and nrickert, Yes adding the local host name to the loopback did stop the undesirable LibreOffice start up Internet WAN DNS behavior. I do not know if this fixed any LibreOffice problems or not by repairing the broken DNS query. Thank you.

A mystery still remains because the older computer never had this host name loopback setting and has never showed the LibreOffice start up Internet WAN DNS query behavior?

On 2013-01-06 01:36, Mike unique wrote:
>
> hcvv, You are also jumping to conclusions. I am not a networking guy and
> I did not need to consult the Wireshire documentation to run a test and
> report that it reproduced the observed behavior on Wireshark. Are you
> suggesting that Linux is incapable of doing a DNS query from my LAN
> because nslookup performs a WAN DNS query? Are you suggesting
> LibreOffice attempting to resolve a local host name with an Internet WAN
> DNS query is correct behavior? I am not claiming you are suggesting
> either one of these and these issues are more to the point about the
> problem I am reporting.

Applications can not differentiate whether they are doing a local search
or an internet search. They get a name, and ask the configured
nameserver to resolve it. That nameserver can be local or remote, it
doesn’t matter and the application does not care: it just asks the DNS
server that you told it to use.

In the wireshark output you copied in your first post, LO is asking of
74.211.x.x, a DNS outside, for the IP address of linux4x, a local name.
There is absolutely nothing wrong there… except perhaps you
configuring 74.211.x.x as the DNS.

> An observation is nslookup of the local host name reproduces the
> Internet WAN DNS query behavior without any influence from the local
> host name being set to loopback or not.

Of course, because nslookup ignores the hosts file, as documented.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Here’s how that works.

When a program wants an IP address, it use a library call to gethostbyname() (or something similar). If an answer to that is available locally, then that is used. Otherwise DNS is consulted. Adding the local hostname to the loopback makes sure that the answer is available locally, so DNS is not required.

“nslookup”, however, is special. It will always consult DNS and ignore a locally available name. That’s its purpose.

You are talking a lot, but as long as you do not post the output of the command I gave you, there is no need to explain further.

As others alrady tried to explain, there is no such thing as a local/LAN DNS server and a remote/WAN DNS server for a system. There is just the DNS server (and up to two fallbacks). And you should have shown what they are in your system by now by the command I gave.

Also , I did not say you should have read the Wireshire documentation before doing nslookup, you should have read it before interpreting the Wireshire output that you showed in your first post. Then you would have known what the field witth the hex number means. And you wouldn’t have panicked in fear of being hacked and you wouldn’t have spoiled your time reinstalling and recreating all your file systems.