DNS queries for 3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa

I started up Nirsoft DNSQuery app and noticed that something is making repeated queries for
2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
plus
3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
and
252.0.0.224.in-addr.arpa

A thread on Reddit seems to indicate that people who were using Glasswire noticed this traffic and it disappeared once Glasswire was uninstalled. Is Glasswire making these DNS queries?

I have never seen this reported before, but I’ll see what I can find out.

GlassWire does nslookups on the hosts you connect to so you can see what they resolve to. For example, if you connect to an IP address we can show that IP resolves to Google.com, Microsoft.com, etc…

You can also do an nslookup yourself with your Windows Command Prompt. Just type in nslookup, then a host name.

If you don’t want to know the host you are connecting to and just see the IP address you can choose to do that with GlassWire.

How to disable nslookups with GlassWire
First create a “glasswire.conf” file with your Notepad application.
Inside the GlassWire.conf text file created by Notepad please insert this text:
hostname_enable_nslookup = false
Please move the .conf file to C:\programdata\GlassWire\service
Reboot your PC.

Now GlassWire doesn’t do nslookups anymore.

Please note doing nslookups isn’t dangerous and should not cause any latency or network problems; it’s just useful information to help you see what servers you are connecting to. Only your configured DNS server is contacted and the remote server shouldn’t even know you did the nslookup on it.

More info - It also looks like maybe those addresses are just your local DNS servers, or loopback DNS servers of some type (Pi-hole software)? I could be wrong though. So I guess it’s just showing GlassWire is doing nslookups (as it should). If you don’t like that you can disable it, but it makes GlassWire less useful.

It was indeed Glasswire that was repeatedly performing all those NSLookups on the suspect addresses. Once I changed the nslookup line in the existing .conf file and rebooted, the DNSQuerySniffer app showed no more of these failed attempts being performed. I switched the setting back to true once I determined Glasswire was the source of the DNS queries.

I’m glad you found it was GlassWire doing the nslookups. Browsers and many other applications do nslookups, and they are not dangerous.

Also I have read that the server that is looked up cannot see you did an nslookup on them, because the nslookup is done by your DNS server.
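
The three names in the question are reverse-lookup (PTR) names, which encode an IP address backwards. As an added example (not part of the thread and not GlassWire code), this Python decodes such names and reports whether the address is a multicast group; the function names and the small group table are assumptions of the example.

```python
import ipaddress

# Well-known multicast groups from the IANA registries; only the three
# addresses that the thread's names decode to are listed here.
KNOWN_GROUPS = {
    "224.0.0.252": "LLMNR (IPv4)",
    "ff02::1:2": "All DHCPv6 relay agents and servers",
    "ff02::1:3": "LLMNR (IPv6)",
}
HEX = "0123456789abcdef"

def ptr_to_address(name):
    """Turn a reverse-lookup (PTR) name back into the IP address it encodes."""
    labels = name.rstrip(".").lower().split(".")
    suffix, parts = labels[-2:], labels[:-2]
    if suffix == ["in-addr", "arpa"]:
        if len(parts) != 4:
            raise ValueError("in-addr.arpa name needs 4 octets: %r" % name)
        # Octets are stored least-significant first; reverse them.
        return ipaddress.IPv4Address(".".join(reversed(parts)))
    if suffix == ["ip6", "arpa"]:
        if len(parts) != 32 or not all(len(n) == 1 and n in HEX for n in parts):
            raise ValueError("ip6.arpa name needs 32 hex nibbles: %r" % name)
        # One label per hex nibble, also least-significant first.
        return ipaddress.IPv6Address(int("".join(reversed(parts)), 16))
    raise ValueError("not a reverse-lookup name: %r" % name)

def describe(name):
    """Decode a PTR name and summarise what kind of address it points at."""
    addr = ptr_to_address(name)
    return {
        "address": str(addr),
        "multicast": addr.is_multicast,
        "group": KNOWN_GROUPS.get(str(addr), "unknown"),
    }

if __name__ == "__main__":
    # The three names reported in the question.
    thread_names = [
        "2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa",
        "3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa",
        "252.0.0.224.in-addr.arpa",
    ]
    for n in thread_names:
        print(n, "->", describe(n))
```

A PTR query for a multicast group address has no host record to return, which is consistent with the failed lookups DNSQuerySniffer showed.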