Unbound-Control.exe outgoing connections

Francis Turner francis at threatstop.com
Mon Jan 29 04:51:11 UTC 2024


I can't explain why unbound-control would want to make that connection. I would expect a Windows machine to make that kind of connection, though, as it's something to do with Microsoft updates.

Specifically array612.prod.do.dsp.mp.microsoft.com resolves to the IP address 20.54.24.148

From https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints

The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.

TLSv1.2/HTTPS/HTTP    *.prod.do.dsp.mp.microsoft.com


-----Original Message-----
From: Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> On Behalf Of RagG via Unbound-users
Sent: Monday, January 29, 2024 5:33 AM
To: unbound-users at lists.nlnetlabs.nl
Subject: Unbound-Control.exe outgoing connections

Hi, Has anyone any idea of why on rare occasions Unbound-control.exe wants to make the connection detailed below?

They pop up at random times and for no apparent reasons. I thought this program was (mainly) to control the local instance.

Thanks

Outgoing connection - TCP(6)
From: Unbound Remote Control Tool
To: 20.54.24.148
Dublin, Ireland
Application: unbound-control.exe
Process Id: Process 10956
Local Address: <My IPv4 address> Port 56817
Remote Address: 20.54.24.148 Port 443 Whois

===========================================

C:\>dig -x 20.54.24.148

; <<>> DiG 9.17.14 <<>> -x 20.54.24.148
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43656
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;148.24.54.20.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
24.54.20.in-addr.arpa.  157     IN      SOA     ns1-01.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jan 21 17:16:21 GMT Standard Time 2024
;; MSG SIZE  rcvd: 140

===========================================


Whois information:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#


NetRange:       20.33.0.0 - 20.128.255.255
CIDR:           20.33.0.0/16, 20.40.0.0/13, 20.128.0.0/16, 20.64.0.0/10, 20.36.0.0/14, 20.34.0.0/15, 20.48.0.0/12
NetName:        MSFT
NetHandle:      NET-20-33-0-0-1
Parent:         NET20 (NET-20-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Microsoft Corporation (MSFT)
RegDate:        2017-10-18
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/20.33.0.0


OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2023-11-17
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.  
Comment:        
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse at microsoft.com.  
Comment:        
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure at microsoft.com.  
Comment:        
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc at microsoft.com
Comment:        
Comment:        For routing, peering or DNS issues, please 
Comment:        contact:
Comment:        * IOC at microsoft.com
Ref:            https://rdap.arin.net/registry/entity/MSFT


OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse at microsoft.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/MAC74-ARIN

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  IOC at microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/MRPD-ARIN

OrgTechHandle: SINGH683-ARIN
OrgTechName:   Singh, Prachi 
OrgTechPhone:  +1-425-707-5601
OrgTechEmail:  pracsin at microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/SINGH683-ARIN

OrgTechHandle: BEDAR6-ARIN
OrgTechName:   Bedard, Dawn 
OrgTechPhone:  +1-425-538-6637
OrgTechEmail:  dabedard at microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/BEDAR6-ARIN

OrgTechHandle: IPHOS5-ARIN
OrgTechName:   IPHostmaster, IPHostmaster 
OrgTechPhone:  +1-425-538-6637
OrgTechEmail:  iphostmaster at microsoft.com
OrgTechRef:    https://rdap.arin.net/registry/entity/IPHOS5-ARIN

OrgRoutingHandle: CHATU3-ARIN
OrgRoutingName:   Chaturmohta, Somesh 
OrgRoutingPhone:  +1-425-882-8080
OrgRoutingEmail:  someshch at microsoft.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/CHATU3-ARIN



Regards
Ray
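
An added example, not part of the original thread: a small triage helper that checks the two destination facts discussed above, namely whether the alerted address falls inside a CIDR block from the pasted WHOIS record and whether the hostname matches the documented `*.prod.do.dsp.mp.microsoft.com` wildcard. The function names and the trimmed WHOIS sample are constructed for illustration.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Constructed sample: fields copied from the WHOIS output in the thread,
# keeping the mail-wrapped continuation of the CIDR line.
WHOIS_TEXT = """\
NetRange:       20.33.0.0 - 20.128.255.255
CIDR:           20.33.0.0/16, 20.40.0.0/13, 20.128.0.0/16, 20.64.0.0/10,
20.36.0.0/14, 20.34.0.0/15, 20.48.0.0/12
NetName:        MSFT
Organization:   Microsoft Corporation (MSFT)
"""

# Wildcard quoted in the thread from Microsoft's endpoint documentation.
DOCUMENTED_ENDPOINT = "*.prod.do.dsp.mp.microsoft.com"


def whois_cidrs(text):
    """Collect every network in the CIDR field, following wrapped lines."""
    nets, in_cidr = [], False
    for line in text.splitlines():
        field = re.match(r"^(\w+):\s*(.*)$", line)
        if field:                      # a new "Key: value" field starts here
            in_cidr = field.group(1) == "CIDR"
            value = field.group(2)
        else:                          # continuation of the previous field
            value = line
        if in_cidr:
            for cidr in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", value):
                nets.append(ipaddress.ip_network(cidr))
    return nets


def triage(remote_ip, hostname, whois_text):
    """Return the most specific covering CIDR and the wildcard match result."""
    ip = ipaddress.ip_address(remote_ip)
    covering = [n for n in whois_cidrs(whois_text) if ip in n]
    best = max(covering, key=lambda n: n.prefixlen) if covering else None
    name = hostname.lower().rstrip(".")
    return {
        "network": str(best) if best else None,
        "endpoint_match": fnmatch(name, DOCUMENTED_ENDPOINT),
    }


if __name__ == "__main__":
    print(triage("20.54.24.148", "array612.prod.do.dsp.mp.microsoft.com", WHOIS_TEXT))
```

This only confirms who owns the destination; it says nothing about which local process opened the socket, which has to be checked on the host itself.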
