Netiquette icon indicating copy to clipboard operation
Netiquette copied to clipboard
verified publisher icon objective-see

Issue: Netiquette shows LISTEN as a random domain

Open jamesyc opened this issue 5 months ago • 0 comments

Screenshot of Netiquette:

Image

Note, this process is a part of Tailscale.app, but I actually don't think the app is super relevant to the bug here.

Note the 2 entries that say "uspider.yuanshen.com". That's strange, since I am not on the same network as uspider.yuanshen.com

Running lsof shows a much more accurate picture:

➜  ~ sudo lsof -P -i -a -p 9935
COMMAND    PID       USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
IPNExtens 9935 james   14u  IPv4 0x7784148cdc247cd7      0t0  TCP macbookpro.localdomain:50224->ec2-52-207-202-187.compute-1.amazonaws.com:443 (ESTABLISHED)
IPNExtens 9935 james   16u  IPv4 0xef7037274c50df02      0t0  TCP localhost:50225 (LISTEN)
IPNExtens 9935 james   19u  IPv6 0x9e7de16dcfa95b63      0t0  UDP *:41641
IPNExtens 9935 james   20u  IPv4 0x486c48274b204f2c      0t0  UDP *:41641
IPNExtens 9935 james   22u  IPv4 0x317d9586a50be055      0t0  TCP macbookpro.localdomain:50228->ec2-52-207-202-187.compute-1.amazonaws.com:443 (ESTABLISHED)
IPNExtens 9935 james   23u  IPv4 0x8a6f075155dcf310      0t0  TCP macbookpro.localdomain:50365->lb.fra.tailscale.com:443 (ESTABLISHED)
IPNExtens 9935 james   24u  IPv4 0x4c9a30b29f8182a7      0t0  TCP localhost:50225->localhost:50229 (ESTABLISHED)
IPNExtens 9935 james   30u  IPv4 0x851df9b5f9f34b01      0t0  TCP *:64785 (LISTEN)
IPNExtens 9935 james   31u  IPv6 0xd2b48a6a46b67e61      0t0  TCP *:60539 (LISTEN)
IPNExtens 9935 james   35u  IPv4 0x6fa95b51a05257f7      0t0  TCP macbookpro.localdomain:50253->derp17c.tailscale.com:443 (ESTABLISHED)

The line of note: IPNExtens 9935 james 30u IPv4 0x851df9b5f9f34b01 0t0 TCP *:64785 (LISTEN)

This is just port 64785 doing a LISTEN on my local machine! Why is Netiquette showing uspider.yuanshen.com ?

Relevant DNS information:

➜  ~ dig uspider.yuanshen.com
; <<>> DiG 9.10.6 <<>> uspider.yuanshen.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15701
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;uspider.yuanshen.com.		IN	A

;; ANSWER SECTION:
uspider.yuanshen.com.	600	IN	CNAME	alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com.
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 47.116.12.211
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 101.133.168.82
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 101.133.163.1
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 47.116.77.93
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 47.116.25.198
alb-bcfcnsharkg4dnslsj.cn-shanghai.alb.aliyuncs.com. 60	IN A 47.116.77.88

;; Query time: 60 msec
;; SERVER: 100.100.100.100#53(100.100.100.100)
;; WHEN: Thu Jul 31 03:14:44 PDT 2025
;; MSG SIZE  rcvd: 207

This is strange, since my home public IP address is 107.190.247.50. (Don't worry, mp ip is dynamic, and my ISP does cgNAT, so I share this IP with hundreds or thousands of people). The A records in the DNS entries definitely don't match.

This is a weird bug in the DNS lookup for Netiquette, I think, since lsof seems to get the information correct.

jamesyc avatar Jul 31 '25 10:07 jamesyc