System is SCO Openserver 5.0.2, connected to private network with 3 routers
and two kilostream links, plus ISDN dial-up to internet with NAT.

I have what (to me at least) seems to be a strange problem. I recently
added internet access to our network, using the ISDN and NAT capabilities
of one of our routers. The only incoming connection allowed is for SMTP
mail. To allow for DNS to work properly, I have set up our internal DNS
with pointers to Demon's name servers.

The problem is, the internet link started opening every 15 minutes, regular
as clockwork. Looking at the NAT entries in the router I found that the
cause was TCP packets from the openserver machine on port 53 (DNS)
addressed to I have checked everything I can think of
(including dumping the DNS database with sigint) and cannot find any
reference to this address.

The only hint I do have is that a maintainer temporarily used this address
on one of the remote routers when setting up another link. However, this
address has been removed, all the routers have been restarted, the OS5
machine has been restarted - but the problem persists.

As a temporary measure, I configured the router to block these packets
(which seem to come in groups of nine) - and after a day or so they
stopped. But after re-booting the OS5 machine, they started again and then
stopped after a day or two.

Can anyone suggest a possible cause, or hints at where to look?

