10 Replies Latest reply: Dec 9, 2013 1:53 PM by victor99
omfowler Level 1 (10 points)

I have a relatively fresh install of Mountain Lion on a new MBP Retina.

 

I recently installed iStat Menus to keep an eye on resource usage and noticed that there is around 70KB of network activity every 15 minutes or so.  It's pretty continual and lasts for around 5 minutes.  This is with no user/foreground applications running.

 

I was curious about what the traffic was, so I installed Wireshark to take a look at the traffic.  I left a capture running for a while until I grabbed the activity in question.

 

Looking at the capture decode, it looks like the traffic is made up entirely of DNS queries to e3191.c.akamaiedge.net over TCP.  The queries come from the Mac, and valid, non-error responses come back from my router. Then the same query is made again.  Over and over.

 

It's not a big problem, but it does suggest that there's a bug with some piece of code.  I still don't know what's triggering the requests: something in OS X itself or some third-party code.

 

Has anyone seen behavior like this or have any idea what it might be about?  How about a way to narrow down the offending software?

 

Curiously,

Oscar


MacBook Pro with Retina display
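The repeated-query pattern described in the post above can be checked mechanically. The following is an added example, not part of the original thread: it splits a DNS-over-TCP payload stream on its 2-byte length prefixes and counts queries that are re-sent after a non-error response has already arrived. The sample bytes are constructed, and it assumes both directions of the exchange have been concatenated in capture order; `build_msg`, `repeats_after_answer` and `example.com` are illustrative names.

```python
import struct
from collections import Counter

def build_msg(txid, name, response=False):
    """Constructed test helper: one TCP-framed DNS message with a single A question."""
    flags = 0x8180 if response else 0x0100  # response/NOERROR vs. plain query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix used over TCP

def split_tcp_stream(stream):
    """Yield each DNS message from a TCP payload stream (RFC 1035, section 4.2.2)."""
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break  # capture ended mid-message
        yield stream[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_question(msg):
    """Return (is_response, rcode, qname, qtype) for the first question in msg."""
    _txid, flags, qdcount = struct.unpack_from("!3H", msg, 0)
    if qdcount < 1:
        raise ValueError("message carries no question")
    pos, labels = 12, []
    while (n := msg[pos]) != 0:
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack_from("!2H", msg, pos + 1)
    return bool(flags & 0x8000), flags & 0x000F, ".".join(labels).lower(), qtype

def repeats_after_answer(stream):
    """Count queries re-sent for a (name, qtype) that already got a NOERROR response."""
    answered, repeats = set(), Counter()
    for msg in split_tcp_stream(stream):
        is_response, rcode, name, qtype = parse_question(msg)
        if is_response and rcode == 0:
            answered.add((name, qtype))
        elif not is_response and (name, qtype) in answered:
            repeats[(name, qtype)] += 1
    return repeats

# Constructed sample: three query/response pairs for the name from the post, then one unrelated query.
SAMPLE = b"".join(build_msg(i, "e3191.c.akamaiedge.net", r)
                  for i in (1, 2, 3) for r in (False, True)) + build_msg(9, "example.com")
print(dict(repeats_after_answer(SAMPLE)))
```
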
  • Linc Davis Level 10 (165,360 points)

    That's a CDN used by Apple and Adobe, among others. Run "lsof -i" to see where the connections are coming from, if you care.

  • omfowler Level 1 (10 points)

    Unfortunately, "lsof -i" doesn't show anything useful.  I assume this is because the connections are only up temporarily in order to make the query, after which they're immediately torn down again.

     

    I ran the command while the described network activity was in progress and just see this (none of these are the DNS traffic):

     

    $ lsof -i
    COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    SystemUIS   278  omf    6u  IPv4 0x6ac3ab0520698871      0t0  UDP *:*
    SystemUIS   278  omf    8u  IPv4 0x6ac3ab0534df22d9      0t0  TCP localhost:65415->localhost:5204 (ESTABLISHED)
    SystemUIS   278  omf   11u  IPv4 0x6ac3ab0543a675f9      0t0  TCP localhost:65416->localhost:5204 (ESTABLISHED)
    SystemUIS   278  omf   12u  IPv4 0x6ac3ab054392d789      0t0  TCP localhost:65417->localhost:5204 (ESTABLISHED)
    NetworkBr   282  omf    5u  IPv4 0x6ac3ab051f9e81c9      0t0  UDP *:*
    ubd       22317  omf   20u  IPv4 0x6ac3ab0534fa45f9      0t0  TCP *:57279 (LISTEN)
    ubd       22317  omf   21u  IPv6 0x6ac3ab0521ebd899      0t0  TCP *:57279 (LISTEN)

     

     

    I ran Wireshark at the same time and saw the same continuous DNS queries for the Akamai CDN.

     

    Even if lsof did show the DNS query TCP connection, I doubt it would identify anything other than some core system process.  In most cases, the application would make a query to the OS, and the OS would execute the query.  As far as I know, lsof will only show which process established the connection, not which process initiated the query.

  • omfowler Level 1 (10 points)

    I realized I should've used "sudo" after posting this, so I tried again and I do see the DNS query connection.  It comes from the process mDNSRespo running as "_mdnsresponder".  I imagine a standard DNS query initiated by any process would end up being handled by mDNSResponder?

  • Linc Davis Level 10 (165,360 points)

    Yes.

  • omfowler Level 1 (10 points)

    I have a better idea of what's happening:

     

    Every once in a while, I can't get on the Internet at home with my iOS devices.  Every time this happens, clearing out the DNS cache on my home router fixes the problem.  It has something to do with the DNS resolution for the Akamai CDN Apple uses, but I haven't taken the time to figure out exactly what's getting "stuck".

     

    While observing this continual-DNS-query issue on my MBP, I tried clearing the DNS cache on my home router and the traffic (queries) coming from the MBP immediately stopped.

     

    Whatever the issue is, it seems to be related to the same Akamai DNS weirdness I've seen in the past.

     

    The continual-DNS-query behavior is still a bug, I'd say, but at least I can dig into why clearing the router's DNS cache seems to fix the problem.

  • Flectabis Level 1 (0 points)

    anything more on that topic? (ideally: how to disable the lookups)

    i often have to dig through pcap dumps and every time i see one of these queries it annoys me because they are completely useless. it's like asking a directory service for your mom's phone number every ten minutes but only actually calling her once a year.

    make it go awaaaay o.O

  • Shootist007 Level 6 (16,650 points)

    It's some software on your system checking the licensing and/or making sure it can check the licensing. More than likely something from Adobe.

  • funman95 Level 1 (0 points)

    It's for XProtect (Apple's built-in Anti-Malware Software)

  • Headphone_Jack Level 1 (0 points)

    Apple uses Akamai for its content distribution (App Store downloads, Software-Updates, XProtect, ...) and the DNS request you see is Akamai's technology to figure out what's the closest server to you to speed things up. So this is no bug or some hidden "home calling" feature which will threaten your privacy. There is no content or Usage Statistics in those messages. It's nothing bad, OS X is just very noisy.

    Second, some of those DNS requests are probably part of DNS-SD, a Zero-Configuration mechanism. Look here: http://en.wikipedia.org/wiki/Zero_configuration_networking#Service_discovery

    I think they are those PTR dr._dns-sd._udp.lan requests, also with a huge akamaiedge reply.

     

    You can disable this feature, here:

    http://support.apple.com/kb/HT3789#

  • victor99 Level 1 (0 points)

    That last link is not working.