linux
Konstantin, 2022-02-09 19:07:22

Why does the host utility make a UDP request to 127.0.0.1 on arbitrary ports?

Hello.

Debian 10
Opensnitch Firewall 1.4.0rc3
Domain names have been replaced or obscured.

In September 2021, I made a request through the host utility (/usr/bin/host) and after executing the command:

$ host -t txt _dmarc.domain.ru
Host _dmarc.domain.ru not found: 3(NXDOMAIN)

the opensnitch firewall blocks a UDP request from /usr/bin/host to 127.0.0.1:45671.

I can't figure out what this extra request is.
If this is a normal situation, then where in the source code can you see the functionality of this connection? I searched but did not find it.
Thank you.

Additional information for September 2021:

$ cat /etc/debian_version
10.10

$ cat /etc/resolv.conf
nameserver 10.139.1.1
nameserver 10.139.1.2

$ sudo netstat -nlptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address State PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:* LISTEN   569/cupsd
tcp6       0      0 ::1:631                 :::* LISTEN      569/cupsd

$ dpkg -S /usr/bin/host
bind9-host: /usr/bin/host

$ dpkg -L bind9-host
/.
/usr
/usr/bin
/usr/bin/host
/usr/share
/usr/share/doc
/usr/share/doc/bind9-host
/usr/share/doc/bind9-host/changelog.Debian.gz
/usr/share/doc/bind9-host/changelog.gz
/usr/share/doc/bind9-host/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/host.1.gz

$ apt show bind9-host
Package: bind9-host
Version: 1:9.11.5.P4+dfsg-5.1+deb10u5
Priority: standard
Section: net
Source: bind9
Maintainer: Debian DNS Team <[email protected]>
Installed-Size: 368 kB
Provides: host
Depends: libbind9-161 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libdns1104 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libisc1100 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libisccfg163 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), liblwres161 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libc6 (>= 2.14), libcap2 (>= 1:2.10), libcom-err2 (>= 1.43.9), libfstrm0 (>= 0.2.0), libgeoip1, libgssapi-krb5-2 (>= 1.6.dfsg.2), libidn2-0 (>= 2.0.0), libjson-c3 (>= 0.10), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), liblmdb0 (>= 0.9.6), libprotobuf-c1 (>= 1.0.0), libssl1.1 (>= 1.1.0), libxml2 (>= 2.6.27)
Homepage: https://www.isc.org/downloads/bind/
Tag: implemented-in::c, interface::commandline, network::client,
network::service, protocol::dns, protocol::ssl, role::program
Download-Size: 271 kB
APT-Manual-Installed: yes
APT-Sources: https://deb.debian.org/debian buster/main amd64 Packages
Description: служба DNS (более не рекомендуется)
Этот пакет устанавливает /usr/bin/host, позволяющую устанавливать соответствия между
доменными именами и IP-адресами, из поставки BIND 9.X.
.
Эта утилита считается устаревшей, используйте dig или delv из пакета dnsutils.


Screenshots - https://disk.yandex.ru/d/T5hAN6Kw9JSqcA
1-host-events.jpg - https://disk.yandex.ru/d/T5hAN6Kw9JSqcA/1-host-eve...
2-host-nodes.jpg - https://disk.yandex.ru/d/T5hAN6Kw9JSqcA/2-host-nod...

The owner of the resource requested that the real hostname not be used.

Screenshot description:

Screenshot "1-host-events.jpg"
2021-09-03 21:29:21.142442 - I make a request and get a response that the entry was not found.

$ host -t txt _dmarc.domain.ru
Хост _dmarc.domain.ru не найден: 3 (NXDOMAIN)


2021-09-03 21:29:21.160897 - A UDP connection to 127.0.0.1 on port 45671 is initiated the same second.

The "2-host-nodes.jpg" screenshot shows a bit more information about this connection. For some reason, the LastConnection time on the "Nodes" tab in the firewall is incorrect, so we don't take it into account.
The second screenshot shows that the connection was made to IP address 127.0.0.1, while other normal requests go to the local DNS server 10.139.1.1.
In the screenshot "2-host-nodes.jpg", two identical requests in the command line are highlighted in red and green, but with different values in the DstIp, DstHost, DstPort columns.

This is the first time I see /usr/bin/host trying to connect to port 127.0.0.1:45671.
Help me figure out what it is and why? I did not find any mention of port 45671 in the sources.

---

Also today, February 9, 2022, I found 2 more connection attempts to 127.0.0.1.

Screenshot - https://disk.yandex.ru/d/T5hAN6Kw9JSqcA/host_conne...
UDP connection attempt to 127.0.0.1:37195
$ host garors.com

Screenshot - https://disk.yandex.ru/d/T5hAN6Kw9JSqcA/host_conne...
UDP connection attempt to 127.0.0.1:50504
$ host ya.ru
ya.ru has address 87.250.250.242
ya.ru has IPv6 address 2a02:6b8::2:242
ya.ru mail is handled by 10 mx.yandex.ru.


Please tell me why such connections are created?

Additional information as of February 9, 2022:

$ cat /etc/resolv.conf
nameserver 10.139.1.1
nameserver 10.139.1.2

$ dpkg -S /usr/bin/host
bind9-host: /usr/bin/host


$ dpkg -l | grep bind9-host
ii  bind9-host                                    1:9.11.5.P4+dfsg-5.1+deb10u5                 amd64        DNS lookup utility (deprecated)


$ apt show bind9-host -a
Package: bind9-host
Version: 1:9.11.5.P4+dfsg-5.1+deb10u6
Priority: standard
Section: net
Source: bind9
Maintainer: Debian DNS Team <[email protected]>
Installed-Size: 368 kB
Provides: host
Depends: libbind9-161 (= 1:9.11.5.P4+dfsg-5.1+deb10u6), libdns1104 (= 1:9.11.5.P4+dfsg-5.1+deb10u6), libisc1100 (= 1:9.11.5.P4+dfsg-5.1+deb10u6), libisccfg163 (= 1:9.11.5.P4+dfsg-5.1+deb10u6), liblwres161 (= 1:9.11.5.P4+dfsg-5.1+deb10u6), libc6 (>= 2.14), libcap2 (>= 1:2.10), libcom-err2 (>= 1.43.9), libfstrm0 (>= 0.2.0), libgeoip1, libgssapi-krb5-2 (>= 1.6.dfsg.2), libidn2-0 (>= 2.0.0), libjson-c3 (>= 0.10), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), liblmdb0 (>= 0.9.6), libprotobuf-c1 (>= 1.0.0), libssl1.1 (>= 1.1.0), libxml2 (>= 2.6.27)
Homepage: https://www.isc.org/downloads/bind/
Download-Size: 271 kB
APT-Sources: https://deb.debian.org/debian-security buster/updates/main amd64 Packages
Description: служба DNS (более не рекомендуется)
 Этот пакет устанавливает /usr/bin/host, позволяющую устанавливать соответствия между
 доменными именами и IP-адресами, из поставки BIND 9.X.
 .
 Эта утилита считается устаревшей, используйте dig или delv из пакета dnsutils.

Package: bind9-host
Version: 1:9.11.5.P4+dfsg-5.1+deb10u5
Priority: standard
Section: net
Source: bind9
Maintainer: Debian DNS Team <[email protected]>
Installed-Size: 368 kB
Provides: host
Depends: libbind9-161 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libdns1104 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libisc1100 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libisccfg163 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), liblwres161 (= 1:9.11.5.P4+dfsg-5.1+deb10u5), libc6 (>= 2.14), libcap2 (>= 1:2.10), libcom-err2 (>= 1.43.9), libfstrm0 (>= 0.2.0), libgeoip1, libgssapi-krb5-2 (>= 1.6.dfsg.2), libidn2-0 (>= 2.0.0), libjson-c3 (>= 0.10), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), liblmdb0 (>= 0.9.6), libprotobuf-c1 (>= 1.0.0), libssl1.1 (>= 1.1.0), libxml2 (>= 2.6.27)
Homepage: https://www.isc.org/downloads/bind/
Tag: implemented-in::c, interface::commandline, network::client,
 network::service, protocol::dns, protocol::ssl, role::program
Download-Size: 271 kB
APT-Manual-Installed: yes
APT-Sources: https://deb.debian.org/debian buster/main amd64 Packages
Description: служба DNS (более не рекомендуется)
 Этот пакет устанавливает /usr/bin/host, позволяющую устанавливать соответствия между
 доменными именами и IP-адресами, из поставки BIND 9.X.
 .
 Эта утилита считается устаревшей, используйте dig или delv из пакета dnsutils.


[email protected]:~$ md5sum /usr/bin/host
9baaed6fcefa9c5528534d5996b2a886  /usr/bin/host


$ sudo netstat -nlptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      632/cupsd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      632/cupsd

none7, 2022-02-10
@mizugoji

Judging by the output of strace, host itself binds an arbitrary port to 127.0.0.1 for some reason and it is very likely that it sends packets to itself. That's why there is no point in fighting incoming connections from the loopback interface, especially if they go to non-administered services. Programs sometimes do this.
Why is host doing this? Yes, no one will say, because this code is deprecated.

Armenian Radio, 2022-02-10
@gbg

1. Take strace and see if the utility actually makes system calls that result in such packets being sent.
2. Compare the bitwise binary with what is in the distribution.
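The two checks in this answer, wrapped into a script, as an added example that is not code from anyone in this thread: step 1 traces only the network system calls of one `host` run and reduces them to a list of endpoints so that loopback traffic (the part the firewall flagged) can be told apart from the queries to the configured resolvers; step 2 compares the installed /usr/bin/host against the checksum dpkg recorded when the package was installed. The sample strace lines are constructed, patterned on strace's `-f -e trace=network` line format and using the addresses from the question; they are not a capture from the poster's machine. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread's participants. Two defender-side
# checks for the question above: (1) which endpoints does /usr/bin/host
# really talk to, per strace; (2) does the binary match what dpkg installed.

# 1. Trace only the network syscalls of one host(1) invocation into a file.
#    Usage: trace_host host.trace -t txt _dmarc.domain.ru
trace_host() {
  out=$1; shift
  strace -f -e trace=network -o "$out" host "$@"
}

# Reduce strace network lines to "syscall ip:port" (IPv4 sockaddr_in only).
# strace prints an IPv4 peer as sin_port=htons(N), sin_addr=inet_addr("A.B.C.D");
# with -f every line carries a pid prefix, which the leading [0-9 ]* skips.
summarize_endpoints() {
  sed -n 's/^[0-9 ]*\([a-z]*\)(.*sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([0-9.]*\)").*/\1 \3:\2/p'
}

# Keep only traffic aimed at the loopback interface. A bind() on 127.0.0.1
# followed by a sendto() to the same address from the same process is the
# program talking to itself; a sendto() to a loopback port that nothing in
# the trace bound would point at some other local listener instead.
loopback_only() {
  summarize_endpoints | awk '$2 ~ /^127\./'
}

# 2. Look up the md5 dpkg recorded for a file. Reads an md5sums file
#    (format: "<md5>  usr/bin/host", path relative to /) on stdin.
lookup_recorded_md5() {
  awk -v p="$1" '$2 == p { print $1 }'
}

# Compare an installed file with the owning package's recorded checksum.
# Returns 0 on match, 1 on mismatch, 2 if nothing is recorded for it.
verify_against_package() {
  path=$1
  rel=${path#/}
  pkg=$(dpkg -S "$path" | cut -d: -f1)
  [ -n "$pkg" ] || return 2
  recorded=$(cat /var/lib/dpkg/info/"$pkg".md5sums \
                 /var/lib/dpkg/info/"$pkg":*.md5sums 2>/dev/null \
             | lookup_recorded_md5 "$rel")
  if [ -z "$recorded" ]; then
    echo "no md5 recorded for $path in package $pkg" >&2
    return 2
  fi
  actual=$(md5sum "$path" | cut -d' ' -f1)
  if [ "$recorded" = "$actual" ]; then
    echo "OK       $path matches $pkg ($actual)"
  else
    echo "MISMATCH $path: dpkg recorded $recorded, file has $actual" >&2
    return 1
  fi
}

# Constructed sample in strace's -f -e trace=network format, built from the
# addresses in the question (127.0.0.1:45671, resolver 10.139.1.1). It is
# NOT a capture from the poster's machine.
sample_trace() {
  cat <<'EOF'
4242  socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 3
4242  bind(3, {sa_family=AF_INET, sin_port=htons(45671), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
4242  sendto(3, "\0", 1, 0, {sa_family=AF_INET, sin_port=htons(45671), sin_addr=inet_addr("127.0.0.1")}, 16) = 1
4242  socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 4
4242  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.139.1.1")}, 16) = 0
4242  sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="...", iov_len=40}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 40
4242  recvfrom(4, "...", 65535, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.139.1.1")}, [16]) = 98
EOF
}

# Demo on the constructed sample. The real run on a Debian box would be:
#   trace_host host.trace -t txt _dmarc.domain.ru
#   loopback_only < host.trace
#   verify_against_package /usr/bin/host
echo "loopback endpoints in the sample trace:"
sample_trace | loopback_only
```

In the sample the loopback lines are a `bind` and a `sendto` on the same 127.0.0.1:45671 from one pid, which is the "sends packets to itself" pattern the other answer describes, while the actual DNS query goes to 10.139.1.1:53. `verify_against_package` only proves the file matches what dpkg recorded on the same machine; `debsums bind9-host` does the same job for the whole package. For a comparison that does not trust anything already on the host, download the package again with `apt-get download bind9-host` and compare the file from that .deb with the installed one, which is what step 2 of this answer asks for.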
