On a DELL PowerEdge T110 II, the pre-installed Windows Server 2012 R2 (Foundation edition) keeps requesting the page limwinsemea02.mfg.ie.dell.com over HTTP port 80. We know this because of a firewall log, which registers ~250k blocked requests in a few months. So far I have failed to figure out which service/startup component/process is causing this. What do I need to configure, uninstall or disable to make this "phone home" behavior stop without affecting normal server operation?
EDIT: Sysinternals Process Monitor revealed this:
Port 80 was a wrong interpretation or assumption. It is a UDP send towards 163.244.79.191 on the well-known port "netbios-ns" (decimal 137). That IP is in a range assigned to "Dell, Inc.".
PID 4 = "System"; the stack shows that besides ntoskrnl.exe, netbt.sys and tdx.sys are involved.
I understand now that the NetBIOS protocol is involved, but why (and where) is it configured to flood that DELL address with multiple connects per second?
EDIT 2: Wherever the domain or IP address is stored, it is not in the registry, or it is scrambled.
I'm reasonably certain that Process Monitor from Sysinternals will allow you to capture data to show which process is making the DNS request for that location.
If you use it to capture network activity, you'll see the PID and process name. Then look for UDP packets; you'll have to enter 'source IP:53' going to the DNS server and then the actual domain. I strongly suspect you'll have to faff about a bit with this to get it going right, though, sorry.
The protocol that uses port 137 (NetBIOS name resolution) works using broadcasts within the confines of the local LAN. It's not routable. Many people using a VPN to their workplace complain about not being able to resolve their work computers' network names and are presented with ideas to host one or more DNS servers here and there to overcome this limitation. Or they buy a specific VPN router that allows SMB over VPN.
The last time I saw someone opening their port 137 (8 or 9) to the public network was around 1998-1999, when we used dial-up internet on POTS lines, effectively opening ourselves to everyone. Oh, the nostalgia. So DELL probably does not have it open.
In the light of this, I see a slim possibility that this is intentional "home phoning". The System process (PID 4), which hosts some network services, lets NetBIOS (SMB) bombard everyone it can from its port 137, in order to e.g. announce the server's NetBIOS name and node type. Then the connection is left for a short time in some ending state, e.g. TIME_WAIT. The real question is why the heck MS still allows Windows to do what 16 years ago was regarded as stupid (see the 7th and 8th posts in this thread for mention of firewall logs being full of dropped SMB connections).
I think some app on your server might have been searching for updates, and that's how the server cached this IP, which then was subject to NetBIOS's behavior, which really is the culprit IMHO.
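To turn the diagnosis above into something checkable, here is an added PowerShell session (not from any post in this thread) that lists the NetBIOS-over-TCP/IP setting of each adapter, shows which PID holds UDP 137, disables NetBT on the adapters that still have it enabled, and adds a local outbound block for the address from the question. It assumes an elevated prompt on Windows Server 2012 R2 with the NetSecurity module present; the rule name is made up here.

```powershell
# Added example, not from the original thread. Run elevated on Server 2012 R2.
# 1. Current NetBIOS over TCP/IP setting per IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$adapters | Select-Object Description, IPAddress, TcpipNetbiosOptions | Format-Table -AutoSize

# 2. Which PID owns the UDP/137 socket right now (expect 4 = System, hosting netbt.sys).
netstat -ano -p UDP | Select-String -Pattern ':137\s'

# 3. Disable NetBIOS over TCP/IP wherever it is still enabled.
#    SetTcpipNetbios returns 0 on success, 1 when a reboot is still required.
foreach ($a in ($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 })) {
    $r = $a.SetTcpipNetbios(2)
    "{0}: SetTcpipNetbios returned {1}" -f $a.Description, $r.ReturnValue
}

# 4. Defence in depth: drop UDP/137 leaving this host towards the address seen
#    in the question, so the perimeter firewall log stops filling up even if
#    NetBT gets re-enabled by a later configuration change.
$dellIp   = '163.244.79.191'          # value quoted in the question
$ruleName = 'Block NetBIOS-NS to Dell IP'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort 137 -RemoteAddress $dellIp -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
```

Disabling NetBT also stops LAN name resolution for clients that still depend on NetBIOS names or WINS, so confirm that DNS resolves every host the server needs before applying step 3 in production.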