Strange CUPS attempts

[SeaDude]

I get these CUPS attempts at least 1x / session.

I thought CUPS was a printer protocol...?

Most are not from recognizable URLS, they are usually go to arpa something or other...

[SeaDude]

Some more:

[SeaDude]

[gustavo-iniguez-goya]

hi @SeaDude ,

That seems a collision of IPs and domains. Those domains seem to be cached with the IP 127.0.0.53.

Could you add a rule to allow connections from dnsmasq, systemd-resolved, etc to 127.0.0.53 and port 53?
Remove existing rule to allow the stub resolver, and when it prompts you to allow a DNS request select those fields from the popup.

And restart the daemon.

[wasv]

The two arpa domains are totally normal to see. Domains ending in .arpa are mostly used to map ip addresses to domain names (instead of domain names to ip addresses like usual).
The parts of the IP addresses are in reverse order in the domain so that if someone ones all of 129.21.x.x they can be assigned 21.129.in-addr.arpa and any subdomains.
In your case, its trying to see if theres a domain name associated with 172.10.20.14 or fe80::[something]. Both of those are private addresses on your LAN. My assumption is that cups is trying to see if a device on your network has a hostname it can display instead of just an IP address.

Source: https://www.iana.org/domains/arpa

The youtubei.googleapis.net one is quite strange though. That I do not have an explanation for and likely warrants some deeper investigation.

[evilsocket]

I think it's related :) https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/