Re: Norton NIS autoblocks cable modem DNS Scan

On Mar 12, 7:24 pm, "RedForeman" <RedFore...@xxxxxxxxx> wrote:
On Mar 7, 5:03 pm, development...@xxxxxxxxx wrote:

Hi all

The problem I have is this: every few hours, one of the computers (any
not a particular one) will have a partial failure of internet
I can't browse the web but email, skype and FTP still work. After
30 minutes the problem rights itself. The other computers in the
network don't usually experience this problem in the same time (i.e.
they are fine except the one that does't work). I thought my router
has a hardware problem but then I noticed that every time the problem
happens, just before it my NIS 2003 reports a "portscan" of (domain 53-> this means port 53, I gather).
I have a 3COM router and win2k home network of PC's.

Apparently it is because the NIS2003 autoblocks the for 30
minutes after each
'attack'. I can only assume that this is some kind of periodicDNS
ping by the system.

With the aid of this useful site,

I learnt that for cable modems I might have to add the Default gateway
(the site refers to the 'modem' address but If I have a router I am
guessing that is the same)
to the trusted zone (perhaps at least for port 53?)
Or I could set up a rule for NIS2003 to trust all traffic on port 53,
does anyone know which is safer?

If I set to be a trusted address, doesn't that mean that
attacks could originate
from there?

I can set it to allow only port 53 from, but is thisDNS
request TCP,UDP, both or ICMP?

What would be the least security vulnerable solution?


Below is additional configuration info.

I have tried to have the PC's configured statically (withDNS
as well as DHCP automatic config, it doesn't imrove the issue.
If I disable NIS 2003 and then immediately enable it, internet
I scanne all open ports with a web security site and it reports that
only port 113 is closed (the rest are stealthed).

NIS (Norton internet security) 2003. All
PC's in the network have Win2k, SP5 IE6 SP1, and NIS 2003 with all of
the updates. L2TP Cable internet is through 3Com wireless
Officeconnect 3CRWE554G72T router.

FWIW, I used to be a field service technician and one of the biggest
hassles I faced were PCs with NIS installed. IMO, any computer that
has NIS installed, and the user is a techie-geek like me, would be
better off using something much less frustrating than NIS, usually,
independant software that isn't integrated together like NIS. NAV is
great... but the package suite is way too fluffy and bloats the OS
pretty bad. Needless to say, to uninstall it sometimes causes even
MORE problems...

good luck- Hide quoted text -

- Show quoted text -

Thank you for replying. However all I would like to know whether this
phenomenon is an attack or it can be safely given an "allow" rule in
NIS. I get it 10-15 times a day now,
all from (the router address of course) and every time
from a different port (1000-5000). If I tell NIS to allow all traffic
from said IP, that is the same as disabling NIS altogether, isn't it?