Re: DNS queries in Windows XP Professional (SP2)



My guess is it is nothing to worry about though you may want to search Google for "Zone Alarm forum" for more specific information. I think ZA is probably the best personal firewall for the vast majority of computer users as it is fairly simple to set up and use which is important. If you want to try something else I always liked Sygate as a more advanced personal firewall. I don't know if it is free anymore however though it should still be free to try. Sygate has extensive logging capabilities. See the link below if you want to try it out. --- Steve

http://www.tucows.com/preview/213160

"twixt" <twixt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A8FEC21F-80DA-485C-8550-CE5BEFECA2EC@xxxxxxxxxxxxxxxx
I think it's a bug in the firewall (ZoneAlarm). It is logging traffic to other servers as traffic on port 53.

Whether this is purely a problem in logging or whether it is a fundamental problem with the engine underneath, I have no idea. Anyway I'll take it up with them.

In the meantime, anyone know of a good software firewall?



"twixt" wrote:

Dan and Steven, thanks for your posts.


Dan:

The DNS servers assigned by my ISP are 202.92.94.131 and 203.82.162.7. When I try nslookup for valid hosts I do receive an answer but it is stamped "Non-authoritative answer:". Whereas if I try a non-existent it returns "can't find www.zxcv.com.au: Non-existent domain".


Steven:

Thanks for your reassurance.

I appreciate the tips about HTTPS and doing malware and spyware scans in safe mode. I haven't ever scanned in safe mode (but I am religious about keeping my definition files up to date). Is it possible for scans in normal mode to miss things? I understand that it is sometimes necessary to go to safe mode to get rid of certain infections once you've discovered them. But would the same scans in normal mode miss things?

As to Ethereal, I have decided to learn Greek. I think I've got the capturing part down. I am using this capture filter: "dst port 53 and not host 202.92.94.131 and not 203.82.162.7". So far Ethereal shows the captured traffic as "Standard query A www.microsoft.com". Should I be satisfied with the fact that Ethereal says it is a "Standard query"?

Thanks for your time.



"Steven L Umbach" wrote:

I have noticed that on my laptop and would not worry about it if legitimate applications are doing the requests. I have not really looked into it but my guess is that the application is somehow [I don't know exactly how offhand] specifying the DNS server to use instead of the default one specified in tcp/ip properties. Ethereal would show if they are DNS queries or not since DNS queries are very simple. The DNS client asks the DNS server for the IP address of a host computer and the DNS server usually either provides the IP address or says it cannot be found. There could be a risk if a malicious application could tell your computer to use a bogus DNS server that has bogus records that return the incorrect IP address to your computer. This and other reasons are why it is very important to make sure you have an https SSL secure website connection before you enter any sensitive information into a web request. You will always see that bogus phishing attempts to redirect you to a bogus website are not using https SSL when asking for sensitive information.

You can try to use ping -a to find more information about the destination server and DNS servers usually start with ns or such in their name. When you do your scans for malware and spyware be sure you are using the latest definitions for each program and that you also occasionally scan in Safe Mode. --- Steve

http://www.arin.net/whois/ --- also use this link to find information on public IP which may or may not be of help.

"twixt" <twixt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8C77973D-FD2D-4B12-A363-5E09E36A2F2C@xxxxxxxxxxxxxxxx
My firewall is logging frequent attempts by programs on my computer (such as Lotus Notes, Firefox or the Spooler SubSystem App (c:\windows\system32\spoolsv.exe) to communicate with (seemingly random) servers on the internet on port 53. They are not attempting to access the DNS servers configured in my network settings.

Does this mean that I have some sort of infection?

I have scanned my hard disk with several anti-virus and anti-malware
programs and have so far discovered nothing ominous.

Is there a way of discovering whether they are doing genuine DNS queries or not? I had a quick look at Ethereal for example. Unfortunately with my level of knowledge the output was all Greek to me. (Make that ancient Greek mixed with higher, pure mathematics.)

Are programs running on XP supposed to use some sort of Windows process to do DNS lookups? Are they supposed to only query those DNS servers in the network configuration (see ipconfig /all) or is it normal for every (reputable) program to do their own lookups to their favourite DNS servers?
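The question running through this thread is whether a packet sent to port 53 is really a simple DNS query (what Ethereal labels "Standard query A www.microsoft.com") and whether it went to one of the configured resolvers. The following script is an added example, not code from any poster: it decodes the 12-byte DNS header and the question section of a UDP payload by hand and reports the same verdict Ethereal would, flagging datagrams that are not standard queries or that go to a resolver other than the two ISP addresses named in the thread. The packets are constructed in the script; the off-resolver address 198.51.100.9 is a documentation-range placeholder.

```python
import struct

# Resolvers named in the thread (twixt's ISP); any other destination is "off-resolver".
CONFIGURED_RESOLVERS = {"202.92.94.131", "203.82.162.7"}

def _read_qname(data, off):
    """Parse an uncompressed question name starting at off; return (name, new_off)."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n > 63 or off + n > len(data):
            raise ValueError("bad label length")
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def classify(dst_ip, payload):
    """Return an Ethereal-style verdict for a UDP datagram sent to dst_ip port 53."""
    where = "configured resolver" if dst_ip in CONFIGURED_RESOLVERS else "OFF-RESOLVER"
    if len(payload) < 12:
        return f"{where}: not DNS (shorter than a DNS header)"
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr != 0 or opcode != 0:
        return f"{where}: not a standard query (QR={qr}, opcode={opcode})"
    if (qd, an, ns, ar) != (1, 0, 0, 0):  # plain query: one question only (EDNS adds ar=1)
        return f"{where}: unusual section counts {qd}/{an}/{ns}/{ar}"
    try:
        qname, off = _read_qname(payload, 12)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    except (ValueError, struct.error):
        return f"{where}: malformed question section"
    if off + 4 != len(payload) or qclass != 1:
        return f"{where}: extra bytes or non-IN class after question"
    kind = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}.get(qtype, f"type {qtype}")
    return f"{where}: Standard query {kind} {qname}"

def make_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a minimal recursion-desired standard query."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    print(classify("203.82.162.7", make_query("www.microsoft.com")))
    print(classify("198.51.100.9", b"GET / HTTP/1.0\r\n\r\n"))  # something else on port 53
```

A datagram that parses cleanly is only evidence that the bytes are a well-formed query; which program sent it and why it chose that resolver still has to come from the firewall log, as the thread discusses.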
