Advice pls on what is happening on my system
DComTalk.com Forum Index - DComTalk.com
Discussion of VoIP, VPN, video conferencing, DSL and other data communications.
DComTalk.com Forum Index -> Firewalls
Alix (Guest)
Posted: Fri Dec 09, 2005 4:14 pm    Post subject: Advice pls on what is happening on my system

BACKGROUND

I am on a cable connection in the UK with no other PCs or printers
attached. I use FILSECLAB's personal firewall.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in the UK I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.


OBSERVATIONS

Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

These entries have worried me because for the last week my PC has
been hesitating for several seconds before connecting to servers such
as www.google.com or an NNTP news server for the first
time. Subsequent connections seem as fast as usual.

Spybot (latest version with latest updates) reports nothing.


QUESTIONS FOR ANYONE

1: Which entries below are expected and which are unusual?

2: Have I got some subtle malware on my system?

3: How can I track back from these entries to find what programs
invoked NAMED.EXE to make these network connections?

4: Should I remove Treewalk or does it make no difference?


For the time being I have put these into my hosts file in order to
restrain them from connecting.


Thank you for any help.


-------- LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

NOTES:

(1) There were often several entries for each IP address but I have
listed only one.
(2) My IP address with port 1025 was always shown for each of these
entries
(3) The program associated with each entry was always Treewalk's
NAMED.EXE.
(4) In most cases, 70 bytes were sent and none received but for
192.5.6.30 (for which the IP lookup keeps failing) there was as much
as 10 KB of traffic in each direction!
(5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.

=====

38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

194.54.112.30 :53
FLUENTANO, Hostmaster Bergen Nett og Media, Norway

193.0.14.129 :53
Subnet for k.root-servers.net

192.5.6.30 :53
a.gtld-servers.net [sent 10595 bytes & received 11369 bytes]

192.26.92.30 :53
VeriSign Global Registry
192.26.92.32 :53
VeriSign Global Registry
192.33.14.30 :53
Verisign
198.41.0.4 :53
Verisign

202.12.29.59 :53
Asia Pacific Network Information Center, Australia

216.239.34.10 :53
Google [I have Google Desktop Search]

------- END LIST OF SELECTED FIREWALL MONITOR ENTRIES --------
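The monitor entries listed in the post above, run through an added triage script. This is not code from the thread, from TreeWalk or from Filseclab: the line layout of the sample log is constructed (the page does not show the monitor's real export format), and the address-to-hostname table is an assumption built from the root and gTLD server names the post itself records plus well-known root hints, so check it against a current named.root file before relying on it. The script separates traffic to root/TLD servers from traffic to other port-53 hosts, and flags the two things the thread ends up discussing: a non-resolver program talking on port 53, and heavy traffic to a root or TLD server.

```python
"""Triage firewall monitor entries produced by a local DNS server (added example)."""
import ipaddress
from collections import Counter

# ASSUMPTION: addresses of DNS infrastructure servers as of the thread's date;
# verify against a current root hints file before relying on this table.
KNOWN_INFRA = {
    "198.41.0.4": "a.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "192.5.6.30": "a.gtld-servers.net",
    "192.33.14.30": "b.gtld-servers.net",
    "192.26.92.30": "c.gtld-servers.net",
}

# Constructed sample lines in an assumed layout:
# "<remote_ip>:<remote_port> <program> sent=<bytes> recv=<bytes>"
SAMPLE_LOG = """\
193.0.14.129:53 named.exe sent=70 recv=0
192.5.6.30:53 named.exe sent=10595 recv=11369
198.41.0.4:53 named.exe sent=70 recv=0
38.113.2.100:53 named.exe sent=70 recv=0
199.166.26.100:53 named.exe sent=70 recv=0
216.239.34.10:53 named.exe sent=70 recv=0
203.0.113.8:80 iexplore.exe sent=512 recv=20480
"""

HEAVY_BYTES = 1000  # threshold for "more than a few queries' worth" to one server


def parse_entry(line):
    """Split one monitor line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[0]:
        return None
    ip, port = parts[0].rsplit(":", 1)
    try:
        ipaddress.ip_address(ip)  # raises ValueError on a non-address
        port = int(port)
        sent = int(parts[2].split("=", 1)[1])
        recv = int(parts[3].split("=", 1)[1])
    except (ValueError, IndexError):
        return None
    return {"ip": ip, "port": port, "program": parts[1].lower(),
            "sent": sent, "recv": recv}


def classify(entry):
    """Label an entry as dns-infrastructure, dns-other or non-dns."""
    if entry["port"] != 53:
        return "non-dns"
    if entry["ip"] in KNOWN_INFRA:
        return "dns-infrastructure"
    return "dns-other"


def triage(log_text, resolver="named.exe"):
    """Parse every line, classify it and attach human-readable flags."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        label = classify(entry)
        flags = []
        if label != "non-dns" and entry["program"] != resolver:
            flags.append("port-53 traffic from a program other than the resolver")
        if label == "non-dns" and entry["program"] == resolver:
            flags.append("resolver talking to a non-DNS port")
        if label != "non-dns" and entry["sent"] > 0 and entry["recv"] == 0:
            flags.append("query sent, no reply recorded")
        if label == "dns-infrastructure" and max(entry["sent"], entry["recv"]) > HEAVY_BYTES:
            flags.append("heavy traffic to a root/TLD server (%s)" % KNOWN_INFRA[entry["ip"]])
        rows.append({**entry, "label": label, "flags": flags})
    return rows


def summary(rows):
    """Count entries per label, e.g. Counter({'dns-infrastructure': 3, ...})."""
    return Counter(r["label"] for r in rows)


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["ip"], row["port"], row["program"], row["label"], "; ".join(row["flags"]))
    print(summary(triage(SAMPLE_LOG)))
```

The three "dns-other" addresses are exactly the ones the later replies explain as authoritative servers of sites whose DNS is hosted elsewhere; the flag on 192.5.6.30 is the symptom Moe Trin picks up on below.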
Volker Birk (Guest)
Posted: Fri Dec 09, 2005 5:21 pm    Post subject: Re: Advice pls on what is happening on my system

In comp.security.firewalls Alix <alix@alix.com> wrote:
Quote:
I am on a cable connection in the UK with no other PCs or printers
attached. I use FILSECLAB's personal firewall.
I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in the UK I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.

Yes.

Quote:
OBSERVATIONS
Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

Entries on port 53 are DNS requests. Why are you using such tools, if you don't
understand what they're monitoring?

The Windows-Firewall will be enough to be secure against network worms.

If you want to learn more about networking and the TCP/IP protocol family,
Craig Hunt's "TCP/IP" (O'Reilly) and these could help:

http://en.wikipedia.org/wiki/TCP/IP
http://en.wikipedia.org/wiki/Internet

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties, and
extensively so, of course only within the framework that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "super-minister"
Jason Edwards (Guest)
Posted: Fri Dec 09, 2005 5:21 pm    Post subject: Re: Advice pls on what is happening on my system

"Volker Birk" <bumens@dingens.org> wrote in message
news:43997025@news.uni-ulm.de...
Quote:
In comp.security.firewalls Alix <alix@alix.com> wrote:
I am on a cable connection in the UK with no other PCs or printers
attached. I use FILSECLAB's personal firewall.
I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in the UK I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.

Yes.

OBSERVATIONS
Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

Entries on port 53 are DNS requests. Why are you using such tools, if you don't
understand what they're monitoring?

Possibly to gain an understanding of what they are monitoring.
It's true that driving a car is a bad idea if you don't know how to drive.
But if you never drive one at all then you'll never learn how.

Jason

Quote:

The Windows-Firewall will be enough to be secure against network worms.

If you want to learn more about networking and the TCP/IP protocol
family,
Craig Hunt's "TCP/IP" (O'Reilly) and these could help:

http://en.wikipedia.org/wiki/TCP/IP
http://en.wikipedia.org/wiki/Internet

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties, and
extensively so, of course only within the framework that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "super-minister"
Jerry Gardner (Guest)
Posted: Sat Dec 10, 2005 12:59 am    Post subject: Re: Advice pls on what is happening on my system

On Fri, 09 Dec 2005 10:14:50 GMT, Alix wrote:
Quote:
38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

What do these log entries mean? That your firewall dropped packets
from these addresses/ports? For the sake of this post, I'll assume
they do. If this is the case, then you need to configure your firewall
to allow your machine to pass outbound traffic to UDP port 53 on any
external IP address and to admit the replies from the same IP:port
combinations.

DNS uses UDP port 53 (and sometimes TCP port 53) in its normal
operation. Blocking this port will cause problems.

--
Jerry Gardner
jg2-usenet@gardnerclan.net
Alix (Guest)
Posted: Sat Dec 10, 2005 1:52 am    Post subject: Re: Advice pls on what is happening on my system

On Fri 09 Dec 2005 18:59:28, Jerry Gardner <jg2@gardnerclan.net>
wrote:

Quote:
On Fri, 09 Dec 2005 10:14:50 GMT, Alix wrote:
38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

What do these log entries mean? That your firewall dropped
packets from these addresses/ports? For the sake of this post,
I'll assume they do. If this is the case, then you need to
configure your firewall to allow your machine to pass outbound
traffic to UDP port 53 on any external IP address and to admit
the replies from the same IP:port combinations.

DNS uses UDP port 53 (and sometimes TCP port 53) in its normal
operation. Blocking this port will cause problems.

BUT why is the DNS server being asked to resolve IP addresses which
have names that I have never heard of and whose services/products I
have never taken nor want to?
Moe Trin (Guest)
Posted: Sat Dec 10, 2005 1:58 am    Post subject: Re: Advice pls on what is happening on my system

On Fri, 09 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in article
<9727683DD319D51D7E@66.250.146.159>, Alix wrote:

Quote:
I am on a cable connection in the UK with no other PCs or printers
attached.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system.

Remember that. By the way, why did you do this?

Quote:
I have to say I am not particularly familiar with the technical details
of DNS lookups.

Then the 'Grasshopper' book ('DNS & BIND', Paul Albitz and Cricket Liu,
O'Reilly and Assoc., 4th edition, ISBN 0-596-00158-4, 622 pgs, US$45) is
probably far too complex, though it has more than enough details. Section
5.1 of the Linux 'DNS-HOWTO' (find it at hundreds of sites on the web)
should give the background you are missing.

Quote:
These entries have worried me because for the last week my PC has
been hesitating for several seconds before connecting to servers such
as www.google.com or an NNTP news server for the first
time. Subsequent connections seem as fast as usual.

Think it might have something to do with installing "TreeWalk DNS"? You
would be right.

Quote:
1: Which entries below are expected and which are unusual?

They look normal for a DNS server. Why are you running one?

Quote:
2: Have I got some subtle malware on my system?

PEBCAK (Problem Exists Between Chair And Keyboard)

Quote:
4: Should I remove Treewalk or does it make no difference?

Or at least disable it, and use your ISP's name servers like everyone else.

Quote:
(4) In most cases, 70 bytes were sent and none received but for
192.5.6.30 (for which the IP lookup keeps failing) there was as much
as 10 KB of traffic in each direction!

Those are mainly top level domain servers - which you should not be
bothering. A normal name server caches this information resulting in
a tiny fraction of the loads. Your box is asking the same questions
all the time, rather than getting the information from cache. That
explains your delays.

Old guy
Jerry Gardner (Guest)
Posted: Sat Dec 10, 2005 3:59 am    Post subject: Re: Advice pls on what is happening on my system

On Fri, 09 Dec 2005 19:52:23 GMT, Alix wrote:
Quote:
BUT why is the DNS server being asked to resolve IP addresses which
have names that I have never heard of and whose services/products I
have never taken nor want to?

This happens all the time when you browse the web. Sites typically
link to ad servers (doubleclick.com is a common one) and graphics
servers and any number of other things. Opening a single site may
cause dozens of name lookups as each separate element on the page may
be a link to a different site.

--
Jerry Gardner
jg2-usenet@gardnerclan.net
Jerry Gardner (Guest)
Posted: Sat Dec 10, 2005 3:59 am    Post subject: Re: Advice pls on what is happening on my system

On Fri, 09 Dec 2005 13:58:48 -0600, Moe Trin wrote:
Quote:
4: Should I remove Treewalk or does it make no difference?

Or at least disable it, and use your ISP's name servers like everyone else.

Speak for yourself. There are plenty of reasons to set up and use your
own DNS server rather than use your ISP's. Performance and reliability
are one. My DSL provider, SBC, is notorious for its flakey, slow DNS
servers, so I run my own. I get much better performance and nearly
100% reliability.

Setting up and managing a caching DNS server is not rocket
science. Anyone with reasonable computer experience can do it.

--
Jerry Gardner
jg2-usenet@gardnerclan.net
Barry Margolin (Guest)
Posted: Sat Dec 10, 2005 8:19 am    Post subject: Re: Advice pls on what is happening on my system

In article <9727CA28ED1AC51D7E@66.250.146.159>, Alix <alix@alix.com>
wrote:

Quote:
On Fri 09 Dec 2005 18:59:28, Jerry Gardner <jg2@gardnerclan.net>
wrote:

On Fri, 09 Dec 2005 10:14:50 GMT, Alix wrote:
38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

What do these log entries mean? That your firewall dropped
packets from these addresses/ports? For the sake of this post,
I'll assume they do. If this is the case, then you need to
configure your firewall to allow your machine to pass outbound
traffic to UDP port 53 on any external IP address and to admit
the replies from the same IP:port combinations.

DNS uses UDP port 53 (and sometimes TCP port 53) in its normal
operation. Blocking this port will cause problems.

BUT why is the DNS server being asked to resolve IP addresses which
have names that I have never heard of and whose services/products I
have never taken nor want to?

Jerky Network Services and VRx Network Services sound like ISPs or
hosting services. They're probably hosting the DNS of sites that you
were accessing. There's no reason you would recognize these hosting
services, any more than you would expect to know the name of the
trucking company that delivers meat to your grocery.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Moe Trin (Guest)
Posted: Sat Dec 10, 2005 11:59 pm    Post subject: Re: Advice pls on what is happening on my system

On Fri, 09 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in article
<slrndpju6d.2gu.jg2@gatekeeper.gardnerclan.net>, Jerry Gardner wrote:

Quote:
Moe Trin wrote:

Or at least disable it, and use your ISP's name servers like everyone else.

Speak for yourself. There are plenty of reasons to set up and use your
own DNS server rather than use your ISP's. Performance and reliability
are one.

You trimmed two lines where the O/P wrote:

Quote:
I am on a cable connection in the UK with no other PCs or printers
attached.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system.

Single system running windoze (almost certainly part time)

versus

Quote:
User-Agent: slrn/0.9.8.1 (Linux) Hamster-Pg/1.22.1.0

Use 'ps auxw' and look at the amount of cache memory your name server is
using. Your system is remembering stuff up to the TTL, while his 'Treewalk'
does not. This dramatically improves response, and lessens the load on the
top level domain servers. The cache on our servers at work (about 1700
systems) runs about 160 Megabytes, and no, most of our in-house name
resolution is using NIS host maps.

Quote:
My DSL provider, SBC, is notorious for its flakey, slow DNS servers,

Yeah - that's PacBell, and crap DNS is only a tip of the iceberg.

Quote:
so I run my own. I get much better performance and nearly 100% reliability.

Do you get a reduced rate or charge them back for the lousy service?

Quote:
Setting up and managing a caching DNS server is not rocket
science. Anyone with reasonable computer experience can do it.

Yes - I've been doing so since bind-4.9.3, but not everyone is running
ISC Bind (or even DJBdns, MaraDNS, pdnsd, or Posadis). Even cable modems
often run a caching name server, but not a standalone windoze box.

Old guy
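The caching behaviour Moe Trin describes in both of his replies (a name server remembering answers and delegations up to their TTL, so the same question does not go back to the root and TLD servers every time) and the caching server Jerry Gardner recommends running, shown as an added simulation. This is not code from the thread, from BIND or from TreeWalk; the zone tree, server names, TTLs and addresses are constructed. It runs the same four lookups through an iterative resolver once with a TTL cache and once without, and counts how many queries each server receives, which is the difference behind the 10 KB of traffic to a.gtld-servers.net and the first-connection delays in the original post.

```python
"""Iterative DNS resolution with and without a TTL cache (added simulation)."""
from collections import Counter

# Constructed delegation tree. Each zone is served by one named server; a
# delegating zone lists its children, a leaf zone holds address records.
# "ttl" is the TTL the zone's server puts on the records it hands out.
ZONES = {
    ".": {"server": "root", "ttl": 518400, "delegates": ("com.",)},
    "com.": {"server": "tld-com", "ttl": 172800,
             "delegates": ("example.com.", "other.com.")},
    "example.com.": {"server": "auth-example", "ttl": 3600,
                     "addresses": {"www.example.com.": "192.0.2.10"}},
    "other.com.": {"server": "auth-other", "ttl": 300,
                   "addresses": {"www.other.com.": "198.51.100.7"}},
}


class Resolver:
    """Walks the delegation tree from the closest known zone down to an answer."""

    def __init__(self, caching=True):
        self.caching = caching
        self.cache = {}            # (rrtype, name) -> (value, expiry time)
        self.queries = Counter()   # server name -> number of queries sent
        self.now = 0               # simulated clock in seconds

    def _cached(self, key):
        if not self.caching or key not in self.cache:
            return None
        value, expiry = self.cache[key]
        if self.now >= expiry:     # TTL expired: forget it, like a real cache
            del self.cache[key]
            return None
        return value

    def _store(self, key, value, ttl):
        if self.caching:
            self.cache[key] = (value, self.now + ttl)

    def _ask(self, zone, qname):
        """One query to the server for `zone`; returns (kind, payload, ttl)."""
        z = ZONES[zone]
        self.queries[z["server"]] += 1
        if "addresses" in z:
            addr = z["addresses"].get(qname)
            return ("answer", addr, z["ttl"]) if addr else ("nxdomain", None, z["ttl"])
        for child in z["delegates"]:
            if qname.endswith("." + child):
                return ("referral", child, ZONES[child]["ttl"])
        return ("nxdomain", None, z["ttl"])

    def _closest_cached_zone(self, qname):
        """Deepest zone whose delegation is still in cache; root otherwise."""
        labels = qname.rstrip(".").split(".")
        for i in range(1, len(labels)):
            cand = ".".join(labels[i:]) + "."
            if self._cached(("NS", cand)):
                return cand
        return "."

    def resolve(self, qname):
        """Return the address for qname, or None if it does not exist."""
        addr = self._cached(("A", qname))
        if addr is not None:
            return addr
        zone = self._closest_cached_zone(qname)
        while True:
            kind, payload, ttl = self._ask(zone, qname)
            if kind == "answer":
                self._store(("A", qname), payload, ttl)
                return payload
            if kind == "referral":
                self._store(("NS", payload), True, ttl)
                zone = payload
                continue
            return None


def run_scenario(caching):
    """Same lookup sequence either way; returns queries per server."""
    r = Resolver(caching)
    r.resolve("www.example.com.")   # cold start: root -> com -> example.com
    r.resolve("www.example.com.")   # repeat within the answer's TTL
    r.resolve("www.other.com.")     # same TLD, different zone
    r.now += 24 * 3600              # a day later: short TTLs have expired
    r.resolve("www.example.com.")   # only the .com delegation is still cached
    return dict(r.queries)


if __name__ == "__main__":
    print("with cache:   ", run_scenario(True))
    print("without cache:", run_scenario(False))
```

With the cache, the root server is asked exactly once and the .com servers three times over the whole run; without it every lookup starts again at the root, which is the pattern of a resolver that is not caching.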
GI (Guest)
Posted: Thu Dec 15, 2005 5:21 pm    Post subject: Advice pls on what is happening on system

http://echkelon.blogspot.com/