UDP ?

[CloneRanger]

@ Prevx

Hi, i know i've mentioned it before, but i've just caught WRSA trying to get out via UDP, why is this ?

[PrevxHelp]

DNS lookups, which the OS performs on behalf of applications automatically.

[CloneRanger]

Hi, Ok thanks for that

Strange why it should want to use UDP though, when ASFAIK it shouldn't do normally ?

[Techfox1976]

Quote:

Originally Posted by CloneRanger

Hi, Ok thanks for that

Strange why it should want to use UDP though, when ASFAIK it shouldn't do normally ?

?
DNS Lookups are normally done via UDP and have been for decades.

RFC 1035 ( http://tools.ietf.org/html/rfc1035 ), circa 1987
Section 4.2.1 P3:
"UDP is not acceptable for zone transfers, but is the recommended method
for standard queries in the Internet."

*Pulls out his Old Network Engineer cane, "You kids these days and yer newfangled AAAA records! Get off my lawn!"

[CloneRanger]

Quote:

Originally Posted by Techfox1976

DNS Lookups are normally done via UDP and have been for decades

Learn something new every day, Thanks

It's curious that even though my FW blocks those UDP attempts, i don't have a problem surfing etc !

[Techfox1976]

Quote:

Originally Posted by CloneRanger

Learn something new every day, Thanks

It's curious that even though my FW blocks those UDP attempts, i don't have a problem surfing etc !

UDP is the recommended manner per the RFC, but it can and will fall back to TCP if UDP doesn't work. The downside is the overhead in TCP in doing so.

There's also a chance that your firewall is "inside" the system level of DNS, in which case it wouldn't see or block the normal system-level DNS lookups that can be tampered with by malware (and the hosts file). Or it could normally ignore the system-level DNS lookups.

[CloneRanger]

@ Techfox1976

Thanks a LOT for the info

How would i establish if "my firewall is "inside" the system level of DNS" ? I'm using ZA v.5.5.062.000 Don't laugh

[Techfox1976]

Quote:

Originally Posted by CloneRanger

@ Techfox1976

Thanks a LOT for the info

How would i establish if "my firewall is "inside" the system level of DNS" ? I'm using ZA v.5.5.062.000 Don't laugh

If the firewall can log "all" traffic, look for stuff from the System process (PID 0) to the DNS server set in your network config, port 53 UDP or TCP. Or any process other than WSA for that matter. Just loading a web page should initiate a request or seven for each page.

[AMIGA500]

Quote:

Originally Posted by CloneRanger

@ Techfox1976

Thanks a LOT for the info

How would i establish if "my firewall is "inside" the system level of DNS" ? I'm using ZA v.5.5.062.000 Don't laugh

Your ZA is due a major update lol.

[CloneRanger]

Quote:

Originally Posted by Beethoven1770

Your ZA is due a major update lol.

Ya think

@ Techfox1976

Sorry for the delay in replying ! Apart from WRSA which i allow, Zemana also tries out via that route, even though i have ALL the options set NOT to ? so i disallow it. Apart from those i always see this, when logging on, which i allow.

Quote:

Description Generic Host Process for Win32 Services requested permission to access the internet.
Rating High
Date / Time 2013/03/05 05:41:20-5:00 GMT
Type Repeat Program
Program C:\WINDOWS2\System32\svchost.exe
Source IP
Destination IP 0.0.0.0:53
Direction Outgoing (connect)
Action Taken Allowed (once)/Manual
Count 1
Source DNS
Destination DNS

AFAIK that's normal.

[Techfox1976]

Generic Host Process, which contains the DNS resolver. If that ever gets blocked, doooom shall be the result.