#1
Hello,
I have been trying to find the reason for the reported problems of the "DNS cache poisoning" reports, and I am starting to think this is due to excessive amounts of DNS lookups performed by "ekrn.exe" and "egui.exe". For lack of better wording, they are completely bonkers. These lookups consisted of repeated reverse lookups of my DNS IPs, 26 in succession; each lookup was replied to. Then came a lookup of u56.eset.com, which was replied to directly, but the firewall then sent out a further 20 DNS lookups for the same site without waiting for a response. After the replies arrived, the firewall then sent out another 20 DNS lookups for u56.eset.com and u40.eset.com, again not waiting for replies, and even with replies the lookups were repeatedly made over and over again. At the time I was just browsing one site. Below is just a small snippet of the firewall log; I have your applications placed with specific rules for DNS lookups.

```text
03/03/2009 09:05:32 192.168.1.101:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 0.0.0.0:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 0.0.0.0:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 192.168.1.101:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:25 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:25 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:25 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:25 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:21 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:21 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:21 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:21 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:19 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:19 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:18 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:18 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:17 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:17 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:52 192.168.1.101:2097 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 0.0.0.0:2097 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 0.0.0.0:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 0.0.0.0:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:31 0.0.0.0:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 0.0.0.0:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 0.0.0.0:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 0.0.0.0:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:30 0.0.0.0:2100 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:30 192.168.1.101:2100 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:29 0.0.0.0:2099 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:29 192.168.1.101:2099 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:28 0.0.0.0:2098 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:28 192.168.1.101:2098 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 192.168.1.101:2096 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 0.0.0.0:2096 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 192.168.1.101:2095 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 0.0.0.0:2095 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:17 0.0.0.0:2094 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:17 192.168.1.101:2093 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:17 0.0.0.0:2093 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:17 192.168.1.101:2094 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:15 192.168.1.101:2092 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:15 0.0.0.0:2092 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:14 0.0.0.0:2091 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:14 192.168.1.101:2091 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:13 0.0.0.0:2090 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:13 192.168.1.101:2090 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:06 192.168.1.101:2088 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:06 0.0.0.0:2088 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:06 192.168.1.101:2087 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:06 0.0.0.0:2087 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:02 0.0.0.0:2086 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:02 192.168.1.101:2085 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:02 0.0.0.0:2085 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:02 192.168.1.101:2086 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:00 192.168.1.101:2084 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:00 0.0.0.0:2084 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:03:59 0.0.0.0:2083 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:03:59 192.168.1.101:2083 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:03:58 192.168.1.101:2082 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:03:58 0.0.0.0:2082 194.168.4.100:53 UDP Allow communication for egui.exe
```
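As an added example (not code from the thread or from ESET), a small Python parser for the firewall log format quoted above that attributes UDP/53 queries to a process and flags bursts from one process to one resolver, which is the pattern the post describes. The sample lines are constructed in that format; the DD/MM/YYYY date order and the reading of the "(2)" suffix as a per-rule instance marker are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the ESS firewall log format quoted in the post above:
# date time src:port dst:port proto action "communication for" process[(rule#)]
SAMPLE_LOG = """\
03/03/2009 09:04:31 0.0.0.0:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:04:52 192.168.1.101:2097 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:30 192.168.1.101:2100 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:13 192.168.1.101:2090 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:00 192.168.1.101:2084 194.168.4.100:53 UDP Allow communication for egui.exe
"""

LINE_RE = re.compile(r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<src>[\d.]+):\d+ "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) \w+ communication for (?P<proc>\S+)$")


def parse_dns_events(text):
    """Yield (timestamp, process, resolver) for every UDP/53 entry in the log."""
    # Assumptions: dates are DD/MM/YYYY; the '(N)' suffix is a rule-instance
    # marker, so ekrn.exe(2) is merged into ekrn.exe.
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dport"] != "53":
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
        yield ts, re.sub(r"\(\d+\)$", "", m["proc"]), m["dst"]


def dns_bursts(text, window_seconds=5, threshold=5):
    """Busiest window per (process, resolver); returned as
    {(proc, resolver): (count, window_start)} when count >= threshold."""
    by_key = defaultdict(list)
    for ts, proc, dst in parse_dns_events(text):
        by_key[(proc, dst)].append(ts)
    window, bursts = timedelta(seconds=window_seconds), {}
    for key, times in by_key.items():
        times.sort()
        best, best_start, start = 0, None, 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # drop queries that fell out of the window
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            bursts[key] = (best, best_start)
    return bursts
```

Run against a full export of the log, lowering `threshold` and widening `window_seconds` shows whether the repeats cluster on one resolver or are spread across all of them.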
#2
Well, I must admit the firewall is picking out my lazy attempts to fool it into thinking I am making a late DNS reply.
UDP packets dropped due to: 1/ Incorrect UDP packet length; 2/ Detected unexpected data in protocol. Interesting. Will continue. - Stem
#3
OK,
I can now confirm that a late DNS reply will give an alert of "DNS cache poisoning". That, along with the excessive amounts of DNS requests being sent out by ESS and the possible late replies due to that, will give a lot of warnings. EDIT: ESET: Why do your applications contained in ESS make so many DNS lookups? ... must be a bug - Stem
Last edited by Stem : March 3rd, 2009 at 06:13 AM. Reason: edit
#4
This is actually ridiculous,
I was offline, then decided to check my e-mail. The response from the firewall was to make 27 DNS lookups, making repeated reverse lookups for the DNS server and DNS lookups for my e-mail. This needs fixing; this is basically flooding the ISP DNS servers. - Stem
#5
I'm curious, do you have 'Resolve host names' enabled or disabled, and does it make any difference either way? Cheers
__________________
1. What is right is always The Truth. 2. Every Truth is supported in agreement by every Truth. 3. If the facts would persuade you otherwise, see 1. ESET Reseller (Australia)
#6
I shall follow this with interest; the firewall has been doing it since it was released. ESET support told me it was my router and to ignore it? To be honest, I have never used a software firewall before and am still confused about their effectiveness (if any); as ESET's is so light, I kept it anyway. Please keep up your test, and thanks.
http://samspade.org/d/firewalls.html
#7
Hello, I have just restored a previous image as I want to make any Windows updates needed. I will re-install ESS later and check the setting. If that is enabled by default, then it would have been set, but I would still have the question as to why so many lookups. - Stem
#8
That is off by default. But I got curious and looked at my OpenDNS statistics but couldn't find a mention of many DNS queries. Every query was once per visit.
EDIT: Yet I do have excessive queries to wpad.home?
__________________
OpenDNS with DNSCrypt SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
Last edited by funkydude : March 4th, 2009 at 11:34 AM.
#9
Hi,
I have been looking more at this, and find that the excessive DNS outbounds are related (on this setup) to my setting custom rules for DNS access on a per-application basis. After allowing a global rule for the DNS lookups, the problem with the excessive DNS lookups stopped. - Stem
#10
Thanks for the postback of course - glad to know it wasn't serious. Cheers
#11
The only way I have found up to now to cause the firewall to give such an alert ("DNS cache poisoning attack") is to send a "DNS reply" to a closed port. Single packets to closed ports are of no concern, and IMHO I think such packets should simply be dropped by default. - Stem