Help -way too many outbound DNS(port53) requests.

Hi people. -I'm pretty good with pc's, however..

I need to know if there are any new virus/worms or malware
that use dns requests to do their dirty work.

for about 2 weeks now, my firewall (commodo) has been flagging alot outbound dns (port53) queries being sent to my router's address.
the only pattern i can is that all the programs sending the requests
typically hook into winsock32 (have the abilty to talk to the net or
ethernet)

I do not usually run a virus/malware scanner on my system as i am
pro-active in what goes in and out of my system. (browse with firefox with java disabled and NoScript running. plus, -i surf shady websites
from with a VM)

-however booting off a DOS boot CD with the latest mcafee.dat's and doing a full system scan comes up clean as do several online scanners.

malware scans with ad-aware came clean as well. -nothing too notable
in hijackthis either..

anyone have a clue why just about any program that has net capabilty
always gets flagged for an outbound port 53 UDP request when it first starts..?

thank you,
-s

 

Hello,
Request to where?
Do you have the IP? If it's IANA, you have nothing to work about.
Mrk

 

as i said all requests are directed to my routers address (192.168.1.1)
none have ever had any other IP attached

thing is, this just started about 2 weeks ago. with no changes made to
the firewall's settings. everytime i open a browser it flags... and occasionally
any program that any kind of networking ability will (for updates or whatever) will also trigger..even if not in use. includ

just wondering if there are any known exploits using client side dns queries.
havent really found any. most seem to deal with servers. (i have the server service disabled, as well as the dns client service etc..

-or is Commodo firewall bugged..?

-s

 

Hello,
You did not say. You did not state the IP in your first post.
192.168.1.1 is IANA local address subnet. It's normal. Especially since you have disabled the DNS cache. Which means your computer needs to ask for IP address translations every time it tries to connect to a domain.
I hope I'm clear enough.
Mrk

 

fair enough, i stated it went to my routers address, which i just figured one would assume is an internal address. i should not have left any information to question in these matters. i was being lazy at the moment. -my apologies.

-anyway, yes i'm aware i should get the queries every now and then, but
the question still remains:

why has my firewall suddenly started spamming me with outbound dns warnings for every internet capable program i use. -when in the past,
i saw maybe 2-3 warnings a week, if that... *shrug*

maybe i'll look into the firewall, see if it has any
known bugs that would cause it to scrutinize dns queries
at an exagerated rate out of the blue without intervention..

-s






-s

 

Have you changed your proxy settings or any of your network settings before this started? From what you describe, it appears that Comodo is doing its job, but it sounds like you need to add your router or modems IP to your DNS rules. Most internet-able apps use DNS the same way as your browser, but this oftens happens in the background without the user being aware of it. Many of them check for updates when launched.

You mentioned that this started about 2 weeks ago and you didn't change any firewall settings. Is your router integrated with your modem or a separate piece of hardware? Many DSL modems are modem/router units combined. If it is a combined unit and your ISP can change its settings, they might have changed an address setting to one not covered by your existing firewall rules.

Don't look at firewall alerts as spam, even if they're annoying at times. They're either telling you about new activity or that your configuration needs work.
Rick

 

Just log onto your router's web based interface and check the the primary/secondary ip addresses of the DNS servers. They should match what your ISP is using. Because you have disabled your DNS client service, all of your individual network accessing applications require DNS lookups. Comodo is simply alerting you to this. Probably this is nothing to worry about, but do check to ensure the DNS ip addresses on your router's WAN interface match those of your ISP.

The ip for the DNS querries is reflecting your router's LAN side probably because a "DNS relay" type option is enabled in the router.

Almost forgot...yes, this can happen. That is why it is important to verify the ip addresses in your router's WAN interface to ensure they reflect your ISP's DNS servers.

It is as a long time since trying Comodo, but somewhere you may have disabled the option to "Automatically allow DNS querries" in Comodo? Just a theory. Either that, or you just recently disabled the DNS client service.

 

hi people,
-thanks for the replies

i'll respond in full tonight. (8-9hrs from now?)

running late and just saw the notification.

-s