Excessive DNS lookups by ESS ( & DNS cache poisoning)

Discussion in 'ESET Smart Security' started by Stem, Mar 3, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    I have been trying to find the reason for the reported "DNS cache poisoning" problems, and I am starting to think this is due to excessive amounts of DNS lookups performed by "ekrn.exe" and "egui.exe". For lack of better wording, they are completely bonkers.

    These lookups consisted of repeated reverse lookups of my DNS IPs, 26 in succession, each of which was replied to; then a lookup of u56.eset.com, which was replied to directly, but the firewall then sent out a further 20 DNS lookups for the same site without waiting for a response. After the replies arrived, the firewall then sent out another 20 DNS lookups for u56.eset.com and u40.eset.com, again not waiting for replies, and even with replies the lookups were repeatedly made over and over again.

    At the time I was just browsing one site.

    Below is just a small snippet of the firewall log; I have your applications placed with specific rules for DNS lookups.



    03/03/2009 09:05:32 192.168.1.101:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:32 0.0.0.0:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:32 0.0.0.0:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:32 192.168.1.101:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:25 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:25 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:25 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:25 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:21 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:21 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:21 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:21 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:19 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:19 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:18 0.0.0.0:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:18 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:05:17 0.0.0.0:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:05:17 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:52 192.168.1.101:2097 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 0.0.0.0:2097 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 0.0.0.0:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 192.168.1.101:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:52 0.0.0.0:2081 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
    03/03/2009 09:04:31 0.0.0.0:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2101 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 0.0.0.0:2097 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 0.0.0.0:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2089 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 192.168.1.101:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:31 0.0.0.0:2081 194.168.4.100:53 UDP Allow communication for ekrn.exe
    03/03/2009 09:04:30 0.0.0.0:2100 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:30 192.168.1.101:2100 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:29 0.0.0.0:2099 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:29 192.168.1.101:2099 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:28 0.0.0.0:2098 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:28 192.168.1.101:2098 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:21 192.168.1.101:2096 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:21 0.0.0.0:2096 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:21 192.168.1.101:2095 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:21 0.0.0.0:2095 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:17 0.0.0.0:2094 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:17 192.168.1.101:2093 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:17 0.0.0.0:2093 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:17 192.168.1.101:2094 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:15 192.168.1.101:2092 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:15 0.0.0.0:2092 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:14 0.0.0.0:2091 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:14 192.168.1.101:2091 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:13 0.0.0.0:2090 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:13 192.168.1.101:2090 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:06 192.168.1.101:2088 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:06 0.0.0.0:2088 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:06 192.168.1.101:2087 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:06 0.0.0.0:2087 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:02 0.0.0.0:2086 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:02 192.168.1.101:2085 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:02 0.0.0.0:2085 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:02 192.168.1.101:2086 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:00 192.168.1.101:2084 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:04:00 0.0.0.0:2084 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:03:59 0.0.0.0:2083 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:03:59 192.168.1.101:2083 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:03:58 192.168.1.101:2082 194.168.4.100:53 UDP Allow communication for egui.exe
    03/03/2009 09:03:58 0.0.0.0:2082 194.168.4.100:53 UDP Allow communication for egui.exe
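The pattern in the log above can be checked mechanically rather than by eye. The following Python script is an added example, not ESET's code and not something from the thread: it parses lines in the format Stem posted (assuming dd/mm/yyyy dates, that a trailing "(2)" on the process name only marks which firewall rule matched, and that the 0.0.0.0 entries are the same query logged before the socket was bound), drops those duplicates, and reports per process the number of UDP/53 queries, the peak number within any 60-second window, and how often the same source port was reused towards the same resolver, which is the "re-sent without waiting for a reply" behaviour described. The embedded sample is a subset of the post's own log lines.

```python
"""Added example (not ESET's code): summarise per-process DNS query bursts
from host-firewall log lines in the format quoted in the post above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One log line: date time src:port dst:port proto action "communication for" process.
# Assumption: the date is dd/mm/yyyy (the poster is in the UK).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+) (?P<action>\w+) communication for (?P<proc>\S+)$"
)
# Assumption: a trailing "(N)" on the process name marks which rule matched,
# so it is stripped in order to group by executable.
RULE_SUFFIX_RE = re.compile(r"\(\d+\)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["proc"] = RULE_SUFFIX_RE.sub("", rec["proc"])
    return rec


def dns_queries(lines):
    """Yield only outbound UDP/53 queries sent from a bound socket.

    Assumption: the 0.0.0.0 source entries are the same query logged before
    the socket was bound, so they are dropped to avoid double counting."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 53 and rec["src"] != "0.0.0.0":
            yield rec


def peak_in_window(timestamps, window):
    """Largest number of events inside any sliding window of the given length."""
    ts = sorted(timestamps)
    peak, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] < window:
            j += 1
        peak = max(peak, j - i)
    return peak


def summarise(lines, window=timedelta(seconds=60), threshold=8):
    """Per process: query count, peak queries per window, repeats of the same
    (source port, resolver) pair, and whether the peak reaches the threshold."""
    per_proc = defaultdict(list)
    for rec in dns_queries(lines):
        per_proc[rec["proc"]].append(rec)
    report = {}
    for proc, recs in per_proc.items():
        seen = defaultdict(int)
        for r in recs:
            seen[(r["sport"], r["dst"])] += 1
        # The same source port reused towards the same resolver is the same
        # query sent again without waiting for the answer.
        repeats = sum(n - 1 for n in seen.values())
        peak = peak_in_window([r["ts"] for r in recs], window)
        report[proc] = {
            "queries": len(recs),
            "peak_per_window": peak,
            "repeats": repeats,
            "excessive": peak >= threshold,
        }
    return report


# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
03/03/2009 09:05:32 192.168.1.101:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 0.0.0.0:2107 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 0.0.0.0:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:32 192.168.1.101:2106 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:25 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:05:25 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:21 192.168.1.101:2105 194.168.4.100:53 UDP Allow communication for ekrn.exe
03/03/2009 09:05:21 192.168.1.101:2105 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 192.168.1.101:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:52 0.0.0.0:2089 194.168.8.100:53 UDP Allow communication for ekrn.exe(2)
03/03/2009 09:04:30 192.168.1.101:2100 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:29 192.168.1.101:2099 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:28 192.168.1.101:2098 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 192.168.1.101:2096 194.168.4.100:53 UDP Allow communication for egui.exe
03/03/2009 09:04:21 192.168.1.101:2095 194.168.4.100:53 UDP Allow communication for egui.exe
""".splitlines()

if __name__ == "__main__":
    for proc, stats in summarise(SAMPLE_LOG).items():
        print(proc, stats)
```

On the sample, ekrn.exe shows 9 queries in 40 seconds with 4 of them re-sends on an already used source port, while egui.exe shows 5 queries on distinct ports and no re-sends. The threshold of 8 per minute is an arbitrary constructed value; on a real host it should be set from what the resolver traffic normally looks like.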
     
  2. Stem

    Re: Excessive DNS lookups by ESS

    Well I must admit the firewall is picking out my lazy attempts to fool it into thinking I am making a late DNS reply.

    UDP packets dropped due to:

    1/ Incorrect UDP packet length
    2/ Detected unexpected data in protocol


    Interesting. Will continue.


    - Stem
     
  3. Stem

    Re: Excessive DNS lookups by ESS

    OK,


    I can now confirm that a late DNS reply will give an alert of "DNS cache poisoning".

    That, along with the excessive amounts of DNS requests being sent out by ESS and the possible late replies due to that, will give a lot of warnings.


    EDIT:

    ESET: Why do your applications contained in ESS make so many DNS lookups? ... Must be a bug.


    - Stem
     
    Last edited: Mar 3, 2009
  4. Stem

    This is actually ridiculous.
    I was offline, then decided to check my e-mail. The response from the firewall was to make 27 DNS lookups, making repeated reverse lookups for the DNS server and DNS lookups for my e-mail.


    This needs fixing; this is basically flooding the ISP DNS servers.

    - Stem
     
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi Stem,

    I'm curious, do you have 'Resolve host names' enabled or disabled, and does it make any difference either way?

    [Attachment: Screenshot - 4_03_2009 , 3_48_28 AM.png]

    Cheers :)
     
  6. stratoc

    stratoc Guest

    I shall follow this with interest; the firewall has been doing it since it was released. ESET support told me it was my router and to ignore it? To be honest, I have never used a software firewall before and am still confused about their effectiveness (if any); as ESET's is so light I kept it anyway. Please keep up your test, and thanks.
    http://samspade.org/d/firewalls.html
     
  7. Stem

    Hello,

    I have just restored a previous image as I want to make any Windows updates needed. I will re-install ESS later and check the setting.
    If that is enabled by default, then it would have been set, but I would still have the question as to why so many lookups.


    - Stem
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    That is off by default. But I got curious and looked at my OpenDNS statistics but couldn't find a mention of many DNS queries. Every query was once per visit.

    EDIT: Yet I do have excessive queries to wpad.home?
     
    Last edited: Mar 4, 2009
  9. Stem

    Hi,

    I have been looking more at this, and find that the excessive DNS outbounds are related (on this setup) to my setting custom rules for DNS access on a per application basis.

    After allowing a global rule for the DNS lookups, the problem with the excessive DNS lookups stopped.


    - Stem
     
  10. NOD32 user

    Hi Stem,

    Thanks for the postback of course - glad to know it wasn't serious.

    Cheers :)
     
  11. Stem

    I presume you refer to the "DNS cache poisoning attack" logs?


    Possible, but unlikely, certainly after having the same alerts and checking.

    Good advice.


    The only way I have found up to now to cause the firewall to give such an alert ("DNS cache poisoning attack") is to send a "DNS reply" to a closed port. Single packets to closed ports are of no concern, and IMHO such packets should simply be dropped by default.



    - Stem
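The behaviour Stem describes, a reply that arrives after the querying socket has already closed being flagged as poisoning, can be modelled with a small state table. The Python class below is an added example and not ESET's firewall logic: it keeps outstanding queries per local port, remembers recently closed ports for a grace period, and labels each inbound reply as matched, late (port closed within the grace period), mismatch (port still open but the transaction ID differs), unsolicited, or alert once several replies that nobody asked for hit the same port within the grace period. A single late reply therefore gets logged and dropped, as the post argues it should be, without raising an attack alert. Port numbers, transaction IDs, timings and the thresholds are constructed values for the demonstration.

```python
"""Added example (not ESET's code): classify inbound DNS replies against a
table of outstanding queries so a single late reply is told apart from a
run of replies nobody asked for."""
from dataclasses import dataclass, field


@dataclass
class Query:
    port: int      # local UDP port the query was sent from
    txid: int      # DNS transaction ID in the query header
    sent_at: float # seconds (constructed clock)


@dataclass
class ReplyTracker:
    grace: float = 5.0         # how long a closed port is still remembered
    flood_threshold: int = 3   # stray replies to one port within `grace` before alerting
    open_queries: dict = field(default_factory=dict)  # port -> Query
    closed_at: dict = field(default_factory=dict)     # port -> time the socket closed
    stray: dict = field(default_factory=dict)         # port -> times of stray replies

    def send_query(self, port, txid, now):
        """Record an outstanding query on a local port."""
        self.open_queries[port] = Query(port, txid, now)

    def close_port(self, port, now):
        """The application or resolver gave up or got its answer; socket is gone."""
        self.open_queries.pop(port, None)
        self.closed_at[port] = now

    def _count_stray(self, port, now, label):
        """Remember a reply that matched no query; escalate if they pile up."""
        recent = [t for t in self.stray.get(port, []) if now - t <= self.grace]
        recent.append(now)
        self.stray[port] = recent
        return "alert" if len(recent) >= self.flood_threshold else label

    def on_reply(self, port, txid, now):
        """Classify an inbound UDP reply addressed to a local port."""
        query = self.open_queries.get(port)
        if query is not None:
            if query.txid == txid:
                self.close_port(port, now)   # answered: socket is closed afterwards
                return "matched"
            return self._count_stray(port, now, "mismatch")
        closed = self.closed_at.get(port)
        if closed is not None and now - closed <= self.grace:
            return "late"                    # the case the thread is about
        return self._count_stray(port, now, "unsolicited")


def late_reply_scenario():
    """Query sent, socket closed after 2 s, the real answer arrives 1 s later."""
    tracker = ReplyTracker()
    tracker.send_query(2105, 0x1A2B, now=0.0)
    tracker.close_port(2105, now=2.0)
    return tracker.on_reply(2105, 0x1A2B, now=3.0)


def stray_burst_scenario():
    """Three replies to a port that never sent anything, 0.1 s apart."""
    tracker = ReplyTracker()
    return [tracker.on_reply(2105, txid, now=0.1 * i) for i, txid in enumerate((1, 2, 3))]


if __name__ == "__main__":
    print("late reply  ->", late_reply_scenario())
    print("stray burst ->", stray_burst_scenario())
```

The grace period and the flood threshold are the two knobs: a longer grace period tolerates slower resolvers at the cost of remembering more closed ports, and a threshold of one reproduces the alert-on-any-stray-packet behaviour the thread complains about.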
     