Help -way too many outbound DNS(port53) requests.

Discussion in 'malware problems & news' started by soundwash, Apr 19, 2007.

Thread Status:
Not open for further replies.
  1. soundwash

    soundwash Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    5
    Hi people. -I'm pretty good with pc's, however..

    I need to know if there are any new virus/worms or malware
    that use dns requests to do their dirty work.

    for about 2 weeks now, my firewall (commodo) has been flagging alot outbound dns (port53) queries being sent to my router's address.
    the only pattern i can is that all the programs sending the requests
    typically hook into winsock32 (have the abilty to talk to the net or
    ethernet)

    I do not usually run a virus/malware scanner on my system as i am
    pro-active in what goes in and out of my system. (browse with firefox with java disabled and NoScript running. plus, -i surf shady websites
    from with a VM)

    -however booting off a DOS boot CD with the latest mcafee.dat's and doing a full system scan comes up clean as do several online scanners.

    malware scans with ad-aware came clean as well. -nothing too notable
    in hijackthis either..

    anyone have a clue why just about any program that has net capabilty
    always gets flagged for an outbound port 53 UDP request when it first starts..?

    thank you,
    -s
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Request to where?
    Do you have the IP? If it's IANA, you have nothing to work about.
    Mrk
     
  3. soundwash

    soundwash Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    5
    as i said all requests are directed to my routers address (192.168.1.1)
    none have ever had any other IP attached

    thing is, this just started about 2 weeks ago. with no changes made to
    the firewall's settings. everytime i open a browser it flags... and occasionally
    any program that any kind of networking ability will (for updates or whatever) will also trigger..even if not in use. includ

    just wondering if there are any known exploits using client side dns queries.
    havent really found any. most seem to deal with servers. (i have the server service disabled, as well as the dns client service etc..

    -or is Commodo firewall bugged..?

    -s
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    You did not say. You did not state the IP in your first post.
    192.168.1.1 is IANA local address subnet. It's normal. Especially since you have disabled the DNS cache. Which means your computer needs to ask for IP address translations every time it tries to connect to a domain.
    I hope I'm clear enough.
    Mrk
     
  5. soundwash

    soundwash Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    5
    fair enough, i stated it went to my routers address, which i just figured one would assume is an internal address. i should not have left any information to question in these matters. i was being lazy at the moment. -my apologies.

    -anyway, yes i'm aware i should get the queries every now and then, but
    the question still remains:

    why has my firewall suddenly started spamming me with outbound dns warnings for every internet capable program i use. -when in the past,
    i saw maybe 2-3 warnings a week, if that... *shrug*

    maybe i'll look into the firewall, see if it has any
    known bugs that would cause it to scrutinize dns queries
    at an exagerated rate out of the blue without intervention..

    -s






    -s
     
  6. herbalist

    herbalist Guest

    Have you changed your proxy settings or any of your network settings before this started? From what you describe, it appears that Comodo is doing its job, but it sounds like you need to add your router or modems IP to your DNS rules. Most internet-able apps use DNS the same way as your browser, but this oftens happens in the background without the user being aware of it. Many of them check for updates when launched.

    You mentioned that this started about 2 weeks ago and you didn't change any firewall settings. Is your router integrated with your modem or a separate piece of hardware? Many DSL modems are modem/router units combined. If it is a combined unit and your ISP can change its settings, they might have changed an address setting to one not covered by your existing firewall rules.

    Don't look at firewall alerts as spam, even if they're annoying at times. They're either telling you about new activity or that your configuration needs work.
    Rick
     
  7. wat0114

    wat0114 Guest

    Just log onto your router's web based interface and check the the primary/secondary ip addresses of the DNS servers. They should match what your ISP is using. Because you have disabled your DNS client service, all of your individual network accessing applications require DNS lookups. Comodo is simply alerting you to this. Probably this is nothing to worry about, but do check to ensure the DNS ip addresses on your router's WAN interface match those of your ISP.

    The ip for the DNS querries is reflecting your router's LAN side probably because a "DNS relay" type option is enabled in the router.

    Almost forgot...yes, this can happen. That is why it is important to verify the ip addresses in your router's WAN interface to ensure they reflect your ISP's DNS servers.

    It is as a long time since trying Comodo, but somewhere you may have disabled the option to "Automatically allow DNS querries" in Comodo? Just a theory. Either that, or you just recently disabled the DNS client service.
     
    Last edited by a moderator: Apr 21, 2007
  8. soundwash

    soundwash Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    5
    hi people,
    -thanks for the replies

    i'll respond in full tonight. (8-9hrs from now?)

    running late and just saw the notification.

    -s
     
Loading...
Thread Status:
Not open for further replies.