Inbounds blocked due to Internet Servers

I see a LOT of these every day



From my FW log

It's not just FF either, it can be other Apps as well.

Why would my DNS want connect to my comp via Internet servers ?

TIA

 

The log does not actually make sense. You are showing the source as your IP:53, with no inbound destination (Firefox is not a DNS server and will not use local port 53)

That could indicate a late DNS reply, or an interception due to internal DNS cache by the firewall, or a possible security feature of said firewall performing DNS lookups.


Not enough info to correctly determine what is happening


edit:
Forgot to ask. What is the log from, is it from Zonealarm by any chance?



- Stem

 

@ Stem - it does look like ZA display that makes no sense to me either

@cloneranger,
It'll help if
1. you select one of these lines and show what the entire text looks like. At least in the ZA that I used it was at the bottom, or
2, \windows\internet directory has ZA log so post the text of relevant lines
3. in ZA, you need to list DNS servers in the permited zone
other than that, the posted log makes no sense to me either, and in your several recent interesting posts your own IP always equals your ISP's IP and I have a hard time understanding that. And now it might even be the same as the DNS servers.
4. Perhaps if you post results of ipconfig /all it would help

 

To me niether

Wierd ?

What would be ?

Yes, ZoneAlarm free version:5.5.062.000 = None of the nag etc stuff later versions have

How & where ? Not sure if that can be done with my version ?

 

I know there was a problem with ZA, where it would block UDP DNS replies. The workaround put forward at the time, was to place the DNS servers in the trusted zone.

I do not know if that was fixed or not in the later versions.


- Stem

 

Ah, so it "might" be related ?

FYI

I've done this



To "hopefully" try & prevent ZA phoning home, as it was reported a few years ago that it did Could that in Any way cause issues to normal use ?

 

Considering this version was released on November 8, 2004, and most releases since then containing "fixes", it wouldn't surprise me in the least if it isn't working correctly nearly 7 years later.

 

With the version you are using I would think so.

Quite a while since I looked at ZA, but I think there should be a zone tab where IPs can be entered and a Zone selected.

ZA always had its own Applications with hard_coded rules, so they cannot be blocked in its own firewall.

- Stem

 

You're right there is,



except it's greyed out on the Programs tab & can't be clicked on but info can be entered on the seperate Firewall Tab, which is not where i see my ISP's DNS entries. So it "appears" that avenue is not applicable ?

Oh, Ok

I did what moonblood suggested and allowed Trusted Server for this & FF



Also changed these settings like this for now



Niether of those changes seem to make any difference, still getting those FF DNS in blocks ?



My FW shows 2 very slightly different entries for the DNS, the difference is the fourth number, by just 3 last digits.

 

Aren t you the one that was saying in some thread that without a firewall everything is fine and good ,no atacks.
Now you ve changed your mind ?!

 

Yeah that's me, thanks for remembering

No, because when i said had no attacks, i was talking about ACTUAL intrusions, of which there were none

Still not getting any ACTUAL intrusions, just attempted ones. Don't know why ? but i do !

 

Maybe you got infected during the experiments ?!

 

You know what, it's always possible ! Fortunately i was using ShadowDefender though, so i think it's highly unlikely. Plus i've scanned with various Apps/Tools etc which all show clean. But nothings 100% i acknowledge, & should i discover something/s i'll Definately post about it

 

You really have issues with nicknames, don't you? Wouldn't that be user act8192? (Check post #3)

 

Not "Really" Have you noticed any others ?

Indeed it would be, in this case, so thanks for pointing it out & appologies & thanks to act8192

 

@CloneRanger,
Your first screen shot in this thread reminded me something. I think the weird log has to do with loopback which you were probably blocking. Just a WILD GUESS. But it still doesn't look right.

So, just a reminder (if you haven't read the 5.4 manual recently): ZA, besides yourIP/255.255.255.0 and DNS and DHCP servers likes to see localhost 127.0.0.1 in the zones tab as trusted, so that applications which use loopback will work. IE always needs it, and I think FireFox does as well. Opera does not talk to itself. Several MS applications need it as well. It's a global setting, no fine control over which apps get it and which don't unless you do rules in the paid version.

 

You might have a backdoor ,you should reinstall the OS.

 

@ act8192

Re - Loopback

Thanks for the info I'll check it out

Ya think

 

Yep.
You can t stay with no firewall on and not get something ,it s against the nature of the internets

 

Re Loopback

You might be right. The thing is i can't manipilate my FW zones as the option to do so is greyed out

Not recently

NFC = But i can't expect all the features of the paid ! Amazingly in spite of All the blocks my FW does, in & out, i'm still able to surf & DL etc etc with no problems

I would like to get to the bottom of it, but alas no such luck yet

Thanks

As i said before, i was using SD though And since those tests, i am now using my FW

 

You have LOCK ENABLED. Unlock it.
In a good installation, IIRC, ZA would add loopback automatically. Your ZA database may be mangled by now. Yikes. It is clear though from the text you posted that loopback is in the picture for FireFox. I'll see if I can find in my backups whether you can have those buttons enabled. I'm sure you can, 'cause I've used that version for a long time, but I still need a reminder

 

The problem with wide open loopback is that IF and only if you use local host proxy (NOD, Avast, Avira, Privoxy....) it's a good idea to block the proxy port from apps you don't want to sneak out to the wild, mean, web. If you don't use local host proxy it's no issue at all. Me thinks.

What is NFC?

 

FROM v 4.5 user guide, older than your v5
To add a single IP address:
1. Select Firewall|Zones.
2. Click Add, then select IP address from the shortcut menu.
The Add IP Address dialog appears.
3. Select Trusted from the Zone drop-down list.
4. Type the IP address and a description in the boxes provided, then click OK.

I have one screen shot from v6.1 where the context menu gave me trusted/internet options - looks like right click the line you're entering for localhost.

 

I think it's no fine control.

 

It takes time to understand, more or less, what all this Internet "noise" is about, but you'll soon discover the majority of it is harmless. You can also forget the back door and infection theories The logs posted so far show absolutely nothing to indicate this has happened.

An example is attached of what you might see tons of, especially if you are not behind a router. I'm behind one but because there are other computers on it, i see quite a few of these harmless broadcasts that Win fw blocks anyway on a near daily basis.

Let's even assume, for a moment, that hypothetically you had no firewall. It doesn't automatically mean others can access your file system at will. You'd have to have file and printer sharing enabled, amongst other sharing options enabled, or an active infection opening up a gateway for others to venture through.