Inbounds blocked due to Internet Servers

Discussion in 'other firewalls' started by CloneRanger, May 18, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I see a LOT of these every day

    ff-za.gif

    From my FW log

    It's not just FF either, it can be other Apps as well.

    Why would my DNS want to connect to my comp via Internet servers ?

    TIA
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The log does not actually make sense. You are showing the source as your IP:53, with no inbound destination (Firefox is not a DNS server and will not use local port 53).
    That could indicate a late DNS reply, or an interception due to internal DNS cache by the firewall, or a possible security feature of said firewall performing DNS lookups.


    Not enough info to correctly determine what is happening.


    edit:
    Forgot to ask. What is the log from, is it from Zonealarm by any chance?



    - Stem
     
    Last edited: May 18, 2011
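
Added example, not part of the original thread: a small Python model of the "late DNS reply" hypothesis from the post above, showing how a stateful firewall ends up logging a reply from a DNS server's port 53 as a blocked inbound connection. The packet records, the IP addresses (documentation ranges), the local ports and the 5-second UDP state timeout are all constructed assumptions, not values taken from ZoneAlarm or from the poster's log.

```python
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 5.0  # seconds; assumed value, not ZoneAlarm's real timeout


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds since the start of the capture
    direction: str    # "out" (query leaving the PC) or "in" (packet arriving)
    local_port: int
    remote_ip: str
    remote_port: int


def classify_inbound(packets, timeout=UDP_STATE_TIMEOUT):
    """Return a (packet, verdict) pair for every inbound UDP packet."""
    last_out = {}  # (local_port, remote_ip, remote_port) -> time of last query
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        flow = (p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            last_out[flow] = p.ts          # outbound traffic opens/refreshes state
            continue
        sent = last_out.get(flow)
        if sent is None:
            verdict = "unsolicited"        # nothing was ever sent on this flow
        elif p.ts - sent <= timeout:
            verdict = "reply-allowed"      # state still alive, reply passes
        elif p.remote_port == 53:
            verdict = "late-dns-reply"     # state expired, logged as inbound block
        else:
            verdict = "late-reply"
        verdicts.append((p, verdict))
    return verdicts


# Constructed sample traffic (not from the poster's firewall log).
SAMPLE = [
    Packet(0.00, "out", 1045, "198.51.100.53", 53),
    Packet(0.04, "in", 1045, "198.51.100.53", 53),   # answered in time
    Packet(10.00, "out", 1046, "198.51.100.53", 53),
    Packet(16.50, "in", 1046, "198.51.100.53", 53),  # arrives after state expired
    Packet(20.00, "in", 1047, "198.51.100.56", 53),  # no matching query at all
]

if __name__ == "__main__":
    for pkt, verdict in classify_inbound(SAMPLE):
        print(f"{pkt.ts:6.2f}s {pkt.remote_ip}:{pkt.remote_port} "
              f"-> local:{pkt.local_port}  {verdict}")
```

Only the "unsolicited" case has no preceding query from the PC; the "late-dns-reply" case is the harmless one the post describes.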
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    @ Stem - it does look like ZA display that makes no sense to me either

    @cloneranger,
    It'll help if
    1. you select one of these lines and show what the entire text looks like. At least in the ZA that I used it was at the bottom, or
    2. \windows\interneto_O directory has ZA log so post the text of relevant lines
    3. in ZA, you need to list DNS servers in the permitted zone
    Other than that, the posted log makes no sense to me either, and in your several recent interesting posts your own IP always equals your ISP's IP and I have a hard time understanding that. And now it might even be the same as the DNS servers.
    4. Perhaps if you post results of ipconfig /all it would help
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    To me neither :(

    Weird ?

    What would be ?

    Yes, ZoneAlarm free version:5.5.062.000 = None of the nag etc stuff later versions have :D

    How & where ? Not sure if that can be done with my version ?

    ipc.gif
     

  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I know there was a problem with ZA, where it would block UDP DNS replies. The workaround put forward at the time was to place the DNS servers in the trusted zone.

    I do not know if that was fixed or not in the later versions.


    - Stem
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Ah, so it "might" be related ?

    FYI

    I've done this

    zlc.gif

    To "hopefully" try & prevent ZA phoning home, as it was reported a few years ago that it did :( Could that in Any way cause issues to normal use ?
     
  7. wat0114

    wat0114 Guest

    Considering this version was released on November 8, 2004, and most releases since then containing "fixes", it wouldn't surprise me in the least if it isn't working correctly nearly 7 years later.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With the version you are using I would think so.

    Quite a while since I looked at ZA, but I think there should be a zone tab where IPs can be entered and a Zone selected.

    ZA always had its own Applications with hard-coded rules, so they cannot be blocked in its own firewall.

    - Stem
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    :D

    You're right there is,

    add.gif

    except it's greyed out on the Programs tab & can't be clicked on :( but info can be entered on the separate Firewall Tab, which is not where i see my ISP's DNS entries. So it "appears" that avenue is not applicable ?

    Oh, Ok

    I did what moonblood suggested and allowed Trusted Server for this & FF

    gen.gif

    Also changed these settings like this for now

    t.gif

    Neither of those changes seem to make any difference, still getting those FF DNS in blocks ?

    dns x 2.gif

    My FW shows 2 very slightly different entries for the DNS, the difference is the fourth number, by just 3 last digits.
     
  10. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Aren't you the one that was saying in some thread that without a firewall everything is fine and good, no attacks.
    Now you've changed your mind ?!
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah that's me, thanks for remembering ;)

    No, because when i said had no attacks, i was talking about ACTUAL intrusions, of which there were none :)

    Still not getting any ACTUAL intrusions, just attempted ones. Don't know why ? but i do !
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Maybe you got infected during the experiments ?!
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    You know what, it's always possible ! Fortunately i was using ShadowDefender though, so i think it's highly unlikely. Plus i've scanned with various Apps/Tools etc which all show clean. But nothing's 100% i acknowledge, & should i discover something/s i'll Definitely post about it :thumb:
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You really have issues with nicknames, don't you? :-* Wouldn't that be user act8192? :p (Check post #3)
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Not "Really" :p Have you noticed any others ?

    Indeed it would be, in this case, so thanks for pointing it out :thumb: & apologies & thanks :thumb: to act8192
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    @CloneRanger,
    Your first screen shot in this thread reminded me something. I think the weird log has to do with loopback which you were probably blocking. Just a WILD GUESS. But it still doesn't look right.

    So, just a reminder (if you haven't read the 5.4 manual recently): ZA, besides yourIP/255.255.255.0 and DNS and DHCP servers likes to see localhost 127.0.0.1 in the zones tab as trusted, so that applications which use loopback will work. IE always needs it, and I think FireFox does as well. Opera does not talk to itself. Several MS applications need it as well. It's a global setting, no fine control over which apps get it and which don't unless you do rules in the paid version.
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    You might have a backdoor, you should reinstall the OS.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ act8192

    Re - Loopback

    Thanks for the info :thumb: I'll check it out :)

    Ya think :eek:
     
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Yep.
    You can't stay with no firewall on and not get something, it's against the nature of the internets :)
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re Loopback

    You might be right. The thing is i can't manipulate my FW zones as the option to do so is greyed out :(

    127.gif

    Not recently ;)

    NFC = :thumbd: But i can't expect all the features of the paid ! Amazingly in spite of All the blocks my FW does, in & out, i'm still able to surf & DL etc etc with no problems :)

    I would like to get to the bottom of it, but alas no such luck yet :(

    Thanks :thumb:


    As i said before, i was using SD though ;) And since those tests, i am now using my FW :thumb:
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    You have LOCK ENABLED. Unlock it.
    In a good installation, IIRC, ZA would add loopback automatically. Your ZA database may be mangled by now. Yikes. It is clear though from the text you posted that loopback is in the picture for FireFox. I'll see if I can find in my backups whether you can have those buttons enabled. I'm sure you can, 'cause I've used that version for a long time, but I still need a reminder :)
     
  22. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    The problem with wide open loopback is that IF and only if you use local host proxy (NOD, Avast, Avira, Privoxy....) it's a good idea to block the proxy port from apps you don't want to sneak out to the wild, mean, web. If you don't use local host proxy it's no issue at all. Me thinks.

    What is NFC?
     
  23. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    FROM v 4.5 user guide, older than your v5 ;)
    To add a single IP address:
    1. Select Firewall|Zones.
    2. Click Add, then select IP address from the shortcut menu.
    The Add IP Address dialog appears.
    3. Select Trusted from the Zone drop-down list.
    4. Type the IP address and a description in the boxes provided, then click OK.

    I have one screen shot from v6.1 where the context menu gave me trusted/internet options - looks like right click the line you're entering for localhost.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think it's no fine control.
     
  25. wat0114

    wat0114 Guest

    It takes time to understand, more or less, what all this Internet "noise" is about, but you'll soon discover the majority of it is harmless. You can also forget the back door and infection theories :rolleyes: The logs posted so far show absolutely nothing to indicate this has happened.

    An example is attached of what you might see tons of, especially if you are not behind a router. I'm behind one but because there are other computers on it, i see quite a few of these harmless broadcasts that Win fw blocks anyway on a near daily basis.

    Let's even assume, for a moment, that hypothetically you had no firewall. It doesn't automatically mean others can access your file system at will. You'd have to have file and printer sharing enabled, amongst other sharing options enabled, or an active infection opening up a gateway for others to venture through.
     

    Last edited by a moderator: May 23, 2011