UDP ?

Discussion in 'Prevx Releases' started by CloneRanger, Feb 24, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Prevx

    Hi, I know I've mentioned it before, but I've just caught WRSA trying to get out via UDP, why is this ?

    wrsa.png
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    DNS lookups, which the OS performs on behalf of applications automatically.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, Ok thanks for that :thumb:

    Strange why it should want to use UDP though, when AFAIK it shouldn't do normally ?
     
  4. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    DNS Lookups are normally done via UDP and have been for decades.

    RFC 1035 ( http://tools.ietf.org/html/rfc1035 ), circa 1987
    Section 4.2.1 P3:
    "UDP is not acceptable for zone transfers, but is the recommended method
    for standard queries in the Internet."

    *Pulls out his Old Network Engineer cane, "You kids these days and yer newfangled AAAA records! Get off my lawn!"
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Learn something new every day, Thanks :thumb:

    It's curious that even though my FW blocks those UDP attempts, I don't have a problem surfing etc !
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    UDP is the recommended manner per the RFC, but it can and will fall back to TCP if UDP doesn't work. The downside is the overhead in TCP in doing so.

    There's also a chance that your firewall is "inside" the system level of DNS, in which case it wouldn't see or block the normal system-level DNS lookups that can be tampered with by malware (and the hosts file). Or it could normally ignore the system-level DNS lookups.
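
The UDP-first, TCP-on-truncation behaviour Techfox1976 describes is worth seeing in code. The block below is an added example, not code from the thread or from Webroot/Prevx: it builds an RFC 1035 query, reads the header flags of the reply, and retries over TCP (with the 2-byte length prefix TCP DNS requires) only when the UDP reply has the TC bit set. The transports are injected callables and the "server" is a constructed stand-in that returns a single A record for 192.0.2.1, so everything runs offline; the hostname and transaction id are arbitrary sample values.

```python
import struct

# Constructed example: minimal RFC 1035 client logic with UDP-first resolution
# and fallback to TCP when the UDP reply is truncated (TC bit set).
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # response bit
FLAG_TC = 0x0200  # TrunCation bit in the 16-bit flags word


def encode_name(name):
    """Encode a dotted hostname into DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Header (RD set so the resolver recurses for us) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; the TC flag drives the transport decision."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def resolve(name, send_udp, send_tcp, qtype=QTYPE_A, txid=0x1234):
    """Send over UDP; if the answer was truncated, repeat the query over TCP."""
    query = build_query(name, qtype, txid)
    hdr = parse_header(send_udp(query))
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch, discarding reply")
    if not hdr["tc"]:
        hdr["transport"] = "udp"
        return hdr
    # RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length prefix.
    framed = struct.pack("!H", len(query)) + query
    tcp_reply = send_tcp(framed)
    length = struct.unpack("!H", tcp_reply[:2])[0]
    hdr = parse_header(tcp_reply[2:2 + length])
    hdr["transport"] = "tcp"
    return hdr


def fake_response(query, truncate):
    """Constructed stand-in for a resolver: echo the question, add one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_TC if truncate else 0)  # QR, RD, RA (+TC when asked)
    question = query[12:]
    # Name pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def demo(truncate_udp):
    """Run the resolver against the constructed transports and report which one answered."""
    def udp(q):
        return fake_response(q, truncate=truncate_udp)

    def tcp(framed):
        length = struct.unpack("!H", framed[:2])[0]
        reply = fake_response(framed[2:2 + length], truncate=False)
        return struct.pack("!H", len(reply)) + reply

    return resolve("example.com", udp, tcp)


if __name__ == "__main__":
    print("normal UDP reply  ->", demo(False)["transport"])
    print("truncated reply   ->", demo(True)["transport"])
```

On a real host the OS resolver does exactly this switch on your behalf, which is why a firewall that drops the UDP attempts can still leave browsing working: the queries quietly come back over TCP port 53 with the extra handshake cost.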
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Techfox1976

    Thanks a LOT for the info :thumb:

    How would I establish if "my firewall is 'inside' the system level of DNS"? I'm using ZA v.5.5.062.000 Don't laugh ;)
     
  8. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    If the firewall can log "all" traffic, look for stuff from the System process (PID 0) to the DNS server set in your network config, port 53 UDP or TCP. Or any process other than WSA for that matter. Just loading a web page should initiate a request or seven for each page.
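
Techfox1976's check, as an added example rather than anything from the thread or from ZoneAlarm: scan a per-connection firewall log for port 53 traffic and tag two things worth a look, a process other than the OS resolver's service host doing its own lookups, and any lookup sent to a server that is not the one set in the network config (a sign the resolver is being bypassed). The log line format, the process names, the addresses and the choice of `svchost.exe` as the expected resolver process are all constructed assumptions; adapt the regex to whatever your firewall actually writes.

```python
import re
from collections import Counter

# Constructed log format (not ZoneAlarm's): timestamp, verdict, proto, src -> dst, process, pid.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proc=(?P<proc>\S+) pid=(?P<pid>\d+)$"
)

# Constructed sample lines: the service host resolving normally, a security
# product doing its own lookup, and an updater going straight to a public resolver.
SAMPLE_LOG = """\
2013-02-24 10:01:02 ALLOW UDP 192.168.1.10:51234 -> 192.168.1.1:53 proc=svchost.exe pid=1040
2013-02-24 10:01:03 ALLOW UDP 192.168.1.10:51235 -> 192.168.1.1:53 proc=WRSA.exe pid=2210
2013-02-24 10:01:04 BLOCK UDP 192.168.1.10:51236 -> 8.8.8.8:53 proc=updater.exe pid=3311
2013-02-24 10:01:05 ALLOW TCP 192.168.1.10:51237 -> 192.168.1.1:53 proc=svchost.exe pid=1040
2013-02-24 10:01:06 ALLOW TCP 192.168.1.10:51238 -> 192.0.2.44:80 proc=firefox.exe pid=4120
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["pid"] = int(rec["pid"])
    return rec


def find_dns_events(lines, configured_dns, expected_resolvers=("svchost.exe",)):
    """Keep only port-53 flows and tag the ones that deserve attention."""
    configured = set(configured_dns)
    expected = {p.lower() for p in expected_resolvers}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        tags = []
        if rec["dst"] not in configured:
            tags.append("resolver-bypass")   # not talking to the DNS server you configured
        if rec["proc"].lower() not in expected:
            tags.append("app-direct-dns")    # application resolving on its own, outside the OS cache
        findings.append({"ts": rec["ts"], "proc": rec["proc"], "pid": rec["pid"],
                         "proto": rec["proto"], "dst": rec["dst"],
                         "action": rec["action"], "tags": tags})
    return findings


def per_process_counts(findings):
    """How many port-53 flows each process produced; svchost dominating is the normal picture."""
    return Counter(f["proc"] for f in findings)


if __name__ == "__main__":
    for f in find_dns_events(SAMPLE_LOG, configured_dns=["192.168.1.1"]):
        print(f["ts"], f["proc"], f["proto"], f["dst"], f["action"], ",".join(f["tags"]) or "-")
    print(per_process_counts(find_dns_events(SAMPLE_LOG, ["192.168.1.1"])))
```

If the log shows no port-53 traffic at all from the service host while web pages still load, the firewall is hooking below the resolver's view of the network, which is the "inside the system level of DNS" case described above.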
     
  9. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Your ZA is due a major update lol.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Ya think :D

    @ Techfox1976

    Sorry for the delay in replying ! Apart from WRSA which I allow, Zemana also tries out via that route, even though I have ALL the options set NOT to, so I disallow it. Apart from those I always see this, when logging on, which I allow.

    AFAIK that's normal.
     
  11. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Generic Host Process, which contains the DNS resolver. If that ever gets blocked, doooom shall be the result.
     