Firewall questions - DNS connection attempts

Blue2: I'm on a cable connection using a cable/modem router. I'm using Kerio 2.15 as my firewall and have my ISP's DNS servers configured, followed by a DNS "kill" rule set to alert/log so I can tell if DNS connection attempts are being blocked. I'm by no means network savvy, so there are two things I don't understand.
First, my ISP's DHCP server address also seems to sometimes (but not always) be needed as a DNS address, meaning UDP traffic permitted to port 53 as well as to port 67. Could that be correct?
Second, occasionally on startup, DNS connections are logged as being requested (and blocked) by Kerio or by KAV, not by svchost.exe (which is permitted). After the first minute or two, these connection attempts don't happen again. Is there a reason that happens at startup, and should DNS be configured for all applications or just for svchost.exe?
I hope I've explained that clearly enough.
nwrickert: said by Blue2: "First, my ISP's DHCP server address also seems to sometimes (but not always) be needed as a DNS address, meaning UDP traffic permitted to port 53 as well as to port 67. Could that be correct?" You would have to ask your ISP about that. They decide what their DNS servers are.
said by Blue2: "Second, occasionally on startup, DNS connections are logged as being requested (and blocked) by Kerio or by KAV, not by svchost.exe (which is permitted)." As far as I know, svchost does hostname lookups for programs. However, there is more to DNS than just hostname lookups. Some of your software might need access to DNS records that can only be obtained by the software making a direct DNS query.
-- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15
Blue2: Thanks nwrickert for the reply. Getting answers from my ISP (not to mention good ones) is just about impossible. They are not very security savvy.
So I guess it all comes down to this: this one address is indicated in ipconfig as my DHCP Server and my Default Gateway. So given that, would there be any reason to (1) NOT permit an INCOMING DNS request for connection from that address and (2) NOT permit OUTGOING connections from applications to that address on port 53 (DNS)?
In other words, should I continue to block requests like these or should I open up the Kerio ruleset to permit them? What I couldn't understand is why they are only very occasionally needed and ALWAYS at the onset of connection but not later.
23/Nov/2009 09:24:43 BLOCK OTHER DNS (log/alert) blocked; Out UDP; localhost:2622->(DHCP Server Address):53; Owner: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 7.0\AVP.EXE
23/Nov/2009 09:24:27 BLOCK OTHER DNS (log/alert) blocked; Out UDP; localhost:3558->(DHCP Server Address):53; Owner: C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
nwrickert: It is a very common practice for home routers to act as a DNS server, as well as a DHCP server. I'm not sure whether that applies in your circumstance. Typically the router forwards DNS requests to the real DNS servers.
In a business network, the routers (internet gateways) are usually dedicated appliances from Cisco and other similar router manufacturers. They usually do not do either DNS or DHCP. However, it is common practice to run a DHCP forwarding agent on the router, with the forwarding agent sending DHCP requests to a central DHCP server. Depending on how the forwarding agent is implemented, that might make the router appear to be a DHCP server. I don't know whether routers in a business network are sometimes used to forward DNS requests - I have not come across instances of that, but my experience is limited.
Unless you are running your own DNS server, there is no reason to allow incoming DNS requests. However, in my opinion, you should not restrict outgoing DNS requests.
DNS requests are usually UDP, though they can be TCP. With UDP, and a delayed response to a DNS request, the reply can look as if it is an incoming request, and some firewalls block those. Blocking a delayed response probably doesn't cause serious problems (other than occasional DNS lookup failures), but these are not actually a threat. Presumably when a firewall blocks delayed DNS responses, it is because it is difficult to distinguish between a delayed response and some other kind of UDP attack.
Example: Software in your system makes a DNS request. The DNS server responds 30 seconds later. But your firewall has set a timeout limit of 10 seconds and rejects it. These are not attacks, and not really a problem, though some firewalls report them as attacks. The reason firewalls set timeouts is that they otherwise have to maintain a table of which packets would be DNS responses, and they don't want this table to grow too large.
An actual incoming DNS request would have port 53 as the port on your system. Unless you are running a DNS server, these will be blocked by your operating system anyway, so there's no need for special action.
I hope I haven't been too confusing there.
Blue2: said by nwrickert: "I hope I haven't been too confusing there." Not confusing, but over my head, as I know basically nothing about networks and am a home user.
With my lack of knowledge, what I'm wondering is the following: Since these requests only come at the onset of a connection to my ISP, I'm wondering if my home cable modem/router has NOT received the DNS server addresses from the DHCP server yet. So the applications are attempting to connect directly to the DHCP server rather than the DNS servers that aren't assigned yet? Does that make any sense?
It doesn't seem to happen all the time, but could the DHCP server not be responding quickly enough at startup in some cases, causing these log/alerts, as I set up my Kerio ruleset to alert for DNS connections that were not permitted?
nwrickert: There's always a possibility that you are misinterpreting the evidence. Since you haven't said much about the evidence you are seeing, I can't guess whether that's a possibility, but it is something you could consider.
Most ordinary applications will only be doing hostname lookups. The normal way to look up a hostname is to call a library function, and that library function would normally be in a library provided with your operating system. A few applications may have special needs, in which case they might do DNS lookups directly instead of using the system library.
In Windows, there is typically a service running to handle hostname lookups. The library functions will use that service. If that service is not running, then the library functions might do DNS lookups directly. But they would still use the DNS servers configured for your operating system.
It is very common for home routers to announce themselves as DNS servers, and then to forward DNS requests to the ISP servers.
I am not sure what firewall software does. Some firewalls attempt to learn about the network they are on, and determine whether that network is behind a home router or is more directly connected to the Internet. It is conceivable that they might send some test DNS queries to the router, to see how it responds. That would be a partial indication of the kind of network they are on.
TheWiseGuy: You said on start-up. Assuming computer start-up, I would think the most likely explanation is that either the svchost cache software has not completely started (most likely) or Kerio is incorrectly identifying the actual program (less likely). The router should already have the IP and DNS settings unless you are booting it at the same time.
While many ISPs use the same server as both DHCP and DNS (a VP of Engineering at my ISP once posted that this is because one is disk intensive and the other memory intensive, so it worked well), I had not seen DNS from the ISP Default Gateway, which is the Cable Modem Termination System.
To me the question is: are you having any problems due to these blocked packets? If not, you could create a rule blocking them that does not alert.
-- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
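Added example (not code from anyone in this thread): a small Python script that parses lines in the Kerio 2.x log format Blue2 posted above and sorts them into the cases nwrickert and TheWiseGuy describe, so you can see at a glance which programs query the gateway directly instead of going through svchost.exe. The gateway address 192.168.0.1, the two inbound lines and the owner paths other than the two quoted are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample in the Kerio 2.x log format quoted in this thread: the two "Out"
# lines mirror the poster's entries with the redacted gateway replaced by a made-up
# 192.168.0.1; the two "In" lines are invented to show the other cases discussed.
SAMPLE_LOG = """\
23/Nov/2009 09:24:43 BLOCK OTHER DNS (log/alert) blocked; Out UDP; localhost:2622->192.168.0.1:53; Owner: C:\\PROGRAM FILES\\KASPERSKY LAB\\KASPERSKY ANTI-VIRUS 7.0\\AVP.EXE
23/Nov/2009 09:24:27 BLOCK OTHER DNS (log/alert) blocked; Out UDP; localhost:3558->192.168.0.1:53; Owner: C:\\PROGRAM FILES\\KERIO\\PERSONAL FIREWALL\\PERSFW.EXE
23/Nov/2009 09:25:10 BLOCK OTHER DNS (log/alert) blocked; In UDP; 192.168.0.1:53->localhost:2622; Owner: C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
23/Nov/2009 09:26:02 BLOCK OTHER DNS (log/alert) blocked; In UDP; 203.0.113.7:41000->localhost:53; Owner: unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<rule>.+?) blocked; (?P<dir>In|Out) (?P<proto>UDP|TCP); "
    r"(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+); Owner: (?P<owner>.*)$"
)

def classify(line):
    """Return (category, owner basename, remote host) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    out = m["dir"] == "Out"
    sport, dport = int(m["sport"]), int(m["dport"])
    remote = m["dst"] if out else m["src"]
    owner = m["owner"].rsplit("\\", 1)[-1].upper()
    if out and dport == 53:
        category = "outbound query"      # a lookup leaving the machine (the thread's case)
    elif not out and sport == 53 and dport > 1023:
        category = "late response"       # answer arriving after the firewall timeout: benign
    elif not out and dport == 53:
        category = "inbound request"     # only meaningful if this host runs a DNS server
    else:
        category = "other"
    return category, owner, remote

def summarize(log_text, gateway, resolver="SVCHOST.EXE"):
    """Count each category, and count outbound queries to the gateway made by programs
    other than the system resolver: the ones a silent deny rule would cover."""
    categories, direct = Counter(), Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            continue
        category, owner, remote = c
        categories[category] += 1
        if category == "outbound query" and remote == gateway and owner != resolver:
            direct[owner] += 1
    return categories, direct
```

Run `summarize(open("kerio.log").read(), "<your gateway address>")` against a real export to see whether anything besides the AV and firewall is doing its own lookups.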
Blue2: Sorry if I haven't been clear.
I don't actually connect to the internet (plug in the network cable) until AFTER the computer has not only booted but shows that the firewall is active. From the old Kerio forum, there was some question about when the firewall driver loads in the startup sequence, so it was advised to not connect until it displays.
The cable modem/router is in a different room (but via a wired connection), so it's possible that I'm plugging in the network cable and the cable modem/router (Castlenet Router CBV734EW) has NOT yet completed ITS startup.
What's happening is that occasionally, but not always, and only when I first plug in the network cable, do I see the Kerio DNS alerts per my second post above, via the rule that I did set up to alert me to unwanted DNS connections. So these appear to be outbound attempts from KAV and Kerio to the DHCP server address via outbound local ports to port 53.
So I wasn't sure what this blocked traffic was and if it indicated a problem or required further investigation. There were about 50 such attempts in the first 3 minutes that the network cable was plugged in and then they stop. This is the second time that I've seen this.
Does that make it any clearer?
TheWiseGuy: Certainly makes it clearer. Is the Default Gateway where these packets are sent the computer Default Gateway or the router Default Gateway?
Is the Modem/Router being used as a router?
Are you using one of the large Hosts files to block sites?
Blue2: The address shows up in ipconfig as the Default Gateway.
The cable modem router is being used as a router, as my wife connects to it as well.
And yes, I forgot to ask if the MVPS HOSTS file could be having an effect, as I have the DNS service set to manual since it's 938 KB with both MVPS and Spybot adding entries.
TheWiseGuy: So the address is 192.168.XXX.XXX and it is the router address?
Blue2: Yes, you got it. It's the router address.
I just set up this home network a few weeks ago (my first) and I didn't realize that the DHCP Server address is the router address.
Does that explain these connection requests?
TheWiseGuy: Yes, I believe it likely explains it. I think it is likely that the requests are occurring prior to the start of svchost. The router will be a proxy DNS server. So DNS requests would be from the individual programs before svchost starts. With the hosts file, svchost probably does not start as fast as the AV and the firewall. I would normally say you can allow or deny these packets without a problem, but if you want to make sure the Hosts file is used, you would not want the programs to do the lookup, so you would want to create a rule to Deny these packets, and not Alert.
Blue2: That makes perfect sense and is great advice. I've only seen the requests coming from Kerio and KAV and only within the first few minutes after connecting to the network. So I think I'll create a rule to block the packets from those apps and not alert, whereas I do like to be alerted when other DNS connections are blocked when I attempt to connect when traveling.
Does setting the DNS client to manual have any effect on svchost.exe startup, particularly if the hosts file is large?
TheWiseGuy: I am not an expert on this stuff.
According to Black Viper (one of the sources on services):
"Manual ~ Manual mode allows Windows to start a service when needed. However, very few services will start up when required in Manual mode. If you find you need a service, place it into Automatic."
So setting it to manual means that it will not start until the first DNS request. So you speed the start-up of the computer but then have to wait for svchost to start to have it do the lookup.