Attacked by DNS server?


What do you think about the attached image? The partly obscured IP address is of my ISP’s primary DNS server. The alert showing from yesterday has the same address but involves a rather different set of ports. I haven’t seen the like of this before yesterday.

Does the router pass all this because it’s a DHCP rule?

Win2K Pro SP 4, CFP, NOD32, DSL, formerly ran ZA free and (briefly) Lavasoft Firewall.

My current rules look like the second shot. My only custom rules pertain to the selfsame DNS servers but are very narrowly drawn, I think.

P.S. The second screenshot is by the (so far very nice) FastStone screen capture recommended by Toggie, after CFP caught the program I used before trying to call home.

[attachment deleted by admin]

Hi Ravenheart.

I have seen this before, but I still don’t have a definitive answer. Here, however, is my best guess, maybe one of my colleagues can supply a better answer.

As you know DNS works in the following way:

The client sends a query over UDP, with an arbitrary source port above 1023 and a destination port of 53

The initial response should come from one of your ISP’s DNS servers, and be directed back to (have a destination port equal to) the source port of the query. The source port of the response should also be 53.

If your ISP’s DNS server is slow to respond, it’s possible the client may time out and close the socket. If this happens the DNS server cannot complete the request on the original source port of the client. At this point the DNS server attempts to connect on an arbitrary port on the client, and CFP determines this to be an attack.

So in effect, what you’re seeing are in fact legitimate responses from the DNS server and not in actuality an attack.

As I say, that’s my best guess.

I’m glad you like Faststone Capture, unfortunately, the company has changed the licensing and it’s no longer free :frowning:
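To make the timing argument in the post above concrete, here is a small Python model of a stateful UDP filter. It is an added example written for this page, not code from the thread or from Comodo. It assumes the firewall remembers each outbound query to port 53 for a fixed window, forgets it when the window expires, and judges every inbound UDP packet against that table; the resolver address, ports, timestamps and the 5-second window are constructed values, not captured traffic.

```python
"""Stateful UDP filter model for the DNS exchange described above.

Added example for this page, not code from the thread or from Comodo.
Assumptions: the firewall keys state on (remote ip, remote port, local port),
keeps each outbound query to port 53 for `timeout` seconds, and drops any
inbound UDP packet with no matching entry. All addresses, ports and
timestamps below are constructed sample values.
"""
from dataclasses import dataclass, field

DNS_PORT = 53
DEFAULT_TIMEOUT = 5.0  # seconds a query stays "expected" (assumed value)


@dataclass
class Packet:
    t: float          # seconds since boot
    direction: str    # "out" = host to network, "in" = network to host
    remote_ip: str
    local_port: int
    remote_port: int


@dataclass
class StatefulFilter:
    timeout: float = DEFAULT_TIMEOUT
    # (remote_ip, remote_port, local_port) -> time the query left the host
    table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Forget queries whose reply window has passed; this is the moment
        # a late but legitimate reply starts to look like an attack.
        for key, sent in list(self.table.items()):
            if now - sent > self.timeout:
                del self.table[key]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            if pkt.remote_port == DNS_PORT:
                self.table[key] = pkt.t
            return "allow"
        if key in self.table:
            del self.table[key]  # one reply per query
            return "allow"
        # No state: either the reply came after the window or nobody asked.
        if pkt.remote_port == DNS_PORT:
            verdict = "drop:dns-reply-without-state"
        else:
            verdict = "drop:unsolicited-udp"
        self.alerts.append((pkt.t, pkt.remote_ip, pkt.remote_port,
                            pkt.local_port, verdict))
        return verdict


def run_scenario(timeout: float = DEFAULT_TIMEOUT) -> list:
    """Replay constructed traffic through the filter and return the verdicts."""
    fw = StatefulFilter(timeout=timeout)
    resolver = "203.0.113.53"  # stand-in for the ISP resolver (documentation range)
    traffic = [
        Packet(0.0, "out", resolver, 1030, DNS_PORT),  # query, answered promptly
        Packet(0.4, "in",  resolver, 1030, DNS_PORT),
        Packet(1.0, "out", resolver, 1031, DNS_PORT),  # query, resolver is slow
        Packet(7.0, "in",  resolver, 1031, DNS_PORT),  # reply 6 s later
        Packet(8.0, "in",  resolver, 1040, DNS_PORT),  # reply to a port never used
        Packet(8.5, "in",  resolver, 1041, 5000),      # plain unsolicited UDP
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Run `run_scenario()` with the default 5-second window and the reply that arrives six seconds after its query is dropped; run it with `timeout=10.0` and the same packet is allowed. The filter has no way to tell that late reply from a packet nobody asked for: both are UDP from source port 53 with no matching state, which is why a slow resolver and a genuine probe can produce the same alert text in the log.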


Toggie, thanks again. That makes sense.

I might have put “attack” in quotes, kind of doubting that was plausible, but this seemed odd to me.

One possible problem, now that I think of it, is a URL bookmarking program called Powermarks that tries to update all its bookmarks periodically (it works as a Firefox extension or in other ways with other browsers). But if I close it in the middle of that, it may leave a lot of outstanding DNS requests. But I came across the log entries and couldn’t remember if I’d used it.

FastStone may be worth a few bucks. I’m a shareware fan.

I get the same thing at bootup - a UDP port scan on ephemeral ports.

Have a look here as well.
Comodo Forum

Ocky, as I look through the earlier thread, I think this remains a bit mysterious. I think my explanation involving the bookmarking program was mistaken, because I wouldn’t have been running it at that time in the morning; rather, I would have been just starting up.

What you said here looks promising–does this still check out in your mind?

Win2K/XP machines will by default register themselves with WINS and DNS servers (assuming WINS/DNS is configured in your network settings). To my knowledge, there's no preference. By default, they will try to *resolve* a name through DNS before WINS. To prevent your Win2K/XP machines from trying to register themselves with DNS servers, uncheck "Register this connection's addresses in DNS" in your TCP/IP configuration.

I’ll look into that option (I find that it is checked, but I’m unsure of the implications). The router picks up the DNS addresses through DHCP and passes them on to the PCs through DHCP, and then the Win2K box is trying to “register” itself with the servers? And this is self-evidently nonsensical of it? I wonder what that means.

Just a couple of points. An XP/Win2k box will only register itself with a WINS or DNS server if explicitly told to do so, and also only if such servers exist on the network.

The method used for name resolution depends upon the type of name being resolved. A NetBIOS name will be resolved differently from a Host name. The order of resolving methods is also different, dependent upon the name type.

The Register with DNS servers check box is only used in situations where Dynamic DNS is implemented. This is typically within a LAN.


Toggie, so if I have a LAN and DHCP, but the DNS servers are abroad and their addresses are just being passed on (not proxied), the check box setting is useless?

The check box in question should not be ‘checked’ by default. To explain: Microsoft, along with others, can employ a system known as Dynamic DNS. In this situation, the clients configured to register their names with a DNS server send a Dynamic DNS update request to the DNS server; this has the effect of writing an ‘A’ (Address) record in the DNS database. This process is actually performed, not by the DNS client service, but by the DHCP client service.

In essence, it makes it easier to maintain DNS databases in an environment where the IP Address is constantly changing.

There are some third party Dynamic DNS providers on the Net, but you’d have to register to use their services and typically they are used for server hosting, where the individual doesn’t have a static IP Address.
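As an added example for this page (not code from the thread, and not Microsoft's implementation), the following Python builds the kind of message the registration option produces, an RFC 2136 DNS UPDATE with opcode 5 carrying an A record, and decodes it again. It is the quickest way to recognise such registration attempts in a capture: the third and fourth header bytes read 0x28 0x00 instead of the 0x01 0x00 of an ordinary recursive query. Zone, host name, address and transaction ID are made-up values; prerequisite records and TSIG signatures, which a real client may include, are left out.

```python
"""Build and decode an RFC 2136 DNS UPDATE ("Dynamic DNS") message.

Added example for this page, not code from the thread. It shows what a
client that registers its address sends on the wire: an opcode-5 message
naming the zone and carrying an A record to add. Zone, host name,
address and transaction ID are made-up values; prerequisites and TSIG
signing, which real clients may add, are left out.
"""
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence ending in a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Inverse of encode_name; returns (name, offset after the name).
    The builder never emits compression pointers, so none are handled."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(txid: int, name: str) -> bytes:
    """Ordinary recursive A query, for contrast with the update."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_update(txid: int, zone: str, host: str, ip: str, ttl: int = 1200) -> bytes:
    """UPDATE adding an A record for `host` to `zone` (no prerequisites)."""
    flags = OPCODE_UPDATE << 11  # QR=0, opcode 5, nothing else set
    # counts: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    update_rr = (encode_name(host)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                 + rdata)
    return header + zone_section + update_rr


def opcode_of(msg: bytes) -> int:
    """Opcode field of any DNS message: 0 = query, 5 = update."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return (flags >> 11) & 0xF


def parse_update(msg: bytes) -> dict:
    """Decode header, zone section and the prerequisite/update RRs."""
    txid, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    zone, off = decode_name(msg, off)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    # Prerequisite and update RRs share one wire format, so walk both.
    for _ in range(prcount + upcount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return {"txid": txid, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "zone_type": ztype, "records": records}


if __name__ == "__main__":
    sample = build_update(0x1234, "example.lan.", "win2k-box.example.lan.", "192.168.1.20")
    print(sample.hex())
    print(parse_update(sample))
```

The zone section names the zone with an SOA query record, and the update section carries the A record to add; a client that only talks to a public recursive resolver has no zone of its own to update, which is why this message is normally only meaningful on a LAN with a DNS server that accepts dynamic updates.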

Mine is unchecked - makes no difference. Funny thing is that since using a proxy server (via Proxomitron) I have never again seen these attacks in my logs. A support ticket was submitted - here is the reply (maybe in version 3 it will be OK):

"Thanks for Details. We will try to investigate this in our lab and if we can produce, will come up with necessary updates in our next version Comodo Firewall V3 (expected to be released by mid of June 2007). Meanwhile kindly bear with us.

Technical Support"

I am stumped - Toggie is your best bet… ;D