OpenDNS Why the bocls especially high severity

I posted a comment earlier about some blocks being caused by user software.

But since running OpenDNS I have getting a several blocks that the source is OpenDNS. IS OpenDNS just not working smoothly with Comodo? Is OpenDNS worth keeping and using?

Why would OpenDNS need to do port scans?

In searching the OpenDNS site, I read that everything is normal and in one post they say to contact Comodo

OpenDNS is supposed to help for bad sites but also speed up browsing, but with Comodo needing to report blocks, I wonder if in some instances the combination of the two might be slowing down surfing?

Here are 3 extractions from the last 24 hour log. If you check the destination and source IP addresses are for OpenDNS.


Date/Time :2007-09-26 21:48:55
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 24.XXX.XX.XXX
Destination: Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 7

Date/Time :2007-09-26 21:48:42
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)Application: C:\Program Files\Internet Explorer\iexplore.exeParent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Details: C:\Program Files\MSN Messenger\msnmsgr.exe has modified the the User interface of C:\Program Files\Internet Explorer\iexplore.exe by sending special Window messages.

Date/Time :2007-09-26 21:36:14
Severity :High
Reporter :Network Monitor
Description: UDP Port ScanAttacker:
Ports: 37897, 24841, 25097, 26377, 26633, 27145, 27401, 28681, 28425, 29193, 29449, 30217, 30473, 32009, 32265, 32521, 33289, 33545, 33801, 35081, 35337, 35593, 36105, 35849, 37129, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

Give them a ring and ask them.

There’s a handy free tool you can download from IPNetInfo: Retrieve IP Address Information from WHOIS servers called IPNetinfo. It’s a stand-alone program so there’s no installation required. Launch it and then type in the attacker’s IP address and click OK. Double click the highlighted result to get more info, in this particular case, as shown in the pix:

[attachment deleted by admin]

I’ve found that these ICMP packets are annoying in the logs, but are not a problem. Somebody asked me the same question a while back, with a different firewall. I was able to replicate it with a WinXP box talking to a DNS server not a meter away. A packet sniffer on that testing showed what was happening:

WinXP fires off 3 DNS query packets. That’s pretty standard. The DNS server gets 3 queries, and answers all of them. Because there is one wire, the answers get serialized. The Windows application that is waiting for an answer takes the first one that comes in. And then it closes it’s port. The remaining two answers that are still coming in over the wire, now have no place to go: port unreachable. ICMP error message goes out that says ‘your message of whatever was not delivered’. Annoying, but harmless.

The solution was to introduce a firewall rule, just ahead of the ‘block and log all’, that says something like this:

block, but do not log, ICMP packets from ‘me’ outbound to anybody that say ‘port unreachable’.

It keeps the logs clean, and the DNS server gets a slightly lower flood of inbound traffic.

This is a different problem, and is something that is in another thread ‘UDP port scan and an HP all-in-one’. I haven’t compared the port list, but it looks familiar.