UDP System (PID 4) destination port 65535 DNS

I connected a new computer to the network, with newly installed Windows 7 and Comodo firewall.

Nevertheless, I could not load any site.

I looked at the firewall logs. There are blocked outgoing UDP connections from System (PID 4), source port 49152, destination port 65535, destination address: DNS, ISP. When I allowed these connections, everything was fine and the sites loaded.

After some research I discovered the following.
If I disable the DNS client (and some services), sites are loaded when the System UDP destination port 65535 DNS is blocked. (There are blocked connections in the firewall logs.)

If I enable the DNS client, sites are not loaded when the System UDP destination port 65535 DNS is blocked.

I tried to analyze the traffic with TCPView and netstat. There is no established connection with such parameters. netstat -abn shows UDP : TCPView says System (PID 4) Local port 49152 Remote address * Remote port * State (nothing)

What does all this mean?

DNS traffic should be on port 53 normally, do you have any special software installed for your Internet connection?

Ronny beat me to the most succinct, albeit utterly unedifying, reply; I operate on the principle of why use merely 25 words when 100x that many would do as well?

DNS is domain name service and is necessary for IP address resolution of a URL.

I can only vouch for v5…1135 (my understanding of v1142 w/‘secure DNS’ is non-existent). So, I’m utterly unclear what this UDP protocol (DNS) is doing on the highest port you mention. However, that being said, allow me to be so bold as to provide some edification concerning this issue; what follows is because you mention tools not commonly known with respect to network troubleshooting by the unedified. Once you have had the subnetting epiphany, you’ll mercilessly (and ceaselessly) kick yourself for being so stupid as not to have seen what’s so plainly obvious that an infant can grasp it.

Your initial question was wide ranging and contained a lot of ‘in-the-know’ content (so bear with my bloviating response).

DNS is resolved via the UDP protocol to authoritative DNS servers on port 53. Your ISP has at least two DNS servers that are authoritative for it. There are other DNS servers that can be utilized instead, e.g., OpenDNS. CIS offers its own DNS servers also.

For a home LAN, there will be a modem that interfaces with a gateway, i.e., router. The primary gateway, i.e., router, is often configured to act as primary DNS server for the LAN. The IP address of the modem is assigned by the IP leasing schema of the ISP. The only thing the modem sees is the IP address of the gateway / router; this is typically; this can be configured to be any valid IP address available.

Now, the gateway / router can be configured to act as either DHCP server or primary DNS server (or both roles). As DHCP server, the router assigns IP addresses to each node on the entire subnet for which it has been specified as primary DHCP server. This is specified in the TCP/IP configuration of each NIC for every node on a subnet. I say ‘node’ because ‘host’ implies that the host is sharing resources; I digress. It is worth understanding the concept of ‘broadcast’ and ‘network’ subnet address.

The concept of a broadcast address is purely dependent on the subnet. The definition of broadcast address is “all ones” in the host field. Without knowing the subnet mask, we can’t know whether something is all ones or not.

The default command in today’s IOSs (and for several years now) is to ALLOW subnet zero (and the all-ones subnet as well). So yes, assume they are there unless told otherwise; BTW, IGRP is the classful routing protocol, not EIGRP. EIGRP will auto-summarize to classful boundaries, but it itself is classless. That probably means gibberish to those not having had the subnetting ‘epiphany’.

What it boils down to is that for subnet x.y.z.?, the mask stipulates that x.y.z.255 is the broadcast IP address for the subnet x.y.z.? and the network address is x.y.z.0; all nodes will respond appropriately to broadcast traffic via traffic addressed to the network address for the subnet.

IF the node’s TCP/IP configuration properties are ‘obtain IP address & DNS server address automatically’, then this information comes from the gateway / router (whether gateway / router, modem (default gateway), or ISP provided).

It’s my opinion that unless so implemented by network admins - having expert reasons to do so - gateway / routers shouldn’t be burdened with DNS requests. If one knows the primary & secondary DNS server addresses, each node’s DNS fields should be stipulated in the TCP/IP properties for one’s ISP. Bear in mind that, due to timeout issues, a third DNS server - proprietary to one’s ISP - may come into play. IF your ISP primary & secondary DNS servers are timing out, I believe that you need to allow an ICMP timeout protocol message IN from the ISP (or sumpin). That is most especially true IF you’re a security freak, use CIS (because: see previous few words), and you know ICMP to be pure evil.

The default MS config does not allow for configuring that, though. This’ll only become evident if you watch your logs closely.

Long & short of this way TOO long screed (very sorry for that - NOT): you need to open up DNS into and out of your system. If you’ve got your security ratcheted up to grimace proportions (good job), then you need to know what’s going on. Which DNS service providing servers should you allow YOUR subnet LAN access to?

Dunno, but one thing certain: I’m going to bet all of your lives collectively that if you see incoming DNS (UDP on port 53) you are positively hacked (or your IPS is).

No, I have no software installed for the Internet connection.

The outgoing UDP System connection tries to connect not only with the DNS, but also with the IPs of some visited sites (destination port 65535). I blocked these connections, and there is no problem with site loading.

I installed Comodo on my second PC with Windows XP. There is the same outgoing System UDP, destination port 65535, but with source port 1025. It tries to connect with DNS and some visited sites. This connection is blocked, and everything works fine.

I disabled many Windows XP services (DHCP, IPSec, SNMP, etc.). At one point I discovered that there is no outgoing System UDP destination port 65535! Oddly enough, the results of TCPView and netstat are the same and have not changed (TCPView says System (PID 4) Local port 1025 Remote address * Remote port * State (nothing)).

I tried to repeat this with Windows 7, disabling the largest possible number of services, but have not achieved the same result. If I turn off the DNScache service, I can load sites. If I turn on DNScache, I can’t load sites. Once again, Comodo displays blocked System UDP destination port 65535. Netstat says UDP :

WxMan1, thanks for your reply.
I would like to stress that I’m connecting with the DNS of my ISP on port 53. There is outgoing UDP from svchost.exe to DNS, destination port 53.
The node’s TCP/IP configuration properties are not ‘obtain IP address & DNS server address automatically’.
There is an additional outgoing connection from System (PID 4) attempting to reach DNS and some of the visited sites. This connection is blocked.

You’re correct about port 53. Unless there’s reason to distrust such an integral component of Windows as SVCHost, my suggestion is to allow out & in from all comers. Be very, very, VERY careful what you allow IN into your system; allowing OUT from your system is not so bad.

IF you believe that your system is reasonably suggestive to be secure, then you should allow all D+ actions, and firewall actions.

I’d say that IF it is reasonable that w/in 4.3 weeks each and every aspect of your system’s access to the internet would be tested, then begin to question your alerts.

Until then just consider the alerts to be establishment of a security baseline. You could circumvent all that by watching your system like a hawk for the next 48-96 hours and invoking every thing known to Man. How would you know you didn’t forget something?

Please accept my apologies for being too verbose.

When I talk to newbs I try to use as many of the terms / buzz-words that are Google-ly possible.

If NONE of that makes sense, then return and speak in your native tongue; somebody WILL help you.

WxMan1, thank you for your interest in this topic. I’ll be glad to see your comments.

I found that initially System tries to connect with (UDP outgoing, source port 49152, destination port 65535). This connection is blocked, and then it tries to connect with DNS (UDP outgoing, source port 49152, destination port 65535).
If I block this connection and the DNS Client service is turned on, I can’t load any site. There are no active connections with DNS.
If I allow outgoing UDP System, source port 49152, destination port 65535, destination IP [DNS], I can load sites. There are active svchost.exe connections to DNS, destination port 53.
If the DNS Client service is turned off, I can load sites with UDP System totally blocked.

My rules for svchost.exe:
1. Allow UDP outgoing, source port [Any], destination port 53, destination IP DNS
2. Allow TCP outgoing, source port [Any], destination ports 80,443, destination IP [range of Microsoft update]
3. Block and log any incoming and outgoing connections.

I can’t understand what System requires this connection for.

It’s very difficult to pin-point this based on the info provided; you have heavily tweaked your Windows setup, so “normal” behavior isn’t expected in your setup.

Based on the Multicast address it’s probably LLMNR (Link Local Multicast Name Resolution).

In responding to queries, responders listen on UDP port 5355

Read here about LLMNR and options to disable it.
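The last reply suggests LLMNR. The script below is an added example written for this page, not code posted by anyone in the thread, and not from Comodo or Microsoft. It shows how to check that suggestion on the machine itself: it maps UDP endpoints to their owning PIDs (so you can see what System, PID 4, and the Dnscache svchost actually hold open), looks for an LLMNR responder on UDP 5355, reads the policy value that governs LLMNR, and, only with the -Disable switch, turns it off. Assumptions: an elevated PowerShell prompt, English netstat output, and PowerShell 2.0 or later (the Windows 7 default; netstat is used instead of Get-NetUDPEndpoint, which only exists from Windows 8 on).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes English netstat output and PowerShell 2.0+ (Windows 7 default).
param([switch]$Disable)   # without -Disable the script only reports; nothing is changed

# 1. Map every UDP endpoint to its owning PID. Format of each netstat -ano row:
#    "  UDP    0.0.0.0:5355    *:*    1234"  ->  Proto, Local, Remote, PID
$udp = netstat -ano -p UDP |
    Where-Object { $_ -match '^\s*UDP\s' } |
    ForEach-Object {
        $f = ($_.Trim() -split '\s+')
        New-Object PSObject -Property @{ Local = $f[1]; Remote = $f[2]; PID = [int]$f[3] }
    }

# 2. Find the svchost.exe that hosts the DNS Client (Dnscache). Its sockets, not
#    System's, are the ones expected to talk to the ISP resolver on UDP 53.
$dns = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"
"Dnscache state: $($dns.State), hosted in PID $($dns.ProcessId)"

"UDP endpoints owned by System (PID 4):"
$udp | Where-Object { $_.PID -eq 4 } | Format-Table Local, Remote -AutoSize
"UDP endpoints owned by the Dnscache svchost:"
$udp | Where-Object { $_.PID -eq $dns.ProcessId } | Format-Table Local, Remote -AutoSize

# 3. LLMNR responders listen on UDP 5355; queries are sent to multicast 224.0.0.252.
#    A listener here is the on-host evidence that backs the firewall-log guess.
$llmnr = $udp | Where-Object { $_.Local -like '*:5355' }
if ($llmnr) {
    $owners = ($llmnr | ForEach-Object { $_.PID }) -join ', '
    "LLMNR listener on UDP 5355 found, owning PID(s): $owners"
} else {
    "No UDP 5355 listener; LLMNR is not currently bound on this host."
}

# 4. Policy switch for LLMNR. EnableMulticast = 0 under this key is what the
#    "Turn off multicast name resolution" group policy writes.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$cur = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($null -eq $cur)   { "EnableMulticast not set: LLMNR enabled (Windows default)" }
elseif ($cur -eq 0)   { "EnableMulticast = 0: LLMNR disabled by policy" }
else                  { "EnableMulticast = $cur: LLMNR enabled by policy" }

if ($Disable) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
    "EnableMulticast set to 0. Restart the DNS Client service (or reboot), then re-run without -Disable to confirm the 5355 listener is gone."
}
```

Run it once without arguments to get the report, compare the PIDs it prints against what TCPView and the Comodo log show, and only then run it with -Disable. One caveat worth keeping in mind: the check above is for UDP 5355, while the firewall entries quoted in the thread name destination port 65535, so the two should be compared rather than assumed to be the same traffic.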