
Virgin's DNS servers: ports 1038 and 1623


cliveb
06-02-2008, 11:42
A couple of days ago, Virgin's DNS servers started sending UDP packets to ports 1038 and 1623 in response to standard DNS lookup requests. I noticed this because my firewall started popping up messages to the effect. I've had to add some firewall rules to allow these UDP packets through, otherwise name lookups fail.

Does anyone know why this might have started happening, and whether it is anything sinister? If it's relevant, I'm in the Watford area (DNS servers are 194.168.4.100 and 194.168.8.100).

eth01
06-02-2008, 12:59
All customers with Virgin Media use the same DNS servers. I've no idea as to why it's probed your system, either.

v0id
06-02-2008, 16:01
All customers with Virgin Media use the same DNS servers.

No they don't

eth01
06-02-2008, 19:53
No they don't

By default and standardization they do. ;)

Toto
06-02-2008, 20:16
Cliveb, the firewall you are using, is it a stateful packet inspection firewall, such as Zonealarm?

v0id
07-02-2008, 00:08
By default and standardization they do. ;)

No, they really don't. Ex-Telewest areas still use separate DNS servers to ex-ntl ;)

hokkers999
07-02-2008, 22:53
A couple of days ago, Virgin's DNS servers started sending UDP packets to ports 1038 and 1623 in response to standard DNS lookup requests. I noticed this because my firewall started popping up messages to the effect. I've had to add some firewall rules to allow these UDP packets through, otherwise name lookups fail.

Does anyone know why this might have started happening, and whether it is anything sinister? If it's relevant, I'm in the Watford area (DNS servers are 194.168.4.100 and 194.168.8.100).

There is nothing stopping you running your own DNS service. This is the one that I use

http://www.ntcanuck.com/

xpod
07-02-2008, 23:04
There is nothing stopping you running your own DNS service. This is the one that I use

http://www.opendns.com/

Not just faster DNS but many useful features.

cliveb
08-02-2008, 08:33
Cliveb, the firewall you are using, is it a stateful packet inspection firewall, such as Zonealarm?
I use Kerio 2.1.4. I like it because it's very lightweight and talks purely in terms of subnets, addresses, ports and applications, which means you know exactly what's going on.

I've done a bit more investigation, since other machines in the home network were not getting these firewall warnings. It turns out that their firewalls had a default "DNS" rule to allow UDP in from any address on port 53 to any internal port. My XP machine for some reason didn't have that.

I conclude that perhaps DNS lookups routinely receive their replies on various ports, and that for reasons I don't understand, my XP machine lost its default "DNS" rule a couple of days ago.

Toto
08-02-2008, 08:39
I use Kerio 2.1.4. I like it because it's very lightweight and talks purely in terms of subnets, addresses, ports and applications, which means you know exactly what's going on.

I've done a bit more investigation, since other machines in the home network were not getting these firewall warnings. It turns out that their firewalls had a default "DNS" rule to allow UDP in from any address on port 53 to any internal port. My XP machine for some reason didn't have that.

I conclude that perhaps DNS lookups routinely receive their replies on various ports, and that for reasons I don't understand, my XP machine lost its default "DNS" rule a couple of days ago.

You are spot on.

Basically, UDP is a connectionless protocol, so the only way a stateful firewall can track the UDP packet return is to set a very short TTL (Time To Live). If there is any sort of delay beyond this time, then the packet is blocked at the destination port, the DNS server though still thinks it should get through, so it gets sent at higher port numbers.

Well at least that is how it has been explained to me a number of times. There's lots of Internet articles on this.

lordy
09-02-2008, 16:57
I thought it would simply be a case of ephemeral ports being used. The DNS servers listen on port 53 but they send back to whatever ephemeral/high port your PC used for the outgoing request.

http://en.wikipedia.org/wiki/Ephemeral_port
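
The ephemeral-port explanation above, together with the earlier point about stateful tracking of UDP, as an added example that is not from this thread: a small Python model of how a stateful firewall decides on the reply to a DNS lookup. The query leaves the PC from an ephemeral port (1038 or 1623 in this case) to the resolver's port 53, and the answer comes back from port 53 to that same ephemeral port; the client LAN address and the 30 second UDP timeout are assumptions, and the static "source port 53" rule models the default "DNS" rule the other home machines had.

```python
UDP_TIMEOUT = 30.0  # assumed idle timeout for tracked UDP flows, in seconds


class UdpStateTable:
    """Toy model of how a stateful firewall tracks connectionless UDP: an
    outbound datagram records its 4-tuple, the reply is the swapped tuple, and
    entries expire after a short idle timeout because UDP has no close."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> last-seen time

    def outbound(self, src, sport, dst, dport, now):
        self.flows[(src, sport, dst, dport)] = now

    def reply_tracked(self, src, sport, dst, dport, now):
        key = (dst, dport, src, sport)  # reverse of the outbound tuple
        seen = self.flows.get(key)
        if seen is None or now - seen > self.timeout:
            self.flows.pop(key, None)  # expired entries are forgotten
            return False
        self.flows[key] = now  # refresh the entry on matching traffic
        return True


def decide(table, pkt, now, static_dns_rule):
    """Decide on an inbound UDP datagram (src, sport, dst, dport): stateful
    match first, then the static "DNS" rule (UDP in from any address with
    source port 53 to any local port) if the machine has one.
    Returns (allowed, reason)."""
    src, sport, dst, dport = pkt
    if table.reply_tracked(src, sport, dst, dport, now):
        return True, "reply to tracked outbound query"
    if static_dns_rule and sport == 53:
        return True, "static DNS rule (source port 53)"
    return False, "no state and no matching rule"


def demo(static_dns_rule):
    """Replay the thread's scenario with constructed packets; returns three decisions."""
    table = UdpStateTable()
    client = "192.168.0.10"  # constructed LAN address for the XP machine
    # Lookup sent from ephemeral port 1038 to 194.168.4.100:53; the answer comes
    # back from port 53 *to port 1038*, which is what the firewall reported.
    table.outbound(client, 1038, "194.168.4.100", 53, now=0.0)
    prompt = decide(table, ("194.168.4.100", 53, client, 1038), 0.2, static_dns_rule)
    # Second lookup from 1623 whose answer arrives after the UDP entry expired.
    table.outbound(client, 1623, "194.168.8.100", 53, now=1.0)
    late = decide(table, ("194.168.8.100", 53, client, 1623), 1.0 + UDP_TIMEOUT + 5, static_dns_rule)
    # Unsolicited datagram from a non-DNS source port: no state, no rule, dropped.
    stray = decide(table, ("194.168.4.100", 40000, client, 1038), 2.0, static_dns_rule)
    return prompt, late, stray
```

Running `demo(False)` shows the XP machine's situation: the late reply is blocked once the state entry has expired and no static rule backs it up.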

hokkers999
10-02-2008, 01:02
http://www.opendns.com/

Not just faster DNS but many useful features.

Did you check the link I provided? The DNS service runs on YOUR PC :dozey: