Port probe from NTL DNS?


BootBoy
20-01-2004, 18:15
Hi all

Been lurking here for a while, but this is my first post.

Hope somebody can help me here.
Since 14th January I have been getting firewall alerts of a port probe.
Originating IP is NTL DNS server!

Your computer's UDP ports:
21537, 45094, 35787, 36220 and 13691 have been scanned from 194.168.8.100.

Your computer's UDP ports:
45368, 61495, 28595, 20221 and 25385 have been scanned from 194.168.4.100.

Etc etc. I have almost 100 of them on various ports.

Given that NTL are known for their DNS problems, I switched DNS and added in
Easynet, Zen and BTopenworld DNSs.

Now my firewall is not reporting port probes, but is blocking some traffic
from the DNS servers:

01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2384 Incoming Blocked
01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2386 Incoming Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked

194.73.73.94/5 are BTopenworld DNS servers



I can still browse OK, so I am getting addresses resolved!

Can anybody suggest what may be happening?

Thanks in advance

iadom
20-01-2004, 19:17
Hi all

Been lurking here for a while, but this is my first post.

Hope somebody can help me here.
Since 14th January I have been getting firewall alerts of a port probe.
Originating IP is NTL DNS server!

Your computer's UDP ports:
21537, 45094, 35787, 36220 and 13691 have been scanned from 194.168.8.100.

Your computer's UDP ports:
45368, 61495, 28595, 20221 and 25385 have been scanned from 194.168.4.100.

Etc etc. I have almost 100 of them on various ports.

Given that NTL are known for their DNS problems, I switched DNS and added in
Easynet, Zen and BTopenworld DNSs.

Now my firewall is not reporting port probes, but is blocking some traffic
from the DNS servers:

01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2384 Incoming Blocked
01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2386 Incoming Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked

194.73.73.94/5 are BTopenworld DNS servers



I can still browse OK, so I am getting addresses resolved!

Can anybody suggest what may be happening?

Thanks in advance
What firewall are you using? You should configure it to allow at least 2 DNS servers through. Check out Robin Walker's website. The link is at the bottom of the home page.

Try this page: http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html
:welcome: to ntlhellworld BTW.

BootBoy
20-01-2004, 19:47
What firewall are you using? You should configure it to allow at least 2 DNS servers through. Check out Robin Walker's website. The link is at the bottom of the home page.

Try this page: http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html
:welcome: to ntlhellworld BTW.
I'm using Sygate's free offering.

I haven't had this problem before, and I've never configured my firewall to explicitly allow DNS traffic? It's only been happening since 14/1/4.

As far as I know all ports are stealthed unless an application opens it, so an app would send a DNS request to the server on port 53 and request the response to port xxxxx, which would then open the port to traffic from that server. (AFAIK)

I can resolve addresses OK, and the probes stop when I switch to other DNS servers (although my firewall is still blocking some packets).

A friend who is also on NTL gets the occasional dodgy traffic also. His Smoothwall log shows:
Date: 01/15 13:29:09
Name: DNS SPOOF query response with ttl: 1 min. and no authority
Priority: 2
Type: Potentially Bad Traffic
IP Info: 194.168.8.100:53 -> 62.255.***.***:1025
Refs:

iadom
20-01-2004, 20:13
Not sure about Sygate, use ZA Pro and put any DNS servers in my Trusted Zone, using Zen DNS ATM but leave the original Ntl DNS in as well, it stops a lot of needless firewall reports.

Julian
22-01-2004, 16:03
I was about to start a thread about this... I have exactly the same problem. :(

Same 194.168.4.100 or 194.168.8.100 remote host and same firewall. It also started for me on about the same date. :confused:

Checked out your reply iadom :tu: I can't see how to set this up though :cry:

Why has it only just started happening?

Any help appreciated please. :)

iadom
22-01-2004, 18:55
Sorry, only just managed to log back in.

To allow DNS servers in ZoneAlarm go to "Firewall" then "Zones", at the bottom is an add>> button, from here you can add servers to your trusted zone.

This is my trusted zone ATM.

Julian
22-01-2004, 19:41
Thanks again iadom. :)

I didn't make myself clear though, when I said I had the same firewall, I meant I have Sygate like Bootboy. :)

I can't find a similar facility to the one you have on there. :(

rdhw
23-01-2004, 09:54
Since 14th January I have been getting firewall alerts of a port probe. Originating IP is NTL DNS server!
These are not port probes at all. They are legitimate but belated replies from the DNS servers to requests that your PC has made, being incorrectly logged as probes by your firewall, after either your PC or your firewall has given up waiting for the reply.

DNS queries and replies are carried by (connectionless) UDP, with no real time limit on how long the reply might take to arrive after the query. Firewalls should note outgoing UDP, and expect legitimate replies on the same port at some time in the future. If the firewall times out this wait before the DNS servers reply, then the firewall logs a false port probe.

You should configure your firewall to trust all traffic from your DNS servers, then these false logs will not occur. See Personal firewall configuration (http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#fwconfig) for more.
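The diagnosis above (a packet from UDP/53 on a configured resolver, arriving at an ephemeral local port after the firewall has forgotten the query) can be applied mechanically to the log lines posted earlier in the thread. The following script is an added example written for this thread, not code from the thread, from Sygate or from Robin Walker's site. It parses the eight-field line format shown in BootBoy's post, keeps an allow-list built from the resolver addresses named in the thread, and labels each blocked entry. The verdict names, the `EPHEMERAL_MIN` cut-off and the final sample line (from a documentation-range address) are constructed for the example.

```python
"""Triage personal-firewall log lines: late DNS replies versus real probes.

Added example for this thread; it is not code from the thread or from any
firewall product. The line format follows the entries posted above:
    MM/DD/YYYY HH:MM:SS src_ip src_port dst_ip dst_port Direction Action
The resolver allow-list is built from the server addresses named in the thread;
the last sample line and the verdict names are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Resolvers this host is configured to use (the addresses named in the thread).
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("194.168.4.100"),  # NTL
    ipaddress.ip_address("194.168.8.100"),  # NTL
    ipaddress.ip_address("194.73.73.94"),   # BTopenworld
    ipaddress.ip_address("194.73.73.95"),   # BTopenworld
}

# Client (ephemeral) ports of the era start at 1024; a reply to a query sent
# from such a port lands there rather than on a service port. (Assumed cut-off.)
EPHEMERAL_MIN = 1024


@dataclass
class LogEntry:
    timestamp: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_ip: str          # kept as text: the thread masks it as 81.106.xxx.xxx
    dst_port: int
    direction: str       # "Incoming" or "Outgoing"
    action: str          # "Blocked" or "Allowed"


def parse_line(line: str) -> LogEntry:
    """Parse one log line in the format shown in the thread."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"unexpected field count in log line: {line!r}")
    date, time, src, sport, dst, dport, direction, action = fields
    return LogEntry(
        timestamp=f"{date} {time}",
        src_ip=ipaddress.ip_address(src),
        src_port=int(sport),
        dst_ip=dst,
        dst_port=int(dport),
        direction=direction,
        action=action,
    )


def classify(entry: LogEntry) -> str:
    """Label a blocked entry.

    A packet *from* UDP/53 on a configured resolver, addressed to an ephemeral
    local port, is what rdhw describes: a reply to a query the firewall has
    already given up on. Other inbound blocks may still be genuine probes;
    outbound blocks are left for a human to review.
    """
    if entry.action != "Blocked":
        return "allowed"
    if entry.direction == "Incoming":
        if entry.src_port == 53:
            if entry.src_ip in TRUSTED_RESOLVERS and entry.dst_port >= EPHEMERAL_MIN:
                return "late-dns-reply"
            return "dns-reply-from-unknown-server"
        return "unsolicited-inbound"
    return "review"


def triage(lines):
    """Return (verdict, entry) pairs for every non-empty line."""
    return [(classify(e), e) for e in (parse_line(l) for l in lines if l.strip())]


def summarize(lines):
    """Count verdicts so the reader can see how many 'probes' were really DNS."""
    counts = {}
    for verdict, _ in triage(lines):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Sample input: the four lines posted in the thread plus one constructed line
# from a documentation-range address that does look like an unsolicited probe.
SAMPLE_LOG = """
01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2384 Incoming Blocked
01/16/2004 19:35:24 194.73.73.95 53 81.106.xxx.xxx 2386 Incoming Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked
01/16/2004 19:35:27 194.73.73.94 0 81.106.xxx.xxx 0 Outgoing Blocked
01/16/2004 19:40:02 203.0.113.7 4321 81.106.xxx.xxx 135 Incoming Blocked
""".splitlines()

if __name__ == "__main__":
    for verdict, e in triage(SAMPLE_LOG):
        print(f"{e.timestamp} {e.src_ip}:{e.src_port} -> :{e.dst_port} "
              f"{e.direction} {e.action}  {verdict}")
    print(summarize(SAMPLE_LOG))
```

Run against the sample, the two "Incoming Blocked" lines from 194.73.73.95:53 are labelled late DNS replies, the constructed line to port 135 stays an unsolicited inbound block, and the two "Outgoing Blocked" port-0 lines are left for review rather than explained away. The allow-list only says where a packet claims to come from; the Smoothwall "DNS SPOOF" alert quoted earlier in the thread is a reminder that a UDP source address is not proof of origin, so this is a triage aid, not a reason to stop logging.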

BootBoy
24-01-2004, 14:24
These are not port probes at all. They are legitimate but belated replies from the DNS servers to requests that your PC has made, being incorrectly logged as probes by your firewall, after either your PC or your firewall has given up waiting for the reply.

DNS queries and replies are carried by (connectionless) UDP, with no real time limit on how long the reply might take to arrive after the query. Firewalls should note outgoing UDP, and expect legitimate replies on the same port at some time in the future. If the firewall times out this wait before the DNS servers reply, then the firewall logs a false port probe.

You should configure your firewall to trust all traffic from your DNS servers, then these false logs will not occur. See Personal firewall configuration (http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#fwconfig) for more.
That makes sense, but why is the DNS replying to 5 ports? I understood that the client requests DNS info, stating which port it wants the reply on?

Julian:
To add DNS servers to Sygate:
Advanced rules--> Add
General tab--> add a description, click the allow radio button
Hosts tab--> add the IP addresses of the DNS servers (all the DNSs you want to use)
Ports & protocols tab--> all
Job done

Julian
24-01-2004, 14:26
That makes sense, but why is the DNS replying to 5 ports? I understood that the client requests DNS info, stating which port it wants the reply on?

Julian:
To add DNS servers to Sygate:
Advanced rules--> Add
General tab--> add a description, click the allow radio button
Hosts tab--> add the IP addresses of the DNS servers (all the DNSs you want to use)
Ports & protocols tab--> all
Job done

Thanks very much for that m8. :)

And thanks rdhw for your explanation. :)

:tu:

MadGamer
24-01-2004, 14:46
The firewall should configure itself automatically to allow DNS traffic though. Should it not?

BootBoy
24-01-2004, 14:56
I don't know, but the purpose of the exercise is to stop late traffic showing up in the logs, or triggering a probe alert, so if the f/w is set to always allow from that IP, no logs will be created.

rdhw
24-01-2004, 19:11
That makes sense, but why is the DNS replying to 5 ports? I understood that the client requests DNS info, stating which port it wants the reply on?
The DNS replies come back to the same UDP port that the client made the request from. The client uses a different UDP port for each request (except XP, which tends to use the same port all the time for sourcing DNS requests).

BootBoy
25-01-2004, 23:56
The firewall should configure itself automatically to allow DNS traffic though. Should it not?
I checked my firewall and found an option called smartDNS:

By default, this option is enabled in the Standard version and cannot be changed, while it is enabled and changeable in the PRO version of the Personal Firewall. Smart DNS is a feature that blocks all DNS traffic, except for outgoing DNS requests and the corresponding reply. This means that if your computer sends out a DNS request, and another computer responds within five seconds, the communication will be allowed. All other DNS packets will be dropped.
If you disable this feature, please note that you will need to manually allow DNS name resolution by creating an advanced rule that allows UDP traffic for remote port 53

This explains some things, but not others!
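rdhw's explanation (the firewall notes an outgoing UDP query and expects the reply on the same local port, and logs a "probe" once its wait has expired) and the five-second Smart DNS window quoted above describe one mechanism. The model below is an added example written for this thread; it is not code from the thread, from Sygate or from any other firewall. It tracks pending queries the way rdhw describes, lets the reply window be set, and shows the effect of the trusted-server rule discussed in the thread. The resolver address and the five client ports come from the first post; the local address, the timings and the class and function names are constructed.

```python
"""Model of a stateful personal firewall tracking DNS-over-UDP replies.

Added example for this thread; not code from the thread, from Sygate, or from
any other firewall product. It reproduces the behaviour rdhw describes (the
firewall notes an outgoing UDP query and expects the reply on the same local
port) with a configurable reply window such as the five seconds quoted from
the Sygate Smart DNS documentation, and shows how a trusted-resolver rule
stops the false "scanned from" entries. Hosts, timings and the local address
are constructed; the five client ports are the ones in the first post.
"""
from dataclasses import dataclass, field

RESOLVER = "194.168.8.100"                     # NTL resolver named in the thread
LOCAL_HOST = "81.106.0.1"                      # constructed stand-in for 81.106.xxx.xxx
QUERY_PORTS = [21537, 45094, 35787, 36220, 13691]
REPLY_DELAYS = [0.2, 0.9, 6.5, 8.0, 30.0]      # seconds until each reply (constructed)


@dataclass
class Packet:
    t: float            # seconds since the start of the scenario
    direction: str      # "out" or "in"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulUdpFirewall:
    reply_window: float                           # how long a UDP reply is awaited
    trusted: set = field(default_factory=set)     # remote IPs always allowed in
    pending: dict = field(default_factory=dict)   # (local_port, remote_ip, remote_port) -> send time
    alerts: list = field(default_factory=list)    # the "port probe" log

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the query so the matching reply can be let back in.
            self.pending[(pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.t
            return "allow"
        if pkt.src_ip in self.trusted:
            # Trusted-zone style rule: anything from the resolver is accepted.
            return "allow"
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        sent = self.pending.pop(key, None)        # the entry is used up either way
        if sent is not None and pkt.t - sent <= self.reply_window:
            return "allow"
        # No matching query, or the wait expired: logged exactly the way the
        # first post's firewall did, even though the packet is a reply.
        self.alerts.append(f"UDP port {pkt.dst_port} scanned from {pkt.src_ip}")
        return "block"


def run_scenario(reply_window: float, trusted=frozenset()) -> dict:
    """Send one query per port at t = 0..4 s; replies arrive after REPLY_DELAYS."""
    fw = StatefulUdpFirewall(reply_window=reply_window, trusted=set(trusted))
    packets = []
    for i, (port, delay) in enumerate(zip(QUERY_PORTS, REPLY_DELAYS)):
        packets.append(Packet(i, "out", LOCAL_HOST, port, RESOLVER, 53))
        packets.append(Packet(i + delay, "in", RESOLVER, 53, LOCAL_HOST, port))
    replies_allowed = 0
    # Deliver in time order; an outgoing query precedes an inbound packet at the same instant.
    for pkt in sorted(packets, key=lambda p: (p.t, 0 if p.direction == "out" else 1)):
        if fw.handle(pkt) == "allow" and pkt.direction == "in":
            replies_allowed += 1
    return {"replies_allowed": replies_allowed, "alerts": fw.alerts}


if __name__ == "__main__":
    print("5 s window, resolver not trusted:", run_scenario(5.0))
    print("5 s window, resolver trusted:   ", run_scenario(5.0, {RESOLVER}))
    print("60 s window, resolver not trusted:", run_scenario(60.0))
```

With a 5-second window and no trusted entry, the three replies that take longer than 5 seconds are dropped and logged as scans of ports 35787, 36220 and 13691 from the resolver, which is the pattern in the first post. Adding the resolver to the trusted set, or lengthening the window, lets all five replies through. The trusted rule is a blunt instrument: it accepts any UDP packet claiming the resolver's address, so it trades the false alerts for a little less filtering, which is the trade the thread is discussing.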

BootBoy
26-01-2004, 00:06
The DNS replies come back to the same UDP port that the client made the request from. The client uses a different UDP port for each request (except XP, which tends to use the same port all the time for sourcing DNS requests).
Thanks for the clarification rdhw.
Do you have a resource where I can learn more about this? All the Google hits I have found so far tend to be quite high level, I'm looking for more than that, but less than RFCs ;-)

Thanks in advance.

rdhw
26-01-2004, 14:08
Smart DNS is a feature that blocks all DNS traffic, except for outgoing DNS requests and the corresponding reply. This means that if your computer sends out a DNS request, and another computer responds within five seconds, the communication will be allowed. All other DNS packets will be dropped.
Perhaps this explains the "DNS problems" that some users claim to have been suffering from: it was all the fault of their firewall. 5 seconds is far too short a time to allow for a DNS reply. Windows is prepared to wait for much longer. If firewalls have been deliberately dropping replies more than 5 seconds after the request, this might explain why some users have been experiencing DNS problems, and others have not.

rdhw
26-01-2004, 14:10
Do you have a resource where I can learn more about this?
All I can offer at present is http://homepage.ntlworld.com/robin.d.h.walker/cmtips/dnsname.html.

Stuartbe
26-01-2004, 14:37
Perhaps this explains the "DNS problems" that some users claim to have been suffering from: it was all the fault of their firewall. 5 seconds is far too short a time to allow for a DNS reply. Windows is prepared to wait for much longer. If firewalls have been deliberately dropping replies more than 5 seconds after the request, this might explain why some users have been experiencing DNS problems, and others have not.

That's a very good point rdhw.

But IMO any firewall or NAT worth its salt is not going to do this. I can't see the need to have the firewall security that high?

John Doe
26-01-2004, 15:39
Cheers for this Robin, I asked a while ago - well before Christmas and didn't get anywhere. It would explain how the "Port Scans" are getting to the PC behind a NAT (if they are requests from the PC).

Cheers.