
UDP packet being blocked

Anonymous
May 22, 2004 11:04:26 PM

Archived from groups: comp.security.firewalls (More info?)

Hello Group:

I notice on my firewall log that an outgoing UDP packet is frequently
being blocked. The source IP address is my IP address 192.168.1.100 --
router on a single computer -- and the destination address is
65.32.1.80, which is the IP address of my ISP, RoadRunner. The source
port is 1137, the destination port is 53.

I don't understand what this means. Why is an outgoing UDP packet
going to my ISP and why is it being blocked? The system seems to be
running OK.

Many thanks for advice.

Jack


Anonymous
May 22, 2004 11:04:27 PM


JClark wrote:

(snipped)

> being blocked. The source IP address is my IP address 192.168.1.100 --
> and the destination address is 65.32.1.80
> which is the IP address of my ISP
> source port is 1137, the destination port is 53.

This is a Domain Name Server (DNS) query. A program on
your system is trying to attain DNS information. This
is not a harmful activity, being outbound from your
system not in response to a request, based on
your description.

Why it is being blocked is a firewall rule.

Port 53 is reserved for DNS queries.

Purl Gurl
Anonymous
May 22, 2004 11:04:28 PM


Purl Gurl wrote:

> JClark wrote:

(snipped)

> > being blocked. The source IP address is my IP address 192.168.1.100 --
> > and the destination address is 65.32.1.80
> > which is the IP address of my ISP
> > source port is 1137, the destination port is 53.

> This is a Domain Name Server (DNS) query. A program on
> your system is trying to attain DNS information. This
> is not a harmful activity, being outbound from your
> system not in response to a request, based on
> your description.

Given this a bit more thought, although seemingly illogical,
you might want to scan your system for malware and spyware.
This is illogical because software of this type would not
need DNS information to "phone home." Nonetheless, writers
of malicious software like this, are not known for being
logical nor bright people. Doubt this is the source but
it is possible, albeit low probability.

Purl Gurl
Anonymous
May 22, 2004 11:19:10 PM


JClark wrote:

> I notice on my firewall log that an outgoing UDP packet is frequently
> being blocked. The source IP address is my IP address 192.168.1.100 --
> router on a single computer -- and the destination address is
> 65.32.1.80, which is the IP address of my ISP, RoadRunner. The source
> port is 1137, the destination port is 53.
>
> I don't understand what this means. Why is an outgoing UDP packet
> going to my ISP and why is it being blocked? The system seems to be
> running OK.

Port 53 is DNS - Domain Name Service. It resolves the host names (e.g.
www.apple.com) to IP addresses (among other things). 65.32.1.80 is most
likely the configured DNS server for your connection (check with
"ipconfig /all" in a command prompt). Basically any connection to the
internet (except those, that use an IP address directly) requires the
DNS server. My NIS 2004 (compared to 2003 I think) does not have a
general DNS rule anymore but allows DNS only for configured applications.
So I assume, that you have a program running that tries to access the
internet and that you block. Check the logs to find out which program it
is...

Gerald
Anonymous
May 23, 2004 12:11:08 AM


On Sat, 22 May 2004 12:29:08 -0700, Purl Gurl <purlgurl@purlgurl.net>
wrote:

>Purl Gurl wrote:
>
>> JClark wrote:
>
>(snipped)
>
>> > being blocked. The source IP address is my IP address 192.168.1.100 --
>> > and the destination address is 65.32.1.80
>> > which is the IP address of my ISP
>> > source port is 1137, the destination port is 53.
>
>> This is a Domain Name Server (DNS) query. A program on
>> your system is trying to attain DNS information. This
>> is not a harmful activity, being outbound from your
>> system not in response to a request, based on
>> your description.
>
>Given this a bit more thought, although seemingly illogical,
>you might want to scan your system for malware and spyware.
>This is illogical because software of this type would not
>need DNS information to "phone home." Nonetheless, writers
>of malicious software like this, are not known for being
>logical nor bright people. Doubt this is the source but
>it is possible, albeit low probability.
>
>Purl Gurl

Gerald, Purl:

I appreciate the prompt reply and advice. I don't recall seeing this
block in the firewall log before. But I recall disabling a number of
services recently (win2k), and the DNS client service was one of them.
I re-enabled it to automatic, rebooted. I thought this might take care
of the "problem". Unfortunately, the blocking still occurs. Yet the
browser activity seems pretty normal, although maybe a bit sluggish
with an occasional failure to resolve message.

Yes, Gerald, in ipconfig /all, the DNS server addresses are
65.32.70 and 65.32.70.

Purl, I doubt malware. I run antivirus and trojan software and check
for spyware often. But I can certainly check again.

I still don't know what is actually going on, but I could easily write
a firewall rule to permit that UDP packet for those IP addresses. Is
this what I should do?
Thanks again!

Jack
Anonymous
May 23, 2004 12:12:47 AM


Purl Gurl wrote:
> Given this a bit more thought, although seemingly illogical,
> you might want to scan your system for malware and spyware.
> This is illogical because software of this type would not
> need DNS information to "phone home." Nonetheless, writers

On the contrary. What is easier to get: a fixed IP address or a hostname
at let's say dyndns.org? Anyone will most likely use DNS to access the
internet.

Gerald
Anonymous
May 23, 2004 12:12:48 AM


Gerald Vogt wrote:
>
> Purl Gurl wrote:

> > Given this a bit more thought, although seemingly illogical,
> > you might want to scan your system for malware and spyware.
> > This is illogical because software of this type would not
> > need DNS information to "phone home." Nonetheless, writers

> On the contrary. What is easier to get: a fixed IP address or a hostname
> at let's say dyndns.org? Anyone will most likely use DNS to access the
> internet.

For these circumstances, it is not a "person" creating a
DNS query on port 53, it is software and software does not
care if one method is easier than another, it simply does
what it is programmed to do.

My thoughts are if I wrote malware software, I would simply
use an URL entry similar to this,

http... 192.168.1.1:8080/spy.cgi?spydata

Simple method.

However, malware writers, who are known to not be bright,
might use a www.somesite.net type entry, requiring a DNS
query, which adds additional complexity and an additional
chance of being detected. Greater detection is afforded
because a minimum of two port usages are needed instead
of a single port usage. Port 53 is a common port which
is blocked by firewalls. Other ports, not so common.

There is a slight possibility the originating author has
spyware on his system which generates this DNS query he
is noting via his firewall. Personally, I would check.

Purl Gurl
Anonymous
May 23, 2004 12:35:19 AM


JClark wrote:

> I appreciate the prompt reply and advice. I don't recall seeing this
> block in the firewall log before. But I recall disabling a number of
> services recently (win2k), and the DNS client service was one of them.
> I re-enabled it to automatic, rebooted. I thought this might take care
> of the "problem". Unfortunately, the blocking still occurs. Yet the
> browser activity seems pretty normal, although maybe a bit sluggish
> with an occasional failure to resolve message.

Again: find out what rule it is exactly and where it is configured. Your
logs should tell you that (hopefully). If my NIS blocks something, it
gives me the name of the rule. If the name is not clear enough, I can
have a look in the statistics windows which lists all the active rules
and usually by the rule before the one or after the one it is possible
to find out for which program it is configured. (The statistics windows
also tells you how often the rule blocks so it gives you a hint in the
right direction)

> Yes, Gerald, in ipconfig /all, the DNS server addresses are
> 65.32.70 and 65.32.70.

Well, these are no complete IP addresses and it is not the address you
have given us in the first post. Check it again... This would worry me a
little if some program uses a completely different DNS server than the
one configured via DHCP...

> Purl, I doubt malware. I run antivirus and trojan software and check
> for spyware often. But I can certainly check again.

You actually know that there is malware the antivirus and trojan software
does not detect and/or that malware is able to reconfigure antivirus and
trojan software to hide itself once it is actually running on your
computer. If you don't exactly know what you have been running on your
computer and that all that is clean then no one including an antivirus
software can really help you...

> I still don't know what is actually going on, but I could easily write
> a firewall rule to permit that UDP packet for those IP addresses. Is
> this what I should do?

No. You have no idea who or what is making the request. Now opening the
connection without knowing why is just making things worse. If it was
malware you would actually get into the real trouble then. Find out,
where and why this rule is defined. Find the program it is associated
with (if it is not a general rule). Once you find that place you can
reconfigure that rule.

If you cannot find the rule I would rather consider resetting all
firewall rules than just randomly allowing connections.

Gerald
Anonymous
May 23, 2004 1:03:28 AM


On Sat, 22 May 2004 13:27:52 -0700, Purl Gurl <purlgurl@purlgurl.net>
wrote:

>Gerald Vogt wrote:
>>
>> Purl Gurl wrote:
>
>> > Given this a bit more thought, although seemingly illogical,
>> > you might want to scan your system for malware and spyware.
>> > This is illogical because software of this type would not
>> > need DNS information to "phone home." Nonetheless, writers
>
>> On the contrary. What is easier to get: a fixed IP address or a hostname
>> at let's say dyndns.org? Anyone will most likely use DNS to access the
>> internet.
>
>For these circumstances, it is not a "person" creating a
>DNS query on port 53, it is software and software does not
>care if one method is easier than another, it simply does
>what it is programmed to do.
>
>My thoughts are if I wrote malware software, I would simply
>use an URL entry similar to this,
>
>http... 192.168.1.1:8080/spy.cgi?spydata
>
>Simple method.
>
>However, malware writers, who are known to not be bright,
>might use a www.somesite.net type entry, requiring a DNS
>query, which adds additional complexity and an additional
>chance of being detected. Greater detection is afforded
>because a minimum of two port usages are needed instead
>of a single port usage. Port 53 is a common port which
>is blocked by firewalls. Other ports, not so common.
>
>There is a slight possibility the originating author has
>spyware on his system which generates this DNS query he
>is noting via his firewall. Personally, I would check.
>
>Purl Gurl

Gerald and Purl:

Yes, there are actually two DNS server addresses listed in ipconfig
/all
65.32.1.70 and 65.32.1.80
I did an unfortunate typo in my reply to you, and left off the .80
which is the one that shows up in my firewall log.

I'm not having an easy time finding which program is actually trying
to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
by default since it blocks everything which does not have a specific
rule to permit it. So there is no specific rule which is preventing
the packet from being sent, it is the general block of everything
which is not permitted. Here is the exact message I get:

blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=65.32.1.80, sport=1039, dport=53

The source port actually varies from 1029-1137

A "whois" query for the address 65.32.1.80 yields the following:

OrgName: Road Runner
OrgID: RRSW
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 65.32.0.0 - 65.34.31.255
CIDR: 65.32.0.0/15, 65.34.0.0/19
NetName: ROADRUNNER-SOUTHEAST
NetHandle: NET-65-32-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-08-22
Updated: 2002-08-30

(Road Runner is my ISP)

>No. You have no idea who or what is making the request. Now opening the
>connection without knowing why is just making things worse.

I agree now that I consider your cogent analysis. Thanks for keeping
me out of potential trouble.

Any other suggestions will be greatly appreciated. I'm willing to
learn and work on this.

Jack
Anonymous
May 23, 2004 1:03:29 AM


JClark wrote:

> Purl Gurl wrote:
> >Gerald Vogt wrote:
> >> Purl Gurl wrote:

(snipped)

> >There is a slight possibility the originating author has
> >spyware on his system which generates this DNS query he
> >is noting via his firewall. Personally, I would check.

> there are actually two DNS server addresses listed in ipconfig
> 65.32.1.70 and 65.32.1.80

Confirmed, both are DNS servers in the Tampa Bay, Florida region.


> I'm not having an easy time finding which program is actually trying
> to send that UDP packet.

Quickest and most easy solution would be to download
a free version of Zone Alarm, install it and wait for
Zone Alarm to pop alerts. Each alert will inform what
program is trying to access the internet. Zone Alarm
is easy to uninstall later.

Here is a small checklist which might help you. Some
of these items only appear in Win9.x others for the
NT5 types like Win2K and XP. Some appear for all
recent Win systems; both Win9.x and NT5 types.

Keep in mind NT5 types automatically run a handful
of programs upon machine boot, without your knowledge.
These are daemon or "services" which boot load.

Press "Control Alternate Delete" all together.
This pops a task manager window which lists
most but not all active processes.

Open your NT5 task manager facility.

Run msconfig.exe in your windows\system
folder. Look in the startup section.
That will list programs which start
upon boot which you may enable or
disable easily. Be careful. You may
also look at your autoexec.bat file,
config.sys file and others, which
are mentioned below. Additionally,
your win.ini and system.ini files
are included in this program. Lot
easier to look at those through
notepad, wordpad or any text editor.
Be very careful about changes.

Run regedit.exe in your Windows folder.
Use "search" and look for "run" then
"run1" then "run2" entries. Those will
provide data on which programs are
being automatically loaded upon reading
of your registry. Be extremely careful
if you edit. A single mistake can leave
your machine unable to boot to Windows.
Lots of tutorials on how to backup then
edit your registry are available.

Do NOT mess with your registry until
you have learned and fully understand how
to edit it safely.

Open your win.ini file found in your
Windows folder. Notepad or wordpad
can be used. Look for "load device"
entries. Mostly related to hardware
support but not strictly.

Open your system.ini as above. Mostly
drivers, dll files and VXD files but
you might find some device loaders.

If you are processing an autoexec.bat
file on boot, take a look in there to
determine if there is anything being
loaded at a DOS level which could be
a source. Unlikely, but possible.
Many antiquated viruses show there.

Same for your config.sys file on boot.
Lots of devices can be loaded there.

Both autoexec.bat and config.sys are
found in your root C:\ directory.

Consider there are many programs which
automatically check for updates. Others
establish a net connection automatically
such as Netzip and some "Napster" like
software for music sharing.

Adobe Acrobat is well known for establishing
a net connection if using the free version.
Really annoying. A serious problem is when
you access a pdf acrobat file via your browser,
then close it, acrobat will remain running in
the background without you knowing this.
Adobe Acrobat does have a "phone home" feature
which does connect to your Windows default
DNS servers. Zone Alarm will alert you.

Lot easier to simply install Zone Alarm
which will immediately inform you which
programs are trying to access the net.
Do not use the Zone Alarm automatic
configuration feature. Select the
manual configuration so no programs
will be allowed until you ok them.

I am placing a bet you have software which
phones home periodically. This is not always
malware. Might be software which periodically
checks for software updates as a courtesy.


Purl Gurl
Anonymous
May 23, 2004 1:25:08 AM


JClark wrote:
> Yes, there are actually two DNS server addresses listed in ipconfig
> /all
> 65.32.1.70 and 65.32.1.80
> I did an unfortunate typo in my reply to you, and left off the .80
> which is the one that shows up in my firewall log.

Well, that is much better then...

> I'm not having an easy time finding which program is actually trying
> to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
> by default since it blocks everything which does not have a specific
> rule to permit it. So there is no specific rule which is preventing
> the packet from being sent, it is the general block of everything
> which is not permitted. Here is the exact message I get:
>
> blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
> dst=65.32.1.80, sport=1039, dport=53
>
> The source port actually varies from 1029-1137

That is normal. The source port can be anything. It does not matter. If
your firewall does not log any information about the program trying to do
it, then you must contact your support and ask them how to find it out.
The DNS works for all your other applications that means your firewall
does have per-application rules. A firewall blocking outgoing traffic
for an application with a general rule without telling you which
application it actually is, well, is IMHO a bad firewall. It would mean
you must know exactly which of your applications need connections and
with which ports.

> A "whois" query for the address 65.32.1.80 yields the following:

That is not interesting as it is the correct DNS server.

>>No. You have no idea who or what is making the request. Now opening the
>>connection without knowing why is just making things worse.
>
> I agree now that I consider your cogent analysis. Thanks for keeping
> me out of potential trouble.
>
> Any other suggestions will be greatly appreciated. I'm willing to
> learn and work on this.

The only thing I could think of at the moment (as you said you've added
some rules and later removed them again because it wasn't working) is to
reset your firewall rules to the initial setting. However, if your
firewall blocks with telling you which application it is (which I just
hope is not always the case), it won't help, because you still don't
know. Check your firewall's documentation or the support pages. They
should have some information about how to reset the rules so that you
can start over again and do it right this time...

Gerald
Anonymous
May 23, 2004 1:45:37 AM


On Sat, 22 May 2004 21:25:08 GMT, Gerald Vogt <vogt@spamcop.net>
wrote:

>JClark wrote:
>> Yes, there are actually two DNS server addresses listed in ipconfig
>> /all
>> 65.32.1.70 and 65.32.1.80
>> I did an unfortunate typo in my reply to you, and left off the .80
>> which is the one that shows up in my firewall log.
>
>Well, that is much better then...
>
>> I'm not having an easy time finding which program is actually trying
>> to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
>> by default since it blocks everything which does not have a specific
>> rule to permit it. So there is no specific rule which is preventing
>> the packet from being sent, it is the general block of everything
>> which is not permitted. Here is the exact message I get:
>>
>> blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
>> dst=65.32.1.80, sport=1039, dport=53
>>
>> The source port actually varies from 1029-1137
>
>That is normal. The source port can be anything. It does not matter. If
>your firewall does not log any information about the program trying to do
>it, then you must contact your support and ask them how to find it out.
>The DNS works for all your other applications that means your firewall
>does have per-application rules. A firewall blocking outgoing traffic
>for an application with a general rule without telling you which
>application it actually is, well, is IMHO a bad firewall. It would mean
>you must know exactly which of your applications need connections and
>with which ports.
>
>> A "whois" query for the address 65.32.1.80 yields the following:
>
>That is not interesting as it is the correct DNS server.
>
>>>No. You have no idea who or what is making the request. Now opening the
>>>connection without knowing why is just making things worse.
>>
>> I agree now that I consider your cogent analysis. Thanks for keeping
>> me out of potential trouble.
>>
>> Any other suggestions will be greatly appreciated. I'm willing to
>> learn and work on this.
>
>The only thing I could think of at the moment (as you said you've added
>some rules and later removed them again because it wasn't working) is to
>reset your firewall rules to the initial setting. However, if your
>firewall blocks with telling you which application it is (which I just
>hope is not always the case), it won't help, because you still don't
>know. Check your firewall's documentation or the support pages. They
>should have some information about how to reset the rules so that you
>can start over again and do it right this time...
>
>Gerald

Gerald:

You have been very helpful. Perhaps if I am going to go to a lot of
trouble, it might be energy and time conserving to just uninstall the
current firewall and purchase another. I have put Sygate Pro on
computers for my wife and kids, since it seemed rather simple. But I
liked (what I thought was) the ability to fine tune my own (Deerfield
Visnetic). Now that I'm having a "crise de confiance" in my firewall,
can you recommend a strong one?

Many thanks again.

Jack
Anonymous
May 23, 2004 2:04:58 AM


> You have been very helpful. Perhaps if I am going to go to a lot of
> trouble, it might be energy and time conserving to just uninstall the
> current firewall and purchase another. I have put Sygate Pro on
> computers for my wife and kids, since it seemed rather simple. But I
> liked (what I thought was) the ability to fine tune my own (Deerfield
> Visnetic). Now that I'm having a "crise de confiance" in my firewall,
> can you recommend a strong one?

Don't use a firewall at all but configure your computer properly. Let me
explain:

Why do you need a firewall at all? Generally, the reason is: a standard
Windows system comes with a lot of services running. Some of these
services listen to ports on the internet. Usually, however, you do not
need these services at all and there is no reason for them to run in the
first place. So a firewall blocks the traffic to open ports of the
services you don't want. It basically covers things that should not be
there at all. Simple solution: turn off all these services and no one is
listening to ports and you don't need a firewall because there is no
service that someone could attack. This requires some effort of you to
understand how this works and how to configure it. There are books and
many websites, though, that explain these things in great detail. But I
always believe that this effort is worth it: you will understand a great
deal more about your computer and how it works instead of relying on
some other software that still needs your assistance. (Despite of that,
a software firewall is also vulnerable to attacks as the latest Symantec
Personal Firewall exploits have shown...) Something that is not running
cannot make problems and simpler is always better in the long run.

This is my recommendation. I cannot really recommend a personal
firewall. The only one I know and have is NIS and the main reason I have
it on my computer, is to know how it works because I installed it on my
wife's computer and it is easier to manage a software that you have
yourself than on a computer that you can put your hand on only once in a
while. And I use NIS because I started with Norton AntiVirus 6-7 years
ago and upgrades were cheaper. I can tell you, though, that I will not
upgrade to NIS 2005 in fall. I will only go for AntiVirus and use the
Windows XP firewall, instead, which should make things at least a little
bit faster than NIS with all that other stuff running around...

Gerald
Anonymous
May 23, 2004 2:18:15 AM


On Sat, 22 May 2004 22:04:58 GMT, Gerald Vogt <vogt@spamcop.net>
wrote:

>> You have been very helpful. Perhaps if I am going to go to a lot of
>> trouble, it might be energy and time conserving to just uninstall the
>> current firewall and purchase another. I have put Sygate Pro on
>> computers for my wife and kids, since it seemed rather simple. But I
>> liked (what I thought was) the ability to fine tune my own (Deerfield
>> Visnetic). Now that I'm having a "crise de confiance" in my firewall,
>> can you recommend a strong one?
>
>Don't use a firewall at all but configure your computer properly. Let me
>explain:
>
>Why do you need a firewall at all? Generally, the reason is: a standard
>Windows system comes with a lot of services running. Some of these
>services listen to ports on the internet. Usually, however, you do not
>need these services at all and there is no reason for them to run in the
>first place. So a firewall blocks the traffic to open ports of the
>services you don't want. It basically covers things that should not be
>there at all. Simple solution: turn off all these services and no one is
>listening to ports and you don't need a firewall because there is no
>service that someone could attack. This requires some effort of you to
>understand how this works and how to configure it. There are books and
>many websites, though, that explain these things in great detail. But I
>always believe that this effort is worth it: you will understand a great
>deal more about your computer and how it works instead of relying on
>some other software that still needs your assistance. (Despite of that,
>a software firewall is also vulnerable to attacks as the latest Symantec
> Personal Firewall exploits have shown...) Something that is not running
>cannot make problems and simpler is always better in the long run.
>
>This is my recommendation. I cannot really recommend a personal
>firewall. The only one I know and have is NIS and the main reason I have
>it on my computer, is to know how it works because I installed it on my
>wife's computer and it is easier to manage a software that you have
>yourself than on a computer that you can put your hand on only once in a
>while. And I use NIS because I started with Norton AntiVirus 6-7 years
>ago and upgrades were cheaper. I can tell you, though, that I will not
>upgrade to NIS 2005 in fall. I will only go for AntiVirus and use the
>Windows XP firewall, instead, which should make things at least a little
>bit faster than NIS with all that other stuff running around...
>
>Gerald

Hello Gerald:

>a standard
>Windows system comes with a lot of services running.

I have tried to lean out my system as much as possible by disabling or
making manual many of the services. But I have read your advice
carefully and will try to follow it. Your principles are those I share
and value. I've just been a bit slow to get an understanding of this
internet protocol stuff.

Many thanks...

Jack
Anonymous
May 24, 2004 1:48:45 AM


On Sat, 22 May 2004 19:15:08 -0700, Purl Gurl <purlgurl@purlgurl.net>
wrote:
Purl:
>Quickest and most easy solution would be to download
>a free version of Zone Alarm,

I'll copy your post and use it as my checklist. The free version of
Zone alarm sounds like an excellent idea.
Just checking what is happening in a crude manner, I think my
"problem" is likely just an innocent DNS thing, as you originally
suggested. Every time I use the browser to go to any site, I get the
firewall message about port 53, which it resolves anyway. I did have a
rule written originally to permit the UDP packet for the DNS server
ending in .70, but not for .80. So probably all I have to do is edit
that rule. But I'll check it first.

I'm comfortable editing the registry, but I've found nothing in the
run or run once sections that looks suspicious. Also Win2k doesn't
have msconfig, but Mike Linn's "startup control" (freeware) does a
great job of doing the same thing and I use it regularly.

I will go through your list.
Thanks again to you and Gerald.

Jack
Anonymous
May 24, 2004 1:48:46 AM


JClark wrote:

> Purl Gurl wrote:

(snipped)

> Every time I use the browser to go to any site, I get the
> firewall message about port 53, which it resolves anyway. I did have a
> rule written originally to permit the UDP packet for the DNS server
> ending in .70, but not for .80.

There ya go. You have two DNS servers. One is allowed.
One is blocked. Your primary DNS server appears to be
the one which is blocked. It fails and your system
falls back to your secondary, which is not blocked.


Purl Gurl
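
The diagnosis the thread arrives at (a default-deny firewall whose DNS allow rule covers one configured resolver but not the other) can be checked mechanically from the log. The following is an added example, not part of the original thread and not vendor code: it parses entries in the format Jack quoted and classifies each blocked port-53 destination against the resolvers from "ipconfig /all" and the resolvers the firewall rule permits. The function names, verdict labels, TCP matching and every sample entry after the first are assumptions or constructed for illustration.

```python
"""Triage blocked DNS packets from a default-deny firewall log (added example)."""
import re
from collections import Counter
from ipaddress import ip_address

# Log format as quoted in the thread. Entries wrap across lines, so the pattern
# tolerates whitespace and newlines between fields. Matching TCP as well as UDP
# is an assumption; the thread only shows UDP entries.
BLOCK_RE = re.compile(
    r"blocked\s+outgoing\s+(?P<proto>UDP|TCP)\s+packet\s+\((?P<reason>[^)]*)\),"
    r"\s*src=\s*(?P<src>[\d.]+),\s*dst=\s*(?P<dst>[\d.]+),"
    r"\s*sport=\s*(?P<sport>\d+),\s*dport=\s*(?P<dport>\d+)"
)

# Constructed sample. The first entry is the one quoted in the thread; the rest
# are made up (203.0.113.0/24 is a documentation-only address range).
SAMPLE_LOG = """\
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=65.32.1.80, sport=1039, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=65.32.1.80, sport=1029, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=65.32.1.80, sport=1137, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=203.0.113.53, sport=1040, dport=53
blocked outgoing TCP packet (no matching rule), src= 192.168.100.1,
dst=203.0.113.10, sport=1041, dport=80
"""


def parse_blocks(log_text):
    """Return one dict per blocked-packet entry found in log_text."""
    entries = []
    for m in BLOCK_RE.finditer(log_text):
        entries.append({
            "proto": m["proto"],
            "reason": m["reason"],
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
        })
    return entries


def classify_dns_blocks(entries, configured_resolvers, allowed_resolvers):
    """Map each blocked port-53 destination to (verdict, blocked_count).

    rule-gap              configured resolver with no allow rule: extend the
                          existing DNS rule to cover it (the thread's outcome).
    rule-not-matching     resolver is configured and allowed yet still blocked:
                          the rule's protocol, port or direction is off.
    unconfigured-resolver DNS to a server the host was never told to use:
                          identify the sending program before allowing it.
    """
    configured = {ip_address(a) for a in configured_resolvers}
    allowed = {ip_address(a) for a in allowed_resolvers}
    # The ephemeral source port varies per query, so group by destination only.
    counts = Counter(e["dst"] for e in entries if e["dport"] == 53)
    findings = {}
    for dst, count in counts.items():
        if dst not in configured:
            verdict = "unconfigured-resolver"
        elif dst not in allowed:
            verdict = "rule-gap"
        else:
            verdict = "rule-not-matching"
        findings[str(dst)] = (verdict, count)
    return findings


if __name__ == "__main__":
    findings = classify_dns_blocks(
        parse_blocks(SAMPLE_LOG),
        configured_resolvers=["65.32.1.70", "65.32.1.80"],  # from ipconfig /all
        allowed_resolvers=["65.32.1.70"],                   # existing allow rule
    )
    for dst, (verdict, count) in sorted(findings.items()):
        print(f"{dst:15} {verdict:22} blocked {count}x")
```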