Unknown svchost.exe DNS port 53 network activity

This is regarding a Windows XP Professional PC. I noticed heavy activity on my router as well as my PC LAN connection icon in the tray. After some digging, it appears to be a svchost process that is listening on port 53 with a remote address of my ISP's DNS server. My router is not set to forward DNS traffic to a specific system, and I don't run any DNS servers.

I am worried about this process since there's a lot of data being transmitted/received and it's starting to introduce delays with my web connections, and seems to be affecting available bandwidth as well.

The following have not identified any viruses or other malware:

AntiVir antivirus, Avast antivirus, Spybot S&D, Ad Aware, AVG antispyware

I got the following information for the related process from Port Explorer

Command line: c:\windows\system32\svchost.exe -k Network Service

Killing this process returns everything to "normal" with port 53 traffic stopped and all other applications working fine.

Any help explaining this activity and how to disable it would be greatly appreciated. Is this something normal with Windows I may have missed?

Thanks, Raffi


No traffic can come to the machine, unless you have opened the inbound port by using port forwarding on the router, which allows unsolicited inbound traffic to reach a machine. The machine may or may not be listening on the forwarded port. On the other hand, if a computer has made a solicitation for inbound traffic by sending outbound traffic to a remote IP, then solicited traffic is going to be let back through the router or a firewall, because the machine behind them made the solicitation.

Svchost.exe, which should be running out of the Windows/System32 directory (otherwise it's a Trojan), does nothing on its own. It does the bidding for the O/S and its programs and other programs as well; it does the hosting. Svchost allows the communication between machines in a LAN or WAN situation. However, you should be aware of what Svchost is connecting to, as malware can be hosted by Svchost.exe as well.

I suspect the machine was just communicating with the ISP DNS servers, as the machine with its O/S has made the solicitation for traffic.

Malware can circumvent and defeat every last bit of it.


How can that be? If you cut off the traffic on port 53, then how does any machine with an application running where a URL is involved look up the WAN IP that belongs to the URL, an application such as a browser accessing the Web site that WAN IP points to? That's what the ISP's Domain Name Server is for: to take a URL that has been given on its network and convert it to a WAN IP so that an application can use the IP to go to a site.

It could be, with a browser, that any Web page you're accessing has been cached on the machine, and that is why you're thinking nothing is wrong.

If you suspect something, then use the proper tools and look for yourself. A tool like Process Explorer will let you look inside any running process and see the exe, dll, etc., etc. or processes that are being hosted by a process such as Svchost.exe. I suspect there is nothing wrong with communications between a computer and the ISP's DNS server.


Duane Arnold


Maybe the DNScache service? It shouldn't be listening on port 53, though. What's the output of "netstat -anob"?

Usually you'd inspect the traffic with a sniffer (e.g. Wireshark [1]) to get an idea of what's actually transmitted.

[...]

Could indeed be DNScache, but check the netstat output to make sure.

[1]
formatting link
cu 59cobalt
Ansgar -59cobalt- Wiechers
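
Added example (not part of any post in this thread): a small parser for the `netstat -ano` output requested above that separates a process actually bound to local port 53 (acting as a DNS server) from one that merely has a connection to a resolver's port 53 (a DNS client). The sample output, addresses and PIDs are constructed, and the column layout is assumed to be the standard Windows `netstat -ano` one.

```python
import re
from collections import defaultdict

# Constructed sample output; addresses and PIDs are made up for illustration.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED     2212
  TCP    192.168.1.10:1050      192.0.2.53:53          ESTABLISHED     1108
  UDP    0.0.0.0:1025           *:*                                    1108
  UDP    0.0.0.0:53             *:*                                    3320
  UDP    127.0.0.1:123          *:*                                    1032
"""

# Proto, local addr, foreign addr, optional state (UDP rows have none), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def dns_sockets(netstat_text):
    """Return {pid: [(role, proto, local, remote), ...]} for port-53 sockets."""
    found = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, executable names printed by -b
        proto, local, remote, state, pid = m.groups()
        lport = local.rsplit(":", 1)[-1]
        rport = remote.rsplit(":", 1)[-1]
        if lport == "53" and (proto == "UDP" or state == "LISTENING"):
            role = "server"   # bound to local port 53: answering DNS queries
        elif rport == "53":
            role = "client"   # talking to a remote resolver's port 53
        else:
            continue
        found[int(pid)].append((role, proto, local, remote))
    return dict(found)

if __name__ == "__main__":
    # UDP lookups appear only as an ephemeral local port with "*:*", so their
    # destination is not visible here; a sniffer is needed to see it.
    for pid, socks in sorted(dns_sockets(SAMPLE).items()):
        for role, proto, local, remote in socks:
            print(f"PID {pid}: {role:6} {proto} {local} -> {remote}")
```

The PIDs it reports can then be opened in Process Explorer to see which services that svchost.exe instance is hosting.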
