Advice pls on what is happening on my system

BACKGROUND

I am on a cable connection in the UK with no other PCs or printers attached. I use FILSECLAB's personal firewall.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro system. As I am in the UK I also installed the "ORSC Slave-Root" package. I have to say I am not particularly familiar with the technical details of DNS lookups.

OBSERVATIONS

Today I booted up. Before I manually launched anything I saw the following entries shown below in my firewall monitor.

These entries have worried me because for the last week my PC has been hesitating for several seconds before connecting to servers such as formatting link or an NNTP news server) for the first time. Subsequent connections seem as fast as usual.

Spybot (latest version with latest updates) reports nothing.

QUESTIONS FOR ANYONE

1: Which entries below are expected and which are unusual?

2: Have I got some subtle malware on my system?

3: How can I track back from these entries to find what programs invoked NAMED.EXE to make these network connections?

4: Should I remove Treewalk or does it make no difference?

For the time being I have put these into my hosts file in order to restrain them from connecting.

Thank you for any help.

-------- LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

NOTES:

(1) There were often several entries for each IP address but I have listed only one.
(2) My IP address with port 1025 was always shown for each of these entries.
(3) The program associated with each entry was always Treewalk's NAMED.EXE.
(4) In most cases, 70 bytes were sent and none received, but for 192.5.6.30 (for which the IP lookup keeps failing) there was as much as 10 KB of traffic in each direction!
(5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.

=====

38.113.2.100 :53 Jerky Network Services, Mass

199.166.26.100 :53 VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

199.166.29.100 :53 VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

199.166.31.100 :53 VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

194.54.112.30 :53 FLUENTANO, Hostmaster Bergen Nett og Media, Norway

193.0.14.129 :53 Subnet for k.root-servers.net

192.5.6.30 :53 a.gtld-servers.net [sent 10595 bytes & received 11369 bytes]

192.26.92.30 :53 VeriSign Global Registry

192.26.92.32 :53 VeriSign Global Registry

192.33.14.30 :53 Verisign

198.41.0.4 :53 Verisign

202.12.29.59 :53 Asia Pacific Network Information Center, Australia

216.239.34.10 :53 Google [I have Google Desktop Search]

------- END LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

Reply to
Alix

Yes.

Port 53 entries are DNS requests. Why are you using such tools if you don't understand what they're monitoring?

The Windows Firewall will be enough to be secure against network worms.

If you want to learn more about networking and the TCP/IP protocol family, Craig Hunt's "TCP/IP" (O'Reilly) and this one could help:

formatting link
Yours, VB.

Reply to
Volker Birk

Possibly to gain an understanding of what they are monitoring. It's true that driving a car is a bad idea if you don't know how to drive. But if you never drive one at all then you'll never learn how.

Jason

Reply to
Jason Edwards

What do these log entries mean? That your firewall dropped packets from these addresses/ports? For the sake of this post, I'll assume they do. If this is the case, then you need to configure your firewall to allow your machine to pass outbound traffic to UDP port 53 on any external IP address and to admit the replies from the same IP:port combinations.

DNS uses UDP port 53 (and sometimes TCP port 53) in its normal operation. Blocking this port will cause problems.

Reply to
Jerry Gardner

BUT why is the DNS server being asked to resolve IP addresses which have names that I have never heard of and whose services/products I have never taken nor want to?

Reply to
Alix

Remember that. By the way, why did you do this?

Then the 'Grasshopper' book ('DNS & BIND', Paul Albitz and Cricket Liu, O'Reilly and Assoc., 4th edition, ISBN 0-596-00158-4, 622 pgs, US$45) is probably far too complex, though it has more than enough details. Section 5.1 of the Linux 'DNS-HOWTO' (find it at hundreds of sites on the web) should give the background you are missing.

Think it might have something to do with installing "TreeWalk DNS"? You would be right.

They look normal for a DNS server. Why are you running one?

PEBCAK (Problem Exists Between Chair And Keyboard)

Or at least disable it, and use your ISP's name servers like everyone else.

Those are mainly top level domain servers - which you should not be bothering. A normal name server caches this information resulting in a tiny fraction of the loads. Your box is asking the same questions all the time, rather than getting the information from cache. That explains your delays.

Old guy

Reply to
Moe Trin

Speak for yourself. There are plenty of reasons to set up and use your own DNS server rather than use your ISP's. Performance and reliability are one. My DSL provider, SBC, is notorious for its flakey, slow DNS servers, so I run my own. I get much better performance and nearly 100% reliability.

Setting up and managing a caching DNS server is not rocket science. Anyone with reasonable computer experience can do it.

Reply to
Jerry Gardner

This happens all the time when you browse the web. Sites typically link to ad servers (doubleclick.com is a common one) and graphics servers and any number of other things. Opening a single site may cause dozens of name lookups as each separate element on the page may be a link to a different site.

Reply to
Jerry Gardner

Jerky Network Services and VRx Network Services sound like ISPs or hosting services. They're probably hosting the DNS of sites that you were accessing. There's no reason you would recognize these hosting services, any more than you would expect to know the name of the trucking company that delivers meat to your grocery.

Reply to
Barry Margolin

Single system running windoze (almost certainly part time)

versus

Use 'ps auxw' and look at the amount of cache memory your name server is using. Your system is remembering stuff up to the TTL, while his 'Treewalk' does not. This dramatically improves response, and lessens the load on the top level domain servers. The cache on our servers at work (about 1700 systems) runs about 160 Megabytes, and no, most of our in-house name resolution is using NIS host maps.

Yeah - that's PacBell, and crap DNS is only a tip of the iceberg.

Do you get a reduced rate or charge them back for the lousy service?

Yes - I've been doing so since bind-4.9.3, but not everyone is running ISC Bind (or even DJBdns, MaraDNS, pdnsd, or Posadis). Even cable modems often run a caching name server, but not a standalone windoze box.

Old guy

Reply to
Moe Trin
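An added example, not part of the thread and not TreeWalk's code: a small Python simulation of the point Moe Trin makes in his two replies above, that a name server which remembers referrals and answers up to their TTL hits the root and TLD servers a handful of times, while one that does not starts at the root for every lookup. The referral chain, the TTLs, the authoritative server names (ns1.example.com, ns1.example.net), the 192.0.2.x / 198.51.100.x addresses and the one-minute "browsing session" are all constructed for illustration; a.root-servers.net and a.gtld-servers.net are real server names but nothing here contacts the network.

```python
"""Count upstream queries made by a caching vs a non-caching resolver.

Added example, not code from the thread or from TreeWalk. The referral
data, TTLs, authoritative server names (ns1.example.com, ns1.example.net),
the 192.0.2.x / 198.51.100.x addresses and the browsing session are all
constructed for illustration. Nothing here touches the network.
"""
from collections import Counter

ROOT = "a.root-servers.net"   # root hints are built into every resolver

# Constructed referral chain: zone -> (name server authoritative for it,
# TTL in seconds a caching resolver may keep that NS referral).
REFERRALS = {
    "com.":         ("a.gtld-servers.net", 172800),
    "net.":         ("a.gtld-servers.net", 172800),
    "example.com.": ("ns1.example.com", 3600),
    "example.net.": ("ns1.example.net", 3600),
}

# Constructed A records: name -> (address, TTL in seconds).
ADDRESSES = {
    "www.example.com.":  ("192.0.2.10", 300),
    "mail.example.com.": ("192.0.2.25", 300),
    "news.example.net.": ("198.51.100.7", 300),
}


class Resolver:
    """Iterative resolver that walks root -> TLD -> zone for every name.

    With caching=True it keeps NS referrals and A records until their TTL
    expires; with caching=False every lookup starts again at the root,
    which is the behaviour the thread complains about.
    """

    def __init__(self, caching):
        self.caching = caching
        self.cache = {}           # (rrtype, name) -> (value, expires_at)
        self.queries = Counter()  # server -> number of queries sent to it

    def _get(self, key, now):
        if not self.caching:
            return None
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def _put(self, key, value, ttl, now):
        if self.caching:
            self.cache[key] = (value, now + ttl)

    def resolve(self, name, now):
        """Return the A record for `name`, counting each query by server."""
        labels = name.rstrip(".").split(".")
        # Zones below the root we need a referral for, top down,
        # e.g. ["com.", "example.com."] for www.example.com.
        candidates = (".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1))
        zones = [z for z in candidates if z in REFERRALS]
        server = ROOT
        for zone in zones:
            ns = self._get(("NS", zone), now)
            if ns is None:
                self.queries[server] += 1      # ask the parent zone's server
                ns, ttl = REFERRALS[zone]      # ... which refers us downward
                self._put(("NS", zone), ns, ttl, now)
            server = ns
        addr = self._get(("A", name), now)
        if addr is None:
            self.queries[server] += 1          # ask the authoritative server
            addr, ttl = ADDRESSES[name]
            self._put(("A", name), addr, ttl, now)
        return addr


# Constructed one-minute browsing session: two sites polled every 5 s, plus
# one extra host in an already-visited zone.
SESSION = sorted(
    [(t, "www.example.com.") for t in range(0, 60, 5)]
    + [(t, "news.example.net.") for t in range(2, 60, 5)]
    + [(30, "mail.example.com.")]
)


def simulate(caching, session=SESSION):
    """Run the session and return {server: queries sent} as a plain dict."""
    r = Resolver(caching)
    for now, name in session:
        r.resolve(name, now)
    return dict(r.queries)


def root_and_tld_queries(counts):
    """How many of the queries went to the root or the gTLD server."""
    return counts.get(ROOT, 0) + counts.get("a.gtld-servers.net", 0)


if __name__ == "__main__":
    for caching in (False, True):
        counts = simulate(caching)
        print("caching" if caching else "no cache", counts,
              "root/TLD queries:", root_and_tld_queries(counts))
```

Run it and the contrast is what the firewall log shows: 25 lookups without a cache send 50 queries to the root and gTLD servers and 25 more to the authoritative servers, while the caching resolver sends 4 to root/gTLD and 3 to the authoritative servers, because the "com.", "net." and zone referrals are reused until their TTLs expire. The same cached referrals are also why a repeat connection feels fast while the first one to a new site waits on the full root-to-authoritative walk.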

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.