DNS queries in Windows XP Professional (SP2)

My firewall is logging frequent attempts by programs on my computer (such as
Lotus Notes, Firefox or the Spooler SubSystem App
(c:\windows\system32\spoolsv.exe) to communicate with (seemingly random)
servers on the internet on port 53. They are not attempting to access the
DNS servers configured in my network settings.

Does this mean that I have some sort of infection?

I have scanned my hard disk with several anti-virus and anti-malware
programs and have so far discovered nothing ominous.

Is there a way of discovering whether they are doing genuine DNS queries or
not? I had a quick look at Ethereal for example. Unfortunately with my
level of knowledge the output was all Greek to me. (Make that ancient Greek
mixed with higher, pure mathematics.)

Are programs running on XP supposed to use some sort of Windows process to
do DNS lookups? Are they supposed to only query those DNS servers in the
network configuration (see ipconfig /all) or is it normal for every
(reputable) program to do their own lookups to their favourite DNS servers?
 
twixt wrote on Tue, 21 Mar 2006 19:46:26 -0800:

It's possible that your ISP has messed up some configuration on their DNS
and turned off recursion - if that's the case then their servers will return
the root server addresses for unknown domains and cause your DNS resolver to
find them itself. You can test this using nslookup from a command prompt. If
you can post the IP addresses of the DNS servers your PC is using I can take
a look for you if you like.

Dan
 
I have noticed that on my laptop and would not worry about it if legitimate
applications are doing the requests. I have not really looked into it but my
guess is that the application is somehow [I don't know exactly how offhand]
specifying the DNS server to use instead of the default one specified in
tcp/ip properties. Ethereal would show if they are DNS queries or not since
DNS queries are very simple. The DNS client asks the DNS server for the IP
address of a host computer and the DNS server usually either provides the IP
address or says it can not be found. There could be a risk if a malicious
application could tell your computer to use a bogus DNS server that has
bogus records that return the incorrect IP address to your computer. This
and other reasons are why it is very important to make sure you have an
https SSL secure website connection before you enter any sensitive
information into a web request. You will always see that bogus phishing
attempts to redirect you to a bogus website are not using https SSL when
asking for sensitive information.

You can try to use ping -a to find more information about the destination
server and DNS servers usually start with ns or such in their name. When you
do your scans for malware and spyware be sure you are using the latest
definitions for each program and that you also occasionally scan in Safe
Mode. --- Steve

http://www.arin.net/whois/ --- also use this link to find information on
public IP which may or may not be of help.
 
Dan and Steven, thanks for your posts.


Dan:

The DNS servers assigned by my ISP are 202.92.94.131 and 203.82.162.7. When
I try nslookup for valid hosts I do receive an answer but it is stamped
"Non-authoritative answer:". Whereas if I try a non-existent one it returns
"can't find www.zxcv.com.au: Non-existent domain".


Steven:

Thanks for your reassurance.

I appreciate the tips about HTTPS and doing malware and spyware scans in
safe mode. I haven't ever scanned in safe mode (but I am religious about
keeping my definition files up to date). Is it possible for scans in normal
mode to miss things? I understand that it is sometimes necessary to go to
safe mode to get rid of certain infections once you've discovered them. But
would the same scans in normal mode miss things?

As to Ethereal, I have decided to learn Greek. I think I've got the
capturing part down. I am using this capture filter: "dst port 53 and not
host 202.92.94.131 and not 203.82.162.7". So far Ethereal shows the captured
traffic as "Standard query A www.microsoft.com". Should I be satisfied with
the fact that Ethereal says it is a "Standard query"?

Thanks for your time.

 
I don't believe it is so much a problem with viruses/spyware not being
detected in regular mode but more that they may not be removed. Users often
assume that a virus/spyware scan takes care of everything without reading
the logs or report generated by the scan and an occasional scan in Safe Mode
is a good idea IMHO.

When you sniff packets for a DNS query they generally are a very simple two
line exchange. The computer requests the IP for the host and the DNS server
returns it. Below is such an example and it sounds like that is what you
are seeing. --- Steve

Time      Source         Destination    Protocol  Info
0.825253  192.168.1.65   192.168.1.105  DNS       Standard query A server1-2000.umbach1.com
0.826257  192.168.1.105  192.168.1.65   DNS       Standard query response A 192.168.1.105
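As an added illustration (not code from the thread or from Ethereal), here is a Python script that builds a query/response pair in the RFC 1035 wire format, decodes the header bits behind Ethereal's "Standard query" / "Standard query response" summary, and marks the two things this thread worries about: a query sent to a server outside the ipconfig /all resolver list, and an answer with the recursion-available flag cleared, which is the recursion-off scenario Dan describes. The two ISP resolvers and the 192.168.1.65 client come from the thread; 198.51.100.53 and 192.0.2.10 are constructed test-net addresses.

```python
import socket
import struct

# Resolvers twixt's ipconfig /all reported; anything else is flagged below.
CONFIGURED_RESOLVERS = {"202.92.94.131", "203.82.162.7"}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080   # header flag bits
RCODE_NXDOMAIN = 3                                   # "Non-existent domain"

def encode_name(name):
    """'www.microsoft.com' -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid):
    """Recursive A query: what Ethereal lists as 'Standard query A <name>'."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, class IN

def build_response(query, answer_ip=None, ra=True, rcode=0):
    """Answer a query: echo ID and question, add one A record unless rcode != 0."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:  # 0xC00C = compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer

def skip_name(payload, off):
    """Offset just past a name, whether spelled out in labels or a 2-byte pointer."""
    while payload[off] and (payload[off] & 0xC0) != 0xC0:
        off += 1 + payload[off]
    return off + (2 if payload[off] else 1)

def decode(payload):
    """Parse header flags, the question name and the first A answer, if any."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    labels, off = [], 12
    while payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 5  # terminating zero byte + QTYPE + QCLASS
    answer = None
    if ancount:
        off = skip_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == 1 and rdlen == 4:
            answer = socket.inet_ntoa(payload[off + 10:off + 14])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF,
            "qname": ".".join(labels), "answer": answer}

def review(datagrams):
    """datagrams: (src_ip, dst_ip, udp_payload) triples; returns one summary line each."""
    lines = []
    for src, dst, payload in datagrams:
        m = decode(payload)
        if not m["qr"]:
            line = "Standard query A %s -> %s" % (m["qname"], dst)
            if dst not in CONFIGURED_RESOLVERS:
                line += "  [resolver not in ipconfig /all list]"
        elif m["rcode"] == RCODE_NXDOMAIN:
            line = "Standard query response, No such name %s" % m["qname"]
        else:
            line = "Standard query response A %s" % m["answer"]
        if m["qr"] and m["rd"] and not m["ra"]:
            line += "  [recursion requested but %s answered RA=0]" % src
        lines.append(line)
    return lines

def sample_capture():
    """Constructed traffic: a normal lookup, an NXDOMAIN, a query to an outside
    server and a non-recursive answer. Non-ISP addresses are test-net values."""
    client, isp, other = "192.168.1.65", "202.92.94.131", "198.51.100.53"
    q1 = build_query("www.microsoft.com", 0x1001)
    q2 = build_query("www.zxcv.com.au", 0x1002)
    q3 = build_query("www.microsoft.com", 0x1003)
    return [(client, isp, q1), (isp, client, build_response(q1, "192.0.2.10")),
            (client, isp, q2), (isp, client, build_response(q2, rcode=RCODE_NXDOMAIN)),
            (client, other, q3), (other, client, build_response(q3, "192.0.2.10", ra=False))]
```

Running `review(sample_capture())` gives one line per datagram; a real capture would supply the UDP payloads from the sniffer instead of the constructed ones.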

 
I think it's a bug in the firewall (ZoneAlarm). It is logging traffic to
other servers as traffic on port 53.

Whether this is purely a problem in logging or whether it is a fundamental
problem with the engine underneath, I have no idea. Anyway I'll take it up
with them.

In the meantime, anyone know of a good software firewall?

 
My guess is it is nothing to worry about though you may want to search
Google for "Zone Alarm forum" for more specific information. I think ZA is
probably the best personal firewall for the vast majority of computer users
as it is fairly simple to set up and use which is important. If you want to
try something else I always liked Sygate as a more advanced personal
firewall. I don't know if it is free anymore however though it should still
be free to try. Sygate has extensive logging capabilities. See the link
below if you want to try it out. --- Steve

http://www.tucows.com/preview/213160
