
Thread: Strange DNS Behavior For Programs

  1. #1
    seamacke Guest

    Strange DNS Behavior For Programs

    I noticed some programs are blocked by ZoneAlarm from making DNS (Port 53) hits to IP addresses other programs have used on the computer. For example, if I went to a web site using Explorer, WinVNC.exe would try hitting the DNS port at that site. Other programs also exhibit this behavior whenever they use any kind of network access. For example, if I used Excel to open a worksheet on another computer on my LAN, Excel.exe would attempt to hit port 53 on that computer AND the website I used earlier with Explorer. WinVNC.exe server seems to be the most network active, so it makes the most hits to sites accessed by the computer (sometimes hundreds or thousands over time). They are all blocked but I'm wondering if it is a virus or something.

    Has anyone seen problems like this? I ran Virus/Spyware scans on each machine and came up with nothing. Also I looked all over the web but couldn't find anything about this problem. The problem is the same whether it is on the ZoneLabs suite or just ZoneAlarm, or on Win2k Pro or Win2k Server. Stopping WinVNC.exe seems to reduce the traffic (attempts) considerably. I tried a fresh download/install of that product but it makes no difference.

    I've got a few machines like this:

    - Win2k / Win2k Server
    - Office2000
    - Zone Suite or ZoneAlarm+Symantec
    - Standard LAN DSL router
    - TightVNC for LAN/VPN remote access

    Thanks,
    Sean

    Operating System: Windows 2000 Server/Adv Server
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.1

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Strange DNS Behavior For Programs

    Hi and welcome to the ZA Users Forum

    Have the DNS servers of your provider been entered into the Zones and listed as trusted? This may solve the issue.

    DNS spoofing is a possibility. The ewido from ewido.net either as the online scanner or the freeware may uncover a possible trojan if this is the case.

    Also, is the remote access software causing this by any chance? Does it occur if this software is completely off?

    Oldsod
    Best regards.
    oldsod

  3. #3
    seamacke Guest

    Re: Strange DNS Behavior For Programs

    Thanks! I put in the DNS range for my two trusted DNS servers in the trusted zone, and I have blocked all activity to the internet zone except for port 80 and 443. I entered specific email servers into the trusted zone too.

    I'll try ewido.net to see if there is anything. If not, then I'll turn off TightVNC server to see if that is the problem. While all programs seem to have this issue, WinVNC.exe generates the most attempts. I'll post again when I have tried these.

    Sean

  4. #4
    seamacke Guest

    Re: Strange DNS Behavior For Programs

    OK I tried ewido and it found a bunch of tracking cookies but nothing serious. I uninstalled TightVNC, restarted, and fired up some other applications like MsAccess, iTunes etc. and anything that uses a network connection also generates attempts at Port 53 on various IP addresses used by other programs. I'm stumped.

  5. #5
    seamacke Guest

    Re: Strange DNS Behavior For Programs (Fixed!)

    I fixed it. XP and Win2k leave the DNS Client Service on by default. I did some research on this and it appears that it isn't necessary if you have specified your DNS servers on the TCP/IP configuration pages. It does caching of sites visited, and also does a large amount of lookups for DNS out on the web.

    So, if ZoneAlarm users see many port 53 attempts by their machine, they may be able to just turn off the service to resolve the problem.
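
One way to triage the pattern described in this thread, added here as an example and not posted by anyone in the thread: tally port-53 attempts that go to addresses other than the configured resolvers, per program, and show which programs used those same addresses on other ports. The CSV layout, resolver addresses and sample lines are constructed for illustration and are not ZoneAlarm's actual log format.

```python
import csv
import io
from collections import defaultdict

# Assumption: the resolvers set on the TCP/IP properties page (placeholder addresses).
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample, simplified layout: time,action,program,dest_ip,dest_port,proto
SAMPLE_LOG = """\
10:00:40,ALLOW,iexplore.exe,198.51.100.20,80,TCP
10:01:02,BLOCK,WinVNC.exe,198.51.100.20,53,UDP
10:01:03,BLOCK,WinVNC.exe,198.51.100.20,53,UDP
10:01:08,ALLOW,Excel.exe,10.0.0.7,445,TCP
10:01:09,BLOCK,Excel.exe,198.51.100.20,53,UDP
10:01:09,BLOCK,Excel.exe,10.0.0.7,53,UDP
10:02:15,ALLOW,svchost.exe,192.0.2.53,53,UDP
10:03:40,BLOCK,iTunes.exe,203.0.113.9,53,UDP
"""

def parse(log_text):
    """Yield (program, dest_ip, dest_port) per well-formed line; skip the rest."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 6 and row[4].isdigit():
            yield row[2].lower(), row[3], int(row[4])

def stray_dns(log_text, trusted=TRUSTED_DNS):
    """{program: {dest_ip: count}} for port-53 attempts to non-resolver IPs."""
    hits = defaultdict(lambda: defaultdict(int))
    for program, ip, port in parse(log_text):
        if port == 53 and ip not in trusted:
            hits[program][ip] += 1
    return {p: dict(d) for p, d in hits.items()}

def other_port_users(log_text, trusted=TRUSTED_DNS):
    """{stray_ip: programs that contacted that IP on a port other than 53}."""
    stray = {ip for d in stray_dns(log_text, trusted).values() for ip in d}
    users = {ip: set() for ip in stray}
    for program, ip, port in parse(log_text):
        if ip in stray and port != 53:
            users[ip].add(program)
    return {ip: sorted(p) for ip, p in users.items()}

if __name__ == "__main__":
    for program, dests in sorted(stray_dns(SAMPLE_LOG).items()):
        print(program, dests)
    print(other_port_users(SAMPLE_LOG))
```

When several unrelated programs show stray port-53 attempts to addresses that a different program contacted first, the cause is more likely system-wide than a single infected executable.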
