Results 1 to 6 of 6

Thread: vsmon access to blocked DNS server

  1. #1
    johnnnn Guest

    Default vsmon access to blocked DNS server



    Hello




    While investigating why my computer should want to access a wide variety of IPs belonging to a company named Akamai Technologies, I have noticed the following:




    Zone Alarm s vsmon.exe seems to attempt to access one of my ISP s DNS servers, well specifically the one that I blocked.




    There are three DNS servers. I decided to block one of them as the number is not in sequence with the other two. Since
    Im forced
    to hard code them into Zone Alarm to get things working, my thinking is that should
    my ISP
    decide to change IPs, they are more likely to change this odd-ball IP.




    Anyway, while there are absolutely no applications running and I m doing absolutely nothing, vsmon is accessing the blocked DNS server (well according to my Port Explorer). And as Ive blocked it, the blocks are showing in ZoneAlarms log. Any ideas why?




    Regards, John

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: vsmon access to blocked DNS server

    Akamai Technologies is actaully a cached server network for almost 40% of the internet. It is impossible for large servers to handle the load themselves, so they the information requested by users with pc and others servers then get the info from akamai. Yahoo, microsoft, some security firms. zone alarm and many others use akamai.

    http://en.wikipedia.org/wiki/Akamai_Technologies


    This is OK to be accessed.

    The ZA will access your provider's dns servers to do checks on IP's and various connections. This is normal for firewalls- they must make sure the trafficto and from the sites is correct. The firewall can only verify the correctness by actually doing dns checks. This activity is all normal.

    The dns servers of your provider can be found in the ipconfig /all command and if the provider has three servers, then use all three. One is at least a http dns look up server and one is at least a email server. Do you knwo which one is which?

    Make sure the ZA is properly configured. If your provider does cahmage the dns IP's then the logs of the ZA will show the changes. Plus the ipconfig /all with show it in a flash. The usual advice I give is this:

    Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DCHP servers, etc

    1. Go to Run type in command , hit 'ok', and type ipconfig /all then press enter. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side.
    2. In ZA on your machine on the Firewall>Zones tab click Add and then select IP Address. Make sure the Zone is set to Trusted.
    3. Click OK and then Apply and see if that works to fix it.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    http://zonealarm.donhoover.net/dnsdhcp.html

    Oldsod
    Best regards.
    oldsod

  3. #3
    johnnnn Guest

    Default Re: vsmon access to blocked DNS server

    Akamai:
    Yep I already read about Akamai. It s only recently though that I see outgoing traffic to Akamai (to port 80 and also 137!) blocked in the ZA log. So I thought of the possibility that something got onto my PC, as I also read that Akamai download content. After some investigation, I believe the Akamai traffic - that ZA decides to block - is initiated by content in pages downloaded by my browsing. Note, I am not explicitly blocking Akamai, ZA itself decides to block it. Its not causing me any problem, so I will ignore that blocked traffic.
    DHCP and DNS:
    Originally I didn t have any DHCP or DNS problems, when using just one PC. When I added a second PC - Internet connection sharing and file sharing only within the LAN - my problems started. There were two problems as follows:
    The first (DHCP) problem - the second PC couldn t get an internet address to get out on the internet. I resolved this by adding an expert rule allowing outgoing UDP from My Computer port 68 to 255.255.255.255 port 67. This resolved the DHCP problem on my second PC.
    The second (DNS) problem the second PC couldn t obtain resolved host addresses so it couldn t find any site on the internet. I resolved this by adding two of my ISP DNS servers to the trusted zone.
    I didn t appreciate that I should add DHCP and DNS servers to the trusted zone, as everything had worked fine HTTP and E-mail - without them defined in any zone, when I was using only one PC.
    The reason I didn t add the 3rd DNS to the trusted zone is I m a stubborn person and I simply didn t like the look of it! The addresses are 62.231.32.10, 62.231.32.11 and 89.124.172.10. Also I think I got a bit paranoid. Most of the unwelcome traffic comes from my ISP address space. It s only now that I appreciate why thanks to your earlier suggestion - it s because my IP keeps changing, so I m mistaken for some super duper peer to peerer or surfer extraordinaire or another server.
    I have no information regarding the specific purpose of any of the above DNS servers (which one may be HTTP or E-mail or other). I assumed that the 2nd and 3rd servers were simply backup/supporting servers. Anyway, everything is working fine at the moment, including E-mail.I will consider adding the 3rd server later.
    Localhost 127.0.0.1:
    I still use my old pal JunkBuster - to filter-out junk, block sites, block file extensions to avoid bad downloads, IP forwarding etc. It likes to use Localhost proxy address 127.0.0.1. I was testing something recently, and attempted to block Internet Access for a certain program in ZA Program Control. The program was not blocked from accessing the internet. At the time, I had Localhost in the Trusted Zone. I moved Localhost to the Internet Zone, and the block worked. So I decided to leave Localhost in the Internet Zone, in case programs that go to the Internet via JunkBuster might be evading ZA Program Control permissions.
    Generic Host Process:
    I block Internet Server in ZA Program Control for Generic Host Process and Message Queuing Service and allowed everything else for these two processes. Note that by default in learning mode - ZA allows Internet Server for Generic Host Process. Maybe in learning mode with no prompting ZA may allow whatever is requested.
    Sorry for the long-winded reply.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: vsmon access to blocked DNS server

    Hi

    Port 137 indicates netbios. Disable netbios in the properties of the TCP/IP propweties of the network connection properties. That should put a stop to the OS broadcasts. Port 80 is acceptable as it is http.

    Find and make sure the allow multicast is checked in the custom or properties button.
    The problem can be resolved sometimes by checking the allow outgoing DHCP and DNS as well. Outgoing is OK, since it does that anyways. It is the inbound that is always a concern, since this would open the ports and that is a security risk.

    There is no security risk with the DNS, DHCP and the localhost set as Trusted. These are secure and are in fact not a true internet- the connections are direct to the PC and no internet is actually involved. It is actually a private network from your provider to you. If you can't trust your provider, who can you trust?

    If your IP changes to a new and bad IP (previous owner was a P2P demon), try a IP release and IP renew. You should be able to get another one, if your assigned IP is dynamic and not static and the router is not doing the actual DNS server role. (use command ipconfig /release and then ipconfig /renew).
    But the ZA should detect/stop the internet intrusions and furthermore the router itself should drop all unwanted inbound connections.

    The DNS server of your provider are not related to assigned IP's on their network, so entering the actual IP of the DNS and not the range of your provider is OK.

    Alternative to using your providers DNS servers isto use openDNS (opendns.com). It is free. They have larger caching and hence their lookups tend to be faster. Plus they update the caches more times than many providers, so new or changed address are faster. They have more phishing filters, so they can be even safer than many providers. So far they have manintained the good efforrt.

    The Internet Security Zone slider should be at High , but the Trusted Security Zone slider should be at Medium.

    Generic Host Process (svchost.exe) should not have Internet server, just Trusted server.

    Message Queuing Service is only needed for servers to distribute across the windows networked systmes. I am unsure if you even need this to go out for even the LAN, let alone the internet access.

    Junkbuster.. not Privoxy? Haven't changed it yet?
    I'm curious to know if the original junkbuster file will work in the Privoxy.
    I'm using Privoxy chained to Webwasher with mixed results, but haven't really worked on the Privoxy file yet, so the bugs have yet to be worked out. I just finished making a good filter file for the webwasher and the opera urlfilter.ini, so the privoxy project is next on the list.

    Very possible the ZA saw the junkbuster internet access and not the application using the junkbuster - that would explain that. But the program control is set at High? You could set up an expert rule to block that applications access to the localhost and block the access to the Trusted/Internet Zone- that would hold it off from any access.

    Many applications have no predefined list of servers /IP to use and must still do DNS lookups or use windows to do the dns lookups for them. But all applications can be forced to do there own DNS lookups once the DNS Client service is disabled (just lock in the porper DNS IP's n the properties of the network connections first before doing so!).

    "Sorry for the long-winded reply."
    Oh really, I like to make long-winded reply. myself, if you have noticed. No apologies are needed. It is always better to ask or say something then remain silent. Even the most obvious questions are always welcome.

    Oldsod

    Message Edited by Oldsod on 08-01-2007 06:58 AM
    Best regards.
    oldsod

  5. #5
    johnnnn Guest

    Default Re: vsmon access to blocked DNS server

    Hi again
    Client for Microsoft Networks / File and Printer Sharing and NetBIOS over TCP/IP are all active on my second network card (the LAN gateway) for local file sharing. I'm careful not to have them on the internet connection. The reason I put a ! mark after port 137 was to indicate surprise about seeing an attempted NetBIOS outbound. I presume if it wasn t blocked by ZA, it would have failed. Strange, it s something you might expect from a Trojan.
    I believe I tried allowing outgoing DHCP and DNS but not multicast in Custom Firewall Settings, but it didn t help. Anyway its all working with DNS servers in Trusted Zone and a simple expert rule for DHCP.
    As far as trusting my ISP is concerned, the only thing I trust about the company is that they will send me a monthly bill, they re pretty **bleep** to put it mildly.
    Whats that "saying", the devil you know may be better than the devil you don t know! The devil in this case is my IP address. It changes frequently, and they're all noisy. Sometimes I force a renewal, it can take many attempts before I get a change. Maybe I'm on a small segment of noisy IPs. I don t have a router... yet.
    I think I still have the Junkbuster zip file I downloaded many moons ago, can sent you the original block-file if you like. Thanks, I need a replacement for Junkbuster. I didn t know about Privoxy, will have a look at it.
    Regards, John

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: vsmon access to blocked DNS server

    Everything seems OK. The netBIOS outbound is normal with your set up and it just goes to the LAN and not internet, so no real security risk is even present.

    How true about providers. But using alternative dns servers means still using the present provider's internet access. They seem faster and are more secure than my own providers which is Rogers (Canada).

    Privoxy is an updated version of JunkBuster. It is cross platform, so some of the best advice is found in linux forums.

    http://www.neilvandyke.org/privoxy-rules/

    The Privoxy seems improved and has a lot more work with it. But does seem nice and once it has some effort put into it, it can have very strong possibilities.

    Cheers,

    Oldsod
    Best regards.
    oldsod

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •