ISP talking to port 53?

Thread: ISP talking to port 53?

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    14

    ISP talking to port 53?

    I have noticed since I changed ISP that my router's WAN light goes crazy and does not stop. A few times my personal firewall alerted me to an incoming connection from my ISP to port 53. I know from Google this port has to do with the DNS, possibly my router's DNS. Heck, I don't even know if my router has its own DNS service but maybe I should check. Anyway, does anyone know what reason an ISP would have for connecting to its customers?

    I have the DLINK DI-524 Rev A if that makes any difference, but on Google I read about others having this problem with various routers/ISPs and the only explanations I can find are worm traffic, which I'm sure my ISP would not be infected with a worm.

    Also, is there a way to view a log for all router traffic, not just the IDS log? Router still blinking like crazy even after I deny the incoming 53 connections.

    Anyone have some ideas on this?

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Re: ISP talking to port 53?

    Originally posted here by sposes
    ...and the only explanations I can find are worm traffic, which I'm sure my ISP would not be infected with a worm.

    Also, is there a way to view a log for all router traffic, not just the IDS log? Router still blinking like crazy even after I deny the incoming 53 connections.

    Anyone have some ideas on this?
    If there is any way to view logging for all traffic through this "router" it would be listed somewhere around here.

    Port 53 connections or traffic may (doubtful, but MAY) be made as responses to your own port 53 queries outwards.

    Also, I am certainly sure your ISP *would* be infected with a worm. The problem with the statement there is "infected". I don't think your ISP is infected per se...but it is very possibly passing worm traffic to you, since they probably don't block traffic that "might" be from a worm, only traffic that is "certainly" from a worm (and not even that, perhaps.)

    Basically, the general advice would be "get over it". The background traffic of worms, viruses, and port scans throughout the internet these days is not to be worried over. Just as soon should you worry about airliners passing overhead, dropping chunks of 'blueice' on your head to do you in. *shrug*

    Hope that helps.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Junior Member
    Join Date
    Jul 2005
    Posts
    14
    Thanks, OK, so I can now understand that it can be normal to expect incoming port 53 traffic, so I'll ignore it as suggested. However, what about my router's WAN light blinking non-stop when I am not downloading anything and the computer/s are off? Have you heard of this kinda thing? I suspect it's some kinda communication from my ISP, but it is driving me nuts.

    I had viewed D-Link's support many times but unfortunately it seems the only log I can view is the built-in IDS, and it only shows me dropped packets and detected attacks. I was hoping there was third-party software that can allow me to see the traffic, since I've tried sniffers before and they only seem to pick up on the traffic that goes in and out of my computer, but not the traffic that is solely handled by my router.

  4. #4
    Junior Member
    Join Date
    Jul 2005
    Posts
    10
    but it may *not* be normal to be receiving traffic on this port.

    If you suspect that it is some kinda communication from your ISP, make a rule for your firewall (software) to block both TCP 53 and UDP 53 both incoming/outgoing for all hosts. if it is your ISP connection (which I doubt), you will not be able to use the net. if so you can simply delete the rule unblocking the ports. if you can still connect, keep them blocked. this is basic trial and error and you don't have to worry about locking yourself out of the internet (simply un-do the firewall rule if you need to).

    also about the packet sniffer. you aren't getting much out of it likely because your router is blocking the ports you want to see. you can fix this by forwarding those ports in your router to your current private IP address (would be a 192.168 address). you can find your current private IP address by going to Start > Settings > Control Panel > Network and choose your current NIC card out of the list and click "Properties". there will be an "IP Address" tab, click it. the number filled in there is your current IP address, and that is the address that you want to forward ports to (NOT your router's IP address). this will open up traffic for the specific ports.

    forward TCP port 53 and UDP port 53 to your private IP address. then start up the packet sniffer and you will be able to see exactly what is going on on those ports. but make sure your software firewall still isn't blocking those ports (that is if you set it to) as if so you still won't be seeing traffic coming through those ports (same deal as your router blocking them).


    Peace.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    to block both TCP 53 and UDP 53 both incoming/outgoing for all hosts
    This is bad advice. If you write a rule to block *all* TCP/UDP 53 traffic, you've just killed DNS for all of your internal hosts. I hope you like visiting sites by IP because if you do this, that's the only way you're getting to them.

    You can get a packet dump and then decide if you want to block traffic from that *specific* host, not all hosts. Do you know what a normal DNS transaction looks like? If not, look at some samples.

    To get you started, if you see TCP DNS queries, then this is indicative of a zone transfer between two name servers. If you see UDP DNS queries, this is indicative of normal name resolution requests generated by a host to a DNS server.

    Whatever you decide to do, just understand the impact before going nuts with rules and such. A simple phone call to your ISP may be the quickest route to solving your mystery. Sometimes old technology works wonders.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
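
The check that posts #2 and #5 point at, namely whether a port-53 packet is the answer to a query you sent or something nobody asked for, written out as an added example; it is not part of any poster's message. The record layout `(direction, remote_ip, local_port, payload)`, the function names and the sample capture are assumptions made for this illustration.

```python
import struct

def parse_dns(payload: bytes) -> dict:
    """Decode the 12-byte DNS header and the first question name (RFC 1035)."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    labels, pos = [], 12
    while qdcount and pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:  # compression pointer: not expected in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return {"id": txid, "is_response": bool(flags & 0x8000),  # QR bit
            "qname": ".".join(labels)}

def triage(packets):
    """Label each packet 'query', 'answer' (matches a query we sent) or 'unsolicited'."""
    pending, verdicts = set(), []
    for direction, remote_ip, local_port, payload in packets:
        try:
            msg = parse_dns(payload)
        except ValueError:
            verdicts.append("unsolicited")
            continue
        # A genuine answer comes from the server we asked, to the port we
        # asked from, carrying the transaction ID we chose.
        key = (remote_ip, local_port, msg["id"])
        if direction == "out" and not msg["is_response"]:
            pending.add(key)
            verdicts.append("query")
        elif direction == "in" and msg["is_response"] and key in pending:
            pending.discard(key)  # one answer per query
            verdicts.append("answer")
        else:
            verdicts.append("unsolicited")
    return verdicts

def build(txid, response, name):
    """Construct a minimal DNS message (sample data for this example only)."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!6H", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return header + q + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

# Constructed capture; 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE = [
    ("out", "192.0.2.53", 40001, build(0x1A2B, False, "example.com")),
    ("in", "192.0.2.53", 40001, build(0x1A2B, True, "example.com")),
    ("in", "192.0.2.53", 53, build(0x9999, False, "example.org")),
    ("in", "198.51.100.7", 40001, build(0x1A2B, True, "example.com")),
]
```
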

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    sposes, I may not have been clear. I wasn't saying "All Traffic Inbound To 53 *IS* acceptable..." sorry if you got that message. As th13 indicates this could be necessary.

    It really depends on how your D-Link works for DNS with your LAN, and some other things.

    The point I was mostly addressing was the WAN light. If you don't like it blinking all the time, there are two options...#1 tape-over/color-over/break the bulb so you can't see it blink, or #2 disconnect your D-Link from the internet.

    There is absolutely nothing you can do if it is connected 'to the cloud' as we say. There *will* be stray packets hitting it, and some of them *will* be hostile, although probably blind (as in, not directed at you necessarily, but generally malicious and you had the fortune to receive one.)

    That's life on the internet. Nothing you can do about it, if you want to plug in to the rest of the world.

  7. #7
    Junior Member
    Join Date
    Apr 2005
    Posts
    9
    Originally posted here by sposes
    ... However, what about my router's WAN light blinking non-stop when I am not downloading anything and the computer/s are off? Have you heard of this kinda thing? I suspect it's some kinda communication from my ISP, but it is driving me nuts.
    Even if you block the traffic on your router/firewall, your WAN activity light will still blink because the packets are still coming across the wire. If you see a lot of WAN activity AND a lot of LAN activity, then you have something to worry about because that means the packets are getting through. WAN activity is normal - you just don't want to see that traffic on the other side of the router/firewall.

  8. #8
    Junior Member
    Join Date
    Jul 2005
    Posts
    14
    Thanks to all, I will be doing some research into DNS, as up till now I've only known two things about it: that it resolves domain names into IPs and that it works on port 53. While reading on Google yesterday I came across discussions of zone transfers, and when I tried to find out more info about it, I was unsuccessful. If someone can point me to a site that explains zone transfers, that would be greatly appreciated. I'm gonna try some of the suggestions and see what kind of info I can dig up.

    Additionally, thanks thehorse13 for making the UDP 53 and TCP 53 clear. Now I have something to go on. Many thanks to everyone.

  9. #9
    Junior Member
    Join Date
    Jul 2005
    Posts
    10
    Originally posted here by thehorse13
    This is bad advice. If you write a rule to block *all* TCP/UDP 53 traffic, you've just killed DNS for all of your internal hosts. I hope you like visiting sites by IP because if you do this, that's the only way you're getting to them.

    You can get a packet dump and then decide if you want to block traffic from that *specific* host, not all hosts. Do you know what a normal DNS transaction looks like? If not, look at some samples.

    To get you started, if you see TCP DNS queries, then this is indicative of a zone transfer between two name servers. If you see UDP DNS queries, this is indicative of normal name resolution requests generated by a host to a DNS server.

    Whatever you decide to do, just understand the impact before going nuts with rules and such. A simple phone call to your ISP may be the quickest route to solving your mystery. Sometimes old technology works wonders.

    --TH13
    I think you misread my post.

    this is basic trial and error and you don't have to worry about locking yourself out of the internet (simply un-do the firewall rule if you need to).
    this is what I would have done, found that I could no longer browse sites by hostname and un-done the rule. you will live a boring life if you are afraid to take small risks like this. instead of overwhelming someone with techie words, try a little trial and error. this is HOW you learn. if he had done this he would have found that 53 is an essential port. so would have I. I would have un-done the rule and everything would have been fine and dandy again. if you are using a software firewall that will not let you undo custom rules you should start looking for an alternative IMO.


    Peace.

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    this is what I would have done, found that I could no longer browse sites by hostname and un-done the rule. you will live a boring life if you are afraid to take small risks like this. instead of overwhelming someone with techie words, try a little trial and error. this is HOW you learn. if he had done this he would have found that 53 is an essential port. so would have I. I would have un-done the rule and everything would have been fine and dandy again. if you are using a software firewall that will not let you undo custom rules you should start looking for an alternative IMO.
    Try using this argument when you drop the net connection for a multimillion dollar company


    sorry, this is a stupid argument. there is no point in taking risks when the result is a guarantee. It's like saying "I'm going to try not breathing, because maybe this time I can live without oxygen, so what if millions have died from suffocation"


    some people don't learn, average people learn from their mistakes, wise people learn from the mistakes of others
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
