A Broadband and ADSL forum. BroadbanterBanter


Pls advise what is happening - IP addresses & port 53



 
 
  #1  
Old December 9th 05, 10:16 AM posted to ntl.discussion.broadband.cm,uk.telecom.broadband
Alix

BACKGROUND

I am on NTL with no other PCs or printers attached. I use
FILSECLAB's personal firewall.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in Europe I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.


OBSERVATIONS

Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

These entries have worried me because for the last week my PC has
been hesitating for several seconds before connecting to servers such
as (http://www.google.com or an NNTP news server) for the first
time. Subsequent connections seem as fast as usual.

Spybot (latest version with latest updates) reports nothing.


QUESTIONS FOR ANYONE

1: Which entries below are expected and which are unusual?

2: Have I got some subtle malware on my system?

3: How can I track back from these entries to find what programs
invoked NAMED.EXE to make these network connections?

4: Should I remove Treewalk or does it make no difference?


For the time being I have put these into my hosts file in order to
restrain them from connecting.


Thank you for any help.


-------- LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

NOTES:

(1) There were often several entries for each IP address but I have
listed only one.
(2) My IP address with port 1025 was always shown for each of these
entries
(3) The program associated with each entry was always Treewalk's
NAMED.EXE.
(4) In most cases, 70 bytes were sent and none received but for
192.5.6.30 (for which the IP lookup keeps failing) there was as much
as 10 KB of traffic in each direction!
(5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.

=====

38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

194.54.112.30 :53
FLUENTANO, Hostmaster Bergen Nett og Media, Norway

193.0.14.129 :53
Subnet for k.root-servers.net

192.5.6.30 :53
a.gtld-servers.net [sent 10595 bytes & received 11369 bytes]

192.26.92.30 :53
VeriSign Global Registry
192.26.92.32 :53
VeriSign Global Registry
192.33.14.30 :53
Verisign
198.41.0.4 :53
Verisign

202.12.29.59 :53
Asia Pacific Network Information Center, Australia

216.239.34.10 :53
Google [I have Google Desktop Search]

------- END LIST OF SELECTED FIREWALL MONITOR ENTRIES --------
  #2  
Old December 9th 05, 02:16 PM posted to ntl.discussion.broadband.cm,uk.telecom.broadband
Jim Howes

Alix wrote:
> BACKGROUND
>
> I am on NTL with no other PCs or printers attached. I use
> FILSECLAB's personal firewall.
>
> I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
> system.

Which is what?
I'm guessing some sort of caching DNS server.
(googles.. bingo.)


> (1) There were often several entries for each IP address but I have
> listed only one.
> (2) My IP address with port 1025 was always shown for each of these
> entries
> (3) The program associated with each entry was always Treewalk's
> NAMED.EXE.


Port 53 (both UDP and TCP) is used for resolving names (i.e. www.bbc.co.uk
resolves to 212.58.224.125)

> (4) In most cases, 70 bytes were sent and none received but for
> 192.5.6.30 (for which the IP lookup keeps failing) there was as much
> as 10 KB of traffic in each direction!


70 bytes is a fairly typical size for a DNS lookup.
192.5.6.30 is indeed a.gtld-servers.net and is one of many top-level DNS
servers. This particular one is run by VeriSign Global Registry Services, and
is probably in Dulles, VA, USA.
The top level DNS servers are THE authoritative servers that get queried by DNS
clients. Usually, your DNS requests are forwarded up the tree from you to your
ISP, and so on until they reach either an answer, or the top level servers. If
the top level server doesn't know the answer, or who is likely to have the
answer, then whatever you are looking for does not exist, period.

Unless you have particularly good reasons to direct DNS queries to a tld server,
it is best not to, because such activities, if done by everyone, will rapidly
grind the entire net to a halt. And relying on just 'a.gtld-servers.net' to be
up 24/7 is counter-productive. There are many of them so that they can come up
and go down independently.

> (5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.


Why would you want to? It's probably just a nameserver for some domain hosted
by "Bergen Nett og Media AS", in Bergen, Norway.

DNS is a complicated subject. If you don't understand it, it's best to just use
the DNS server addresses supplied to you by your ISP. If you must use a local
caching nameserver (and if you have multiple machines that are active most of
the time using some form of NAT or internet connection sharing, this is actually
a good thing, similarly if your ISP's DNS servers are goofy or slow), they
should 'play nice' and use your ISP DNS servers.

So the question is, Why did you download Treewalk DNS? Are NTL's DNS servers
completely zarked? (Stupid question, they belong to NTL..) You should probably
be using 194.168.4.100 and 194.168.8.100 from an NTL cable connection
  #3  
Old December 9th 05, 09:53 PM posted to ntl.discussion.broadband.cm,uk.telecom.broadband
Colin Wilson

> So the question is, Why did you download Treewalk DNS? Are NTL's DNS servers
> completely zarked? (Stupid question, they belong to NTL..)


I've heard it mentioned previously (on here as well I think!) that it
can help work around NTL's DNS servers being sh*te...

--
Please add the word "newsgroup" in the subject line of personal emails
**** My email address includes "ngspamtrap" and " ****
  #4  
Old December 12th 05, 09:54 AM posted to ntl.discussion.broadband.cm,uk.telecom.broadband
Spack

Alix wrote on Fri, 09 Dec 2005 10:16:15 GMT:

> BACKGROUND
>
> I am on NTL with no other PCs or printers attached. I use
> FILSECLAB's personal firewall.
>
> I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
> system. As I am in Europe I also installed the "ORSC Slave-Root"
> package. I have to say I am not particularly familiar with the
> technical details of DNS lookups.
>
> OBSERVATIONS
>
> Today I booted up. Before I manually launched anything I saw the
> following entries shown below in my firewall monitor.
>
> These entries have worried me because for the last week my PC has
> been hesitating for several seconds before connecting to servers such
> as (http://www.google.com or an NNTP news server) for the first
> time. Subsequent connections seem as fast as usual.


[snipped the rest]

You've installed a DNS server, and you're seeing the effects of having done
so. NAMED (the DNS process) running at boot is completely normal, as it's
installed as a service (that might give you a clue where to look to disable
it if you want). It's connecting to multiple IPs on port 53 to do DNS
lookups in response to what you're doing on your PC - web browsing, news
reading, etc. DNS lookups are a bit slower because you're resolving direct
to the root servers yourself, rather than letting a dedicated DNS server do
it which might have already cached the information you need for popular
sites. Those hosts you're seeing with port 53 open are due to them being
authoritative DNS servers for domains you are trying to connect to,
including a couple of Top Level Domain servers.

I'd advise you to remove Treewalk. I'd also advise not running your own DNS
server unless you know what you're doing. I've been running DNS servers here
at work for 11 years, and I'd never bother installing one on my home PC.

Dan
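
Added example, not part of any post in this thread: a toy model of the iterative lookups described above, showing why a local named contacts a root server, then a gTLD server, then a domain's own name server on a first lookup, answers repeats from its cache, and goes back to the gTLD server for each new .com domain. The three server addresses come from the firewall list in the first post; treating 216.239.34.10 as a google.com name server, the `example.com` delegation, the `192.0.2.x` addresses and the `Resolver` class are assumptions constructed for illustration.

```python
# Toy iterative resolver with a cache. All zone data here is constructed.
ROOT = "193.0.14.129"        # k.root-servers.net (from the thread's list)
GTLD = "192.5.6.30"          # a.gtld-servers.net (from the thread's list)
GOOGLE_NS = "216.239.34.10"  # "Google" in the list; assumed google.com server
EXAMPLE_NS = "192.0.2.53"    # constructed, documentation address range

# What each server holds: referrals (zone -> next server) and final answers.
ZONES = {
    ROOT: {"referrals": {"com.": GTLD}, "answers": {}},
    GTLD: {"referrals": {"google.com.": GOOGLE_NS,
                         "example.com.": EXAMPLE_NS}, "answers": {}},
    GOOGLE_NS: {"referrals": {},
                "answers": {"www.google.com.": "192.0.2.10"}},
    EXAMPLE_NS: {"referrals": {},
                 "answers": {"news.example.com.": "192.0.2.20"}},
}


class Resolver:
    def __init__(self):
        self.ns_cache = {".": ROOT}  # zone -> server; only root hints at boot
        self.answer_cache = {}       # name -> address
        self.contacted = []          # what a firewall monitor would show

    def _closest_server(self, name):
        """Server for the longest cached zone that contains name."""
        zones = [z for z in self.ns_cache
                 if z == "." or name.endswith("." + z)]
        return self.ns_cache[max(zones, key=len)]

    def resolve(self, name):
        """Return (address or None, servers contacted for this lookup)."""
        if name in self.answer_cache:
            return self.answer_cache[name], []
        hops, server = [], self._closest_server(name)
        while True:
            hops.append(server)
            self.contacted.append(f"{server} :53")
            data = ZONES[server]
            if name in data["answers"]:
                self.answer_cache[name] = data["answers"][name]
                return self.answer_cache[name], hops
            # Follow the most specific referral and cache the delegation.
            zone = max((z for z in data["referrals"]
                        if name.endswith("." + z)), key=len, default=None)
            if zone is None:
                return None, hops    # no such name
            server = self.ns_cache[zone] = data["referrals"][zone]
```

On a fresh `Resolver()`, `resolve("www.google.com.")` contacts three servers, the same name again contacts none, and `resolve("news.example.com.")` contacts only the gTLD server and the new domain's server, so the gTLD address accumulates entries while the root address appears once.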


  #5  
Old December 16th 05, 02:30 AM posted to ntl.discussion.broadband.cm,uk.telecom.broadband
Alix

On Mon 12 Dec 2005 09:54:37, Spack wrote:

> [snipped the rest]
>
> You've installed a DNS server, and you're seeing the effects of
> having done so. NAMED (the DNS process) running at boot is
> completely normal, as it's installed as a service (that might
> give you a clue where to look to disable it if you want). It's
> connecting to multiple IPs on port 53 to do DNS lookups in
> response to what you're doing on your PC - web browsing, news
> reading, etc. DNS lookups are a bit slower because you're
> resolving direct to the root servers yourself, rather than
> letting a dedicated DNS server do it which might have already
> cached the information you need for popular sites. Those hosts
> you're seeing with port 53 open are due to them being
> authoritative DNS servers for domains you are trying to connect
> to, including a couple of Top Level Domain servers.
>
> I'd advise you to remove Treewalk. I'd also advise not running
> your own DNS server unless you know what you're doing. I've been
> running DNS servers here at work for 11 years, and I'd never
> bother installing one on my home PC.


Thanks for the info mate.
 



