Firewall blocking periodic UDP's from OpenDNS

Comments

5 comments

  • Avatar
    rotblitz

    These are clearly DNS responses from OpenDNS for your DNS queries being reported by the firewall.

    This has been reported more often on the old forums, e.g.
    https://forums.opendns.com/comments.php?DiscussionID=7493
    https://forums.opendns.com/comments.php?DiscussionID=9643
    http://forums.opendns.com/comments.php?DiscussionID=11871
    http://forums.opendns.com/comments.php?DiscussionID=13565

    It almost turned out that this is a badly behaving firewall which forgot that there's was an outstanding UDP response to a prior UDP request.

  • Avatar
    fiddleaway

    Helpful reading.  Among other useful things, a nomenclature handle, 'UDP port scan' I can use to look further ... (I know ...."this is not a port scan problem" ... understood)

    Actually mac Activity Monitor is showing regular 10 second bursts of traffic spaced at 20 second intervals  ... the repetition rate is even higher than what shows up in the firewall log, but maybe only a portion of the outgoing packets are going to OpenDNS server on port 53?  Activity monitor's defalut settings cause incoming packets to mask outgoing packets ... when I fixed that, it was obvious that the burst pattern consisted of two-way traffic ... and I'm guessing most of it initiated locally.

    I am really a babe-in-the-woods when it comes to investigating what might be generating all of this traffic ... it's just my home computer.  Could just as easily be ops normal, misconfiguration, malfeasance or a poorly designed firewall.  I originally started using OpenDNS a few years back mainly because my ISP's (att) DNS would intermittently fail to find common used web sites, and OpenDNS offered a consistent level of performance.  The only aspect of OpenDNS I know of that would periodically initiate traffic is the IP Updater ... but (naively?) I thought that would only trigger if my IP address changes (which I believe mostly just happens when I cycle power on my internet gateway ... nominally, once a day).

    Recent investigation of this problem led me to find out more about basic OpenDNS services, and I did discover 2 two-year-old threat reports; one for webbot activity and one for malware.  Not sure if these warnings mean my machine was a source of these problems or simply that attempts by these threats were thwarted by OpenDNS.  But if the former, perhaps I suppose they could be the root cause of the periodic traffic bursts I'm seeing.

    Other than that, I'm pretty stumped at how to look for what might be generating the periodic bursts.  If you have any advice on how to get started, it would be helpful.

    Thanks.

  • Avatar
    rotblitz

    A look into your OpenDNS stats should give you more insight about the DNS activity of your network. We can't know, it's not our network...

  • Avatar
    Brian Hartvigsen

    Connections to OpenDNS will have a destination port of 53, but the source port on your side will generally be a port in the 1024-65535 range.  If the DNS response took longer then expected (due to slow upstream responses), you are simply making a lot of requests, or are making a lot and behind a NAT, these could all lead to getting packets on a closed port or where your router has "forgotten" the end machine that specific request was mapped to.  As rotblitz mentioned, check your firewall settings, though I'd also recommended checking connection tracking settings if you are doing a lot of DNS requests or have other programs/systems running that make a lot of requests (bittorrent tends to be noisy for example.)

  • Avatar
    fiddleaway

    My ability to look at the things you mention is limited.  I understand why you are reluctant to get into details of how to investigate internal system settings of client networks.  my mac machine runs mac osx and I am familiar with using the 'Terminal' to investigate system behavior from a Unix shell.  There probably is a way for me to use the terminal to investigate which processes are generating the traffic .. and examine control elements within the traffic to reveal other useful information.  If you are reluctant to counsel me on how to proceed using some well known Unix services to investigate network traffic ("connection traffic settings"), I can understand that, and I'll ask elsewhere.  Both my gateway (router/modem) and computer have firewalls with limited parametric controls that I can examine and modify so I'll take a look at these.

    Thanks for the advice

Please sign in to leave a comment.