Why do I see outbound UDP packets to openDNS block site?
My system uses iptables firewall to block users directly accessing port 80,443. Instead the outbound connections for standard users are forced through privoxy proxy on 8118 and only privoxy can then access web on 80, 443 (the rules also allow established, related inbound packets).
In my logs I keep seeing dropped outbound UDP packets to openDNS block IP destination to destination port 80. What is the purpose of these packets? (I should mention that openDNS is otherwise working just fine and has the usual DNS port access etc and I can view the blocked page if go to banned domain). I'm just curious as to what these outbound UDP packets are on port 80 to the block site?
I could understand traffic to the block site on port 80 from requests privoxy makes to the block site when a blocked domain is attempted to be accessed, and I'm sure these type of requests are getting through. But given these other UDP packets are getting dropped, it suggests that it's not user's web access through privoxy that is initiating them...so what are they?
netfilter:out dropped: IN= OUT=eth1 SRC=192.168.1.79 DST=126.96.36.199 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=80 LEN=24
I've since discovered this is just transmission bittorrent client on SPT=51413. I have p2p blocked on websites (although the client occasionally gets used to download a torrent or two) . I have transmission must be trying to contact a torrent website and hits the block request when it asks for the DNS.......(maybe to update the tracker or something?) . Although not sure why it's using port 80 rather than going through the proxy on 8080, but I guess that is another issue....
The bittorrent client sends a DNS lookup for a domain, and OpenDNS returns 188.8.131.52 (hit-adult.opendns.com), because you have blocked this domain with your settings. Then the client connects to 184.108.40.206 as if it would be the real torrent which seems to be using udp/80. Why not. All normal.
Worried about what? And where are you seeing it?
That domain name indicates that a DNS lookup was blocked for a domain that is classified as an adult site, which is a category that I'm assuming you have blocked. Wherever you are seeing it, if nothing else it's an indication that OpenDNS is working correctly and as you configured it.
DNS requests are usually not raised by humans, and not necessarily by browsers only, but can come from any networking program. Especially, hit-adult.opendns.com indicates that a domain is blocked by category, whereas hit-block.opendns.com indicates individual domain blocking.
"I can see dozens of "system processes" hitting blocked sites"
Then you apparently have domains blocked which are needed by these system processes, e.g. for software patches, AV signatures or any other networking purpose.
You can find it out here: https://dashboard.opendns.com/stats/all/blockeddomains
"when my browser is closed and nothing else is running."
I commented already on the browser thing. This is irrelevant.
But else, so, all your devices in your network are totally switched off? Also the router?
"I'm also seeing thousands of domain hits per hour if I look at my opendns stats, even if we aren't home."
There are these possibilities:
- You leave your devices switched on, and there are programs performing much network activity.
- Or the time zone is wrong for your account: https://dashboard.opendns.com/myaccount/timezone - so you're seeing stats at the wrong time.
- Or someone is intruding your network, e.g via an unprotected WLAN.
- Or you have registered a wrong IP address with your dashboard network, catching someone else's DNS activity:
- Or a mixture of the before.
Hi there, thanks for the reply.
I meant no other programs on the PC are running when I'm seeing these domains get pinged (other than usual background stuff, e.g. AV).
I changed my router password and have been monitoring all devices connected via Wireless Network Watcher, so it's not someone else using my network. I verified that my timezone is correct. I also verified that my ip matches what is shown on openDNS as well as if I e.g. google what is my ip? (they are the same number)
I suppose what I am wondering is if I have some phantom program(s) that are hitting these blocked domains, and if so what to do about them. I ran a few malware/spybot programs and did catch some suspicious stuff, but I am still seeing the issue if I watch TCPView. Dozens of "system processes" pinging blocked ip's, and REALLY questionable stuff showing up in my openDNS logs. International domains like .ru, .jp, lots of adult stuff... places that nobody at our home is visiting for sure.
Just because no software is running with a user interface doesn't mean no software is actively running that accesses the internet to do routine tasks. AV software makes inquiries to servers for updates, things like Chrome and FireFox are polling the servers for updates, various pieces of software are looking for updates, backup software could be doing various things. File synch or streaming apps could also be running Without knowing what is running is installed on the computer, or knowing what some of these services are that are doing the activity, or even how your blocking is configured in OpenDNS it's impossible to say what is happening other than that something is happening.
There is a lot of garbage that gets installed on computers and other devices by users or manufacturers that isn't needed and that not only needlessly slows down the computer, but eats up network bandwidth. You said you found suspicious stuff, what kind of stuff was it and what did you do about it? If there is a device that is badly infected by malware some of it is nearly impossible to remove and sometimes the best bet is to copy the data off (and only the data) and reformat or replace the hard drive and start installing from scratch.
Just because no one is deliberately visiting a website doesn't mean that traffic to a domain isn't being generated. People greatly underestimate how much traffic is generated by ads and scripts on legitimate websites, including to international domains or adult domains. It's not unheard for ads on legitimate domains to even try to load malware on a computer. Just because you think no one is visiting those sites doesn't mean that what they are doing isn't generating traffic to their domain.
Yeah, I suppose that's the heart of the issue for me - should I format and reinstall everything because I have malware doing who knows what on suspicious domains, or is that just modern day internet life and everyone's computer is doing this?
I took an internet security course over the weekend, which really opened my eyes & prompted me to start paying more attention to this stuff. Part of that was signing up for OpenDNS, in order to ensure that no devices in the house will be able to connect to adult sites or any other place that e.g. my kids really shouldn't be going. So, now that OpenDNS is setup, it's surprising to see the number of sites that are still being blocked and/or hit daily, even though I know nobody on our network is trying to go to these places. These domains appear to be being hit by our main PC, by "system processes" that are running in the background.
"I am still seeing the issue if I watch TCPView. Dozens of "system processes" pinging blocked ip's,"
And here it comes again, this TCPView. So, don't watch it too much! You may not understand what you're seeing anyway.
Well, this is a very good tool, but not if this is the only one you use. Especially, this does not show your DNS traffic, because DNS is almost UDP and happens too quickly to be caught by this tool. It merely shows session based connections, i.e. almost TCP, not UDP. And the domains you're seing come from reverse DNS, i.e. TCPView builds them while raising PTR queries for the IP addresses being found, and these do not match anything with your OpenDNS stats. They all go under the *.in-addr.arpa entry. And therefore you'll even not be able to see most of those domains in your OpenDNS domain stats...
Therefore, in addition you'll have to use sniffer tools which are able to reflect your DNS traffic, not your other almost TCP based traffic only.
Try with something like http://www.nirsoft.net/utils/dns_query_sniffer.html or Wireshark to get a far better picture and details about your DNS traffic. And these details matches with what you see in your OpenDNS stats.
"These domains appear to be being hit by our main PC, by "system processes" that are running in the background."
Yeah, this exactly confirms and proves what Matt Wilson explained above (and otherwise). And because these system processes are doing that, why do you wonder about DNS activity when nobody is present? They simply act on their own. And there are networking applications which do not raise DNS lookups themselves, but go to these system processes to let them do it for them. So everything fits perfectly for your scenario and observations.
"even though I know nobody on our network is trying to go to these places."
As Matt and I have said, again, this is totally irrelevant. This is not how computers and the internet work. As I said, these are networking applications raising DNS lookups, almost not humans.
Please sign in to leave a comment.