Networking Forums


Pls advise what is happening - IP addresses & port 53

 
 
Alix
12-09-2005, 09:16 AM
BACKGROUND

I am on NTL with no other PCs or printers attached. I use
FILSECLAB's personal firewall.

I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
system. As I am in Europe I also installed the "ORSC Slave-Root"
package. I have to say I am not particularly familiar with the
technical details of DNS lookups.


OBSERVATIONS

Today I booted up. Before I manually launched anything I saw the
following entries shown below in my firewall monitor.

These entries have worried me because for the last week my PC has
been hesitating for several seconds before connecting to servers such
as (http://www.google.com or an NNTP news server) for the first
time. Subsequent connections seem as fast as usual.

Spybot (latest version with latest updates) reports nothing.


QUESTIONS FOR ANYONE

1: Which entries below are expected and which are unusual?

2: Have I got some subtle malware on my system?

3: How can I track back from these entries to find what programs
invoked NAMED.EXE to make these network connections?

4: Should I remove Treewalk or does it make no difference?


For the time being I have put these into my hosts file in order to
restrain them from connecting.


Thank you for any help.


-------- LIST OF SELECTED FIREWALL MONITOR ENTRIES --------

NOTES:

(1) There were often several entries for each IP address but I have
listed only one.
(2) My IP address with port 1025 was always shown for each of these
entries
(3) The program associated with each entry was always Treewalk's
NAMED.EXE.
(4) In most cases, 70 bytes were sent and none received but for
192.5.6.30 (for which the IP lookup keeps failing) there was as much
as 10 KB of traffic in each direction!
(5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.

=====

38.113.2.100 :53
Jerky Network Services, Mass

199.166.26.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.29.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM
199.166.31.100 :53
VRx Network Services Inc. server=JFWHOME.FUNHOUSE.COM

194.54.112.30 :53
FLUENTANO, Hostmaster Bergen Nett og Media, Norway

193.0.14.129 :53
Subnet for k.root-servers.net

192.5.6.30 :53
a.gtld-servers.net [sent 10595 bytes & received 11369 bytes]

192.26.92.30 :53
VeriSign Global Registry
192.26.92.32 :53
VeriSign Global Registry
192.33.14.30 :53
Verisign
198.41.0.4 :53
Verisign

202.12.29.59 :53
Asia Pacific Network Information Center, Australia

216.239.34.10 :53
Google [I have Google Desktop Search]

------- END LIST OF SELECTED FIREWALL MONITOR ENTRIES --------
 

Jim Howes
12-09-2005, 01:16 PM
Alix wrote:
> BACKGROUND
>
> I am on NTL with no other PCs or printers attached. I use
> FILSECLAB's personal firewall.
>
> I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
> system.


Which is what?
I'm guessing some sort of caching DNS server.
(googles.. bingo.)

>
> (1) There were often several entries for each IP address but I have
> listed only one.
> (2) My IP address with port 1025 was always shown for each of these
> entries
> (3) The program associated with each entry was always Treewalk's
> NAMED.EXE.


Port 53 (both UDP and TCP) is used for resolving names (i.e. www.bbc.co.uk
resolves to 212.58.224.125)

> (4) In most cases, 70 bytes were sent and none received but for
> 192.5.6.30 (for which the IP lookup keeps failing) there was as much
> as 10 KB of traffic in each direction!


70 bytes is a fairly typical size for a DNS lookup.
192.5.6.30 is indeed a.gtld-servers.net and is one of many top-level DNS
servers. This particular one is run by VeriSign Global Registry Services, and
is probably in Dulles, VA, USA.
The top level DNS servers are THE authoritative servers that get queried by DNS
clients. Usually, your DNS requests are forwarded up the tree from you to your
ISP, and so on until they reach either an answer, or the top level servers. If
the top level server doesn't know the answer, or who is likely to have the
answer, then whatever you are looking for does not exist, period.

Unless you have particularly good reasons to direct DNS queries to a tld server,
it is best not to, because such activities, if done by everyone, will rapidly
grind the entire net to a halt. And relying on just 'a.gtld-servers.net' to be
up 24/7 is counter-productive. There are many of them so that they can come up
and go down independently.

> (5) Sadly I can't find out anything for 194.54.112.30/FLUETANO.


Why would you want to? It's probably just a nameserver for some domain hosted
by "Bergen Nett og Media AS", in Bergen, Norway.

DNS is a complicated subject. If you don't understand it, it's best to just use
the DNS server addresses supplied to you by your ISP. If you must use a local
caching nameserver (and if you have multiple machines that are active most of
the time using some form of NAT or internet connection sharing, this is actually
a good thing, similarly if your ISP's DNS servers are goofy or slow), they
should 'play nice' and use your ISP DNS servers.

So the question is, Why did you download Treewalk DNS? Are NTL's DNS servers
completely zarked? (Stupid question, they belong to NTL..) You should probably
be using 194.168.4.100 and 194.168.8.100 from an NTL cable connection.
 

Colin Wilson
12-09-2005, 08:53 PM
> So the question is, Why did you download Treewalk DNS? Are NTL's DNS servers
> completely zarked? (Stupid question, they belong to NTL..)


I've heard it mentioned previously (on here as well I think!) that it
can help work around NTL's DNS servers being sh*te...

--
Please add the word "newsgroup" in the subject line of personal emails
**** My email address includes "ngspamtrap" and "@btinternet.com" ****
 

Spack
12-12-2005, 08:54 AM
Alix wrote on Fri, 09 Dec 2005 10:16:15 GMT:

> BACKGROUND
>
> I am on NTL with no other PCs or printers attached. I use
> FILSECLAB's personal firewall.
>
> I downloaded and installed "TreeWalk DNS" a week ago on my XP Pro
> system. As I am in Europe I also installed the "ORSC Slave-Root"
> package. I have to say I am not particularly familiar with the
> technical details of DNS lookups.
>
> OBSERVATIONS
>
> Today I booted up. Before I manually launched anything I saw the
> following entries shown below in my firewall monitor.
>
> These entries have worried me because for the last week my PC has
> been hesitating for several seconds before connecting to servers such
> as (http://www.google.com or an NNTP news servrer) for the first
> time. Subsequent connections seems as fast as usual.


[snipped the rest]

You've installed a DNS server, and you're seeing the effects of having done
so. NAMED (the DNS process) running at boot is completely normal, as it's
installed as a service (that might give you a clue where to look to disable
it if you want). It's connecting to multiple IPs on port 53 to do DNS
lookups in response to what you're doing on your PC - web browsing, news
reading, etc. DNS lookups are a bit slower because you're resolving direct
to the root servers yourself, rather than letting a dedicated DNS server do
it which might have already cached the information you need for popular
sites. Those hosts you're seeing with port 53 open are due to them being
authoritative DNS servers for domains you are trying to connect to,
including a couple of Top Level Domain servers.

I'd advise you to remove Treewalk. I'd also advise not running your own DNS
server unless you know what you're doing. I've been running DNS servers here
at work for 11 years, and I'd never bother installing one on my home PC.

Dan
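
To make the two replies above concrete, here is a small model of what a locally installed iterative resolver such as the one described in this thread does, written as an added example for this page (it is not Treewalk's, BIND's or any poster's code). All zone data, the `*.example` server names and the 192.0.2.x addresses are constructed; the only real value is the www.bbc.co.uk address quoted earlier in the thread. Each call to `ask()` stands in for one query to port 53 that a firewall monitor would log, so the query log shows why root and TLD servers appear on the first lookup, why the repeat lookup sends nothing, and why a cached referral lets a later name in the same zone go straight to its authoritative server.

```python
"""Toy model of iterative DNS resolution with a local cache (constructed data)."""
from typing import Dict, List, Optional, Tuple

TTL = 300  # constructed: seconds a cached answer or referral stays valid

ROOT_SERVERS = ["root.example"]  # stand-in for the root hints file

# server -> {owner name -> ("A", address) or ("NS", [servers for that zone])}
ZONES: Dict[str, Dict[str, Tuple[str, object]]] = {
    "root.example": {
        "uk.": ("NS", ["uk-tld.example"]),
        "com.": ("NS", ["com-tld.example"]),
    },
    "uk-tld.example": {"bbc.co.uk.": ("NS", ["ns.bbc.example"])},
    "com-tld.example": {"google.com.": ("NS", ["ns.google.example"])},
    "ns.bbc.example": {
        "www.bbc.co.uk.": ("A", "212.58.224.125"),  # address quoted in the thread
        "news.bbc.co.uk.": ("A", "192.0.2.20"),     # constructed
    },
    "ns.google.example": {"www.google.com.": ("A", "192.0.2.10")},  # constructed
}


def ask(server: str, name: str) -> Tuple[str, object]:
    """One query to one authoritative server (one UDP/53 round trip).

    The server answers only from its own zone data: an address if it has
    one, otherwise a referral to the servers of the longest enclosing zone
    it knows about, otherwise NXDOMAIN.
    """
    zone = ZONES[server]
    if name in zone and zone[name][0] == "A":
        return zone[name]
    best: Optional[Tuple[str, List[str]]] = None
    for owner, (rtype, data) in zone.items():
        if rtype == "NS" and name.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, data)
    if best is not None:
        return ("NS", best)
    return ("NXDOMAIN", None)


class Resolver:
    """Iterative resolver: walks down from the root, caching what it learns."""

    def __init__(self) -> None:
        self.now = 0  # simulated clock in seconds, so TTL expiry can be shown
        self.cache: Dict[Tuple[str, str], Tuple[object, int]] = {}
        self.log: List[Tuple[str, str]] = []  # every (server, name) sent

    def _cached(self, key: Tuple[str, str]) -> object:
        hit = self.cache.get(key)
        return hit[0] if hit is not None and hit[1] > self.now else None

    def resolve(self, name: str) -> Tuple[Optional[str], int]:
        """Return (address or None, number of queries this lookup sent)."""
        sent_before = len(self.log)
        addr = self._cached(("A", name))
        if addr is not None:
            return addr, 0  # answered from cache, nothing leaves the machine
        # Start at the closest cached referral; fall back to the root hints.
        servers: List[str] = ROOT_SERVERS
        labels = name.split(".")
        for i in range(1, len(labels)):
            ns = self._cached(("NS", ".".join(labels[i:])))
            if ns is not None:
                servers = ns
                break
        visited = set()
        while servers[0] not in visited:  # guard against a referral loop
            server = servers[0]
            visited.add(server)
            self.log.append((server, name))
            rtype, data = ask(server, name)
            if rtype == "A":
                self.cache[("A", name)] = (data, self.now + TTL)
                return data, len(self.log) - sent_before
            if rtype == "NS":
                zone, servers = data
                self.cache[("NS", zone)] = (servers, self.now + TTL)
                continue
            break  # NXDOMAIN: the zone's own server does not know the name
        return None, len(self.log) - sent_before

    def servers_contacted(self) -> List[str]:
        """Distinct servers that sent traffic: what a firewall monitor lists."""
        return sorted({server for server, _ in self.log})


if __name__ == "__main__":
    r = Resolver()
    for n in ["www.bbc.co.uk.", "www.bbc.co.uk.", "news.bbc.co.uk.", "www.google.com."]:
        print(n, r.resolve(n))
    print("servers seen on port 53:", r.servers_contacted())
```

Run as-is, the first lookup of www.bbc.co.uk. costs three queries (root, the uk TLD server, the bbc.co.uk server), the repeat lookup costs none, and news.bbc.co.uk. costs one because the referral for bbc.co.uk. is still cached; bumping `r.now` past `TTL` makes the full walk happen again. A forwarding resolver configured to use the ISP's two addresses, as suggested in the thread, would instead send one query per lookup to one of those two hosts and never contact the root or TLD servers itself.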


 

Alix
12-16-2005, 01:30 AM
On Mon 12 Dec 2005 09:54:37, Spack <(E-Mail Removed)>
wrote:

> [snipped the rest]
>
> You've installed a DNS server, and you're seeing the effects of
> having done so. NAMED (the DNS process) running at boot is
> completely normal, as it's installed as a service (that might
> give you a clue where to look to disable it if you want). It's
> connecting to multiple IPs on port 53 to do DNS lookups in
> response to what you're doing on your PC - web browsing, news
> reading, etc. DNS lookups are a bit slower because you're
> resolving direct to the root servers yourself, rather than
> letting a dedicated DNS server do it which might have already
> cached the information you need for popular sites. Those hosts
> you're seeing with port 53 open are due to them being
> authoritative DNS servers for domains you are trying to connect
> to, including a couple of Top Level Domain servers.
>
> I'd advise you to remove Treewalk. I'd also advise not running
> your own DNS server unless you know what you're doing. I've been
> running DNS servers here at work for 11 years, and I'd never
> bother installing one on my home PC.


Thanks for the info mate.
 