What is the purpose of 127.0.0.1 as DNS server?

I am on XP and attach via cable.

In my network connection icon, I used to have the two DNS server address
es as xxx.yyy.4.100 and xxx.yyy.8.100.

Since then some application has set the first of those DNS entries to
127.0.0.1.

What is the prupose of this?

Should I change it back to the original value?

In comp.protocols.tcp-ip Mister C <(E-Mail Removed)> wrote:
> Since then some application has set the first of those DNS entries to
> 127.0.0.1.

> What is the prupose of this?

Typically, when one sees "127.0.0.1" in the list of DNS servers it
suggests that one is running a local, caching-only name server.

Again typically, a local, caching-only name server is intended to
"speed-up" repeated, duplicate queries.

In the case of running a caching-only name server, this "speed-up" is
likely only in the sense of wall-clock time and may not be in the
sense of overall capacity as it likely the sum of the cycles to send
to the local name server and its cycles to lookup the RR is greater
than simply sending the queries to a set of remote nameservers.
Assuming of course one can generate sufficient parallelism and if one
ignores the load on the remote nameservers

> Should I change it back to the original value?

Does the application which set the first to 127.0.0.1 also cause a
local name server to run and does said application make lots of DNS
queries?

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

In article <oo5fg.1264$(E-Mail Removed)>,
Rick Jones <(E-Mail Removed)> wrote:

> In comp.protocols.tcp-ip Mister C <(E-Mail Removed)> wrote:
> > Since then some application has set the first of those DNS entries to
> > 127.0.0.1.
>
> > What is the prupose of this?
>
> Typically, when one sees "127.0.0.1" in the list of DNS servers it
> suggests that one is running a local, caching-only name server.
>
> Again typically, a local, caching-only name server is intended to
> "speed-up" repeated, duplicate queries.
>
> In the case of running a caching-only name server, this "speed-up" is
> likely only in the sense of wall-clock time and may not be in the
> sense of overall capacity as it likely the sum of the cycles to send
> to the local name server and its cycles to lookup the RR is greater
> than simply sending the queries to a set of remote nameservers.
> Assuming of course one can generate sufficient parallelism and if one
> ignores the load on the remote nameservers
>
> > Should I change it back to the original value?
>
> Does the application which set the first to 127.0.0.1 also cause a
> local name server to run and does said application make lots of DNS
> queries?

I'll bet it's some kind of ad-blocker. A common way to perform this is
by intercepting DNS lookups for the advertiser site name.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

On 31 May 2006, Barry Margolin<(E-Mail Removed)> wrote:

>
> In article <oo5fg.1264$(E-Mail Removed)>,
> Rick Jones <(E-Mail Removed)> wrote:
>
>> In comp.protocols.tcp-ip Mister C <(E-Mail Removed)> wrote:
>> > Since then some application has set the first of those DNS
>> > entries to 127.0.0.1.
>>
>> > What is the prupose of this?
>>
>> Typically, when one sees "127.0.0.1" in the list of DNS servers it
>> suggests that one is running a local, caching-only name server.
>>
>> Again typically, a local, caching-only name server is intended to
>> "speed-up" repeated, duplicate queries.
>>
>> In the case of running a caching-only name server, this "speed-up"
>> is likely only in the sense of wall-clock time and may not be in
>> the sense of overall capacity as it likely the sum of the cycles
>> to send to the local name server and its cycles to lookup the RR
>> is greater than simply sending the queries to a set of remote
>> nameservers. Assuming of course one can generate sufficient
>> parallelism and if one ignores the load on the remote nameservers
>>
>>
>> > Should I change it back to the original value?
>>
>> Does the application which set the first to 127.0.0.1 also cause a
>> local name server to run and does said application make lots of
>> DNS queries?
>
> I'll bet it's some kind of ad-blocker. A common way to perform
> this is by intercepting DNS lookups for the advertiser site name.


I used to run the DNS server, Treewalk. I took it out although it was a
bit messy to uninstall it. Maybe there are some remnants I should
remove by hand?

I also run Avast antivirus and Sygate firewall.
I get the following output on a netstat.
Seems like a lot of strange stuff there.
Are those 0.0.0.0 entries a possible source of worry?
Is the 127.0.0.1 as expected?

-----------------

C:\Documents and Settings\MisterC>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13 0.0.0.0:0 LISTENING
TCP 0.0.0.0:17 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 0.0.0.0:7 *:*
UDP 0.0.0.0:9 *:*
UDP 0.0.0.0:13 *:*
UDP 0.0.0.0:17 *:*
UDP 0.0.0.0:19 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:1602 *:*
UDP 0.0.0.0:1604 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:1027 *:*

------------ END

Mister C wrote:
> I also run Avast antivirus and Sygate firewall.
> I get the following output on a netstat.
> Seems like a lot of strange stuff there.
> Are those 0.0.0.0 entries a possible source of worry?

No. It just means that the system is willing to accept connections to those
ports from anywhere. (Note that UDP ports do not 'listen', because UDP is a
connectionless protocol)

Port 7 is echo; anything sent to the port is sent straight back. Not usually open.
Port 9 is discard; anything sent to port 9 is dropped, used mainly for
debugging network services, or as a firewall port redirection target to keep the
hackers busy talking to a wall. Not usually open.
Port 13 is daytime; Connecting to the port should return an ascii date and
time. Usually opened by NTP servers.
Port 17 is qotd (Quote of the day). Seems unusual to be listening on that.
Port 19 is chargen. Connecting to that port generates heaps of ascii data, used
mainly for debugging network services
Port 445 is microsoft-ds; This is related to file and printer sharing.
Port 500 is isakmp (Internet Key Exchange (UDP only)). Usually opened by
LSASS.EXE (Presumably this is normal)
The remaining high numbered ports are likely to be ports created by some
application or other and could be incoming or outgoing connections.

> Is the 127.0.0.1 as expected?

If you have 127.0.0.1 in your DNS server settings, it is probably something like
explorer trying to resolve a name. As there is nothing listening on port 53
there is nothing on the end of that port.

http://www.sysinternals.com/Utilities/TcpView.html is a tool that will identify
(on NT/2K/XP) the process associated with a port.

Quite why you have ports 7,9,13,17,19 open, I don't know. These are usually
associated with various BSD-derived versions of inetd, which does not typically
run on a windows system. What process has them open (follow the link above)

It is possible that these ports have been opened by your security software as a
decoy or trap of some kind. What does TcpView show?

"Mister C" <(E-Mail Removed)> wrote in message
news:Xns97D43AA317A501A4D@127.0.0.1...
>I am on XP and attach via cable.
>
> In my network connection icon, I used to have the two DNS server address
> es as xxx.yyy.4.100 and xxx.yyy.8.100.
>
> Since then some application has set the first of those DNS entries to
> 127.0.0.1.
>
> What is the prupose of this?
>
> Should I change it back to the original value?
>

just set it to auto ?
unless your provider is crap, it should be fine

"Mister C" <(E-Mail Removed)> wrote in message
news:Xns97D43AA317A501A4D@127.0.0.1...
>I am on XP and attach via cable.
>
> In my network connection icon, I used to have the two DNS server address
> es as xxx.yyy.4.100 and xxx.yyy.8.100.
>
> Since then some application has set the first of those DNS entries to
> 127.0.0.1.
>
> What is the prupose of this?
>
> Should I change it back to the original value?
>

127.0.0.1 refers to your local machine AKA Localhost, sometimes due
antivirus scanners, mailwasher, Internet server type applications....

On 31 May 2006, Jim Howes<(E-Mail Removed)>
wrote:

> If you have 127.0.0.1 in your DNS server settings, it is probably
> something like explorer trying to resolve a name. As there is
> nothing listening on port 53 there is nothing on the end of that
> port.
>
> http://www.sysinternals.com/Utilities/TcpView.html is a tool that
> will identify (on NT/2K/XP) the process associated with a port.
>
> Quite why you have ports 7,9,13,17,19 open, I don't know. These
> are usually associated with various BSD-derived versions of inetd,
> which does not typically run on a windows system. What process has
> them open (follow the link above)
>
> It is possible that these ports have been opened by your security
> software as a decoy or trap of some kind. What does TcpView show?

Thank you for a very useful commentary on the ports I showed in my
posting.

TcpView shows that C:\WINDOWS\System32\tcpsvcs.exe is assigned to these
ports. It has a UDP and a TCP line for each of the ports 7,9,13,17,19.

BTW I notice I have got Network Monitor Driver in my broadband
connectoid icon in the "Network" folder. I don't know if this is
relevant.

I found this with Google
http://www.wilderssecurity.com/showthread.php?t=116568

http://process.networktechs.com/tcpsvcs.exe.php says
"tcpsvcs.exe is an essential service for Windows systems using the
TCP/IP protocol"

But the posts at this place found that it can burn cpu on bootup and I
found this too although it seemed to stop a fert a feww reboots.
http://www.neuber.com/taskmanager/pr...psvcs.exe.html