
DG834 logging DNS UDP packets


My OS is Win XP, with SP1 & SP2, plus all Win updates. The problem is that, although my primary & secondary DNS servers are recognised by my router as being such (in Basic Settings, Router Status and Diagnostics pages), UDP packets that they send to my router are listed in the log as port scans.

I've tried re-booting (switching it off & from Diagnostics page), and re-setting to factory settings. I upgraded my firmware from v 1.04 to v1.05, again without success. Although it probably doesn't affect things, my DNS Servers are in ZA Pro's Trusted zone. I am pretty sure that the servers are listed in Windows, but I'll have to check that when I get home from work.

Other potential clues about the problem: I have set up services on ports 5190, 5566 (Shields Up tagged them as open) and 40000-40099 (were closed rather than stealthed), so as to stealth them. I switch the router off after every usage. My ADSL firmware version reads as 1.00.09.00 (I thought that when I had 1.04 firmware, the ADSL firmware was 1.01.00).

I'd be grateful for any ideas. Thanks a million
21 REPLIES

DG834 logging DNS UDP packets

The DNS UDP packets are just stray or delayed replies to DNS lookups your systems have sent out and they are nothing to worry about.

What tends to happen is this:

- One of your PCs sends out a DNS request, this creates a connection session through your router to the destination DNS server and it's through this connection session that the router expects the remote DNS server will send its reply.
- No reply is received within a time limit so the request is sent out again. This may either involve a new session connection being created (meaning the old one is closed) or it uses the same session connection.
- A DNS reply is received on a valid connection session so this is passed to the requesting system and the connection session closed on the router.
- Another DNS reply is received (which was the original reply to the first or second DNS request sent out) due to a delay somewhere.
- The router sees this, checks the session connection it arrived on, sees it is no longer open, so it records it in the firewall log as an invalid DNS packet (a port scan).
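
The sequence described in the reply above, as an added example that is not part of the original post and is not NETGEAR's code: a toy session table replays a constructed timeline and shows why the second reply is logged. The class and function names, the 30-second timeout and the documentation-range addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UdpSessionTable:
    """Toy model of the router's outbound UDP session tracking (not NETGEAR code)."""
    idle_timeout: float = 30.0                    # assumed value, seconds
    sessions: dict = field(default_factory=dict)  # (client_port, server_ip) -> last activity

    def outbound(self, now, client_port, server_ip):
        # A query (or a retry on the same source port) opens or refreshes the session.
        self.sessions[(client_port, server_ip)] = now

    def inbound(self, now, server_ip, src_port, dst_port):
        key = (dst_port, server_ip)
        last = self.sessions.get(key)
        if src_port == 53 and last is not None and now - last <= self.idle_timeout:
            del self.sessions[key]                # first reply closes the session
            return "accept"
        return "log"                              # no open session: shows up as a "port scan"

def triage(server_ip, src_port, dns_servers):
    """Separate stray resolver replies from other unsolicited UDP in the logged entries."""
    if server_ip in dns_servers and src_port == 53:
        return "late DNS reply"
    return "unsolicited"

def replay(events, dns_servers):
    table, out = UdpSessionTable(), []
    for now, direction, *rest in events:
        if direction == "out":
            table.outbound(now, *rest)
        else:
            verdict = table.inbound(now, *rest)
            if verdict == "log":
                verdict = "log: " + triage(rest[0], rest[1], dns_servers)
            out.append(verdict)
    return out

# Constructed timeline; addresses are documentation-range placeholders.
RESOLVERS = {"192.0.2.53"}
EVENTS = [
    (0.0, "out", 1035, "192.0.2.53"),        # first DNS query
    (2.0, "out", 1035, "192.0.2.53"),        # retry after no reply, same session
    (2.1, "in", "192.0.2.53", 53, 1035),     # reply arrives: accepted, session closed
    (2.6, "in", "192.0.2.53", 53, 1035),     # delayed duplicate reply: logged
    (9.0, "in", "198.51.100.7", 4000, 5190), # unrelated inbound packet: logged
]

if __name__ == "__main__":
    print(replay(EVENTS, RESOLVERS))
```
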
N/A

DG834 logging DNS UDP packets

There has been a rollback on the DSL firmware with the latest "full firmware" 1.05. This was to overcome a problem with DSL sync on some BT system routers causing connection drops.

DNS UDP packets are as Peter explains.

Still surprised you got open ports on the Shields Up. Mine was all stealthed with default settings as were two others I have set up for people. Do you have UPnP enabled?
Have you tried http://www.auditmypc.com/freescan/scanoptions.asp ?
N/A

DG834 logging DNS UDP packets

Thanks to petervaughan for the succinct explanation. I'll stop fretting now.

Hi, cqg4uzg - nope, I disabled UPNP quite a while back. I only had two ports open after upgrade, and restoring factory settings: 5190 was to do with AOL, & 5566 associated with 'udpplus,' whatever that is (boring bit: I've modified a 'work-around' that I think Peter suggested on these forums to me; instead of forwarding to a black hole IP on my LAN, I'm mimicking the default inbound services rule, & blocking all packets, & the ports are stealthed).

Yep - I knew about 'auditmypc.' It's interesting that you raise that, though - one port scanning site gave me a full pass to indicate that all ports were 'closed,' whereas my random selection of ports 40000-40063 for Shields Up!'s Custom Port Probe gave me the more helpful 'Fail- ports blocked' result.

I'd be interested in the results you and other DG834 users get for ports 40000-40099 on Shields Up's Custom Port Probe, cqg4uzg.
N/A

DG834 logging DNS UDP packets

Well, I'll eat my hat.
It's been a while since I have done a full port scan at GRC, simply because it takes too long to go through all 65535 ports by typing in 64 port sequences.

Anyway, when I did it before back in late 2003, 40000 to 40099 gave a stealthed report, now I get a closed report.

However, it shows I have another problem, a completely unrelated port is now open. Nothing shows on Adaware, Spybot, Trojan Killer & Virusscan. I must put it down to a programme I installed (and then removed) which came infested with things like "bargain buddy" and "supershopper". I thought I had got rid of it all, but obviously not.
A bit of detective work is now required.
N/A

DG834 logging DNS UDP packets

cqg4uzg - do you think that it might be worth setting up a new thread asking if other DG834 users get similar results?

I have to admit that I was intrigued that I had two ports open, putting the AOL one down to my wife possibly inserting her AOL trial CDs (I throw them out, but she always retrieves them!) in the PC when I was out.

I've no idea at all as to what might have opened the 'udpplus' one.
N/A

DG834 logging DNS UDP packets

I'm still investigating, but I am sure others will drop in their comments on open ports. I'm going to see one of those I installed next week to see if that has the same problem.
N/A

DG834 logging DNS UDP packets

Well, here is a good one. I thought the change in port status may be down to the upgrade in firmware to allow it to work with MSN (and other messengers) with sound.
So, I went to downgrade back to firmware 1.03..... fatal, it locked while attempting it and now will not even recover with the recovery utility (does not find unit number and current firmware number). Oh hum. Looks like the firmware is fully clapped.

Currently using an old conexant modem, which shows the offending ports as closed, while the DG834 with firmware 1.05 showed 1864, 5566 and 5190 as open?
N/A

DG834 logging DNS UDP packets

I have the same router and my ports come up as closed as well. Closed doesn't pose any danger but it does mean you're not 100% hidden.

Would adding a rule to block those ports make any difference?
N/A

DG834 logging DNS UDP packets

Well, with firmware 1.05, ports 1864, 5566 and 5190 were showing as OPEN.
There is nothing on the PC opening these ports, especially when UPnP is turned off.
I am sure these were stealthed with 1.03 and 1.04.01 firmware.
Unfortunately, I cannot test this as the router is now completely unresponsive after trying to downgrade to 1.03 to test the theory.
N/A

DG834 logging DNS UDP packets

I've added rules into my firewall for all of the above ports and now have a stealth status on all the ports previously detailed.

Aaron
N/A

DG834 logging DNS UDP packets

Oh and Add Port 4443 which is listed as Open :shock:
N/A

DG834 logging DNS UDP packets

OK, here is the gen on the open/closed/stealthed ports and firmware version

Firmware version 1.03 appears to have all ports stealthed. None I could find were open. 40000 to 40099 were stealthed as were 1864, 4443, 5190 and 5566.

Firmware 1.04.01 is the culprit. Ports 1864, 5190, 5566 are now open. I can only assume this is the work around Netgear have done to allow voice with AOL, Yahoo, MSN messenger and others. Ports 40000 to 40099 are now blocked and not stealthed.

Firmware 1.05 has no difference in port status than 1.04.01. However, I have not done a full scan and Netgear state that 1.05 fixed a Netmeeting voice support issue. This may mean that they have opened another port somewhere that I have not found yet.
This may be 4443, as I did not check this on 1.04.01.

gadgetboy, what firmware are you on?
N/A

DG834 logging DNS UDP packets

cqg4uzg - this may well explain the anomaly that I had after I installed firmware v. 1.04, & which I posted about in these forums. Shields Up! showed me as having ports 1024-1030, 1720 & 5000 blocked, a source of puzzlement to everyone who commented on it.

I'll check my port 1864 now. Glad that progress has been made with this. Well done for getting a response out of Netgear support - I sent them an e-mail 2-3 months ago, and the words 'deafening' and 'silence' magically came together..... :lol:
N/A

DG834 logging DNS UDP packets

Hi,

I'm on the latest version of firmware 1.05.00. I scanned all my ports on the AuditMyPc Site, and found all the ports you mentioned and 4443 as well.

I've since created additional blocking rules and re-tested the ports, I'm happy to say they are all stealthed now.

Aaron