
DNS Spoof

N/A

DNS Spoof

Hi
My firewall logs:

Quote
Date: 04/02 17:23:31 Name: DNS SPOOF query response with ttl: 1 min. and no authority
Priority: 2 Type: Potentially Bad Traffic
IP info: 212.159.13.49:53 -> 212.159.xxx.xxx:32770
References: none found


I have so many of these attacks every day. The only way to get rid of these DNS spoofs is by changing the DNS server to another ISP's DNS. I don't have any problem yet with my connection because I have a fairly secure firewall running, blocking and logging those attacks, but I know there are a lot of people out there who are on Plusnet broadband connected without using any firewall at all.
The question is, why do these attacks only occur with Plusnet DNS IPs and not with other ISPs' DNS servers? Does Plusnet implement any security measures at their end?
Does anyone have any idea?

cheers
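The alert quoted in this post names two properties of the DNS response: a TTL of 1 minute and no authority records. The following is an added example, not part of the thread or of the firewall's own code, that parses a DNS response and tests for exactly those two properties as the alert name states them; the function names and the sample packets are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def inspect_response(msg):
    """Extract the header counts and the TTL of every answer record."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):             # question: name + type + class
        off = skip_name(msg, off) + 4
    ttls = []
    for _ in range(an):             # answer: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        _type, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"is_response": bool(flags & 0x8000),
            "authority_records": ns,
            "ttls": ttls}

def matches_alert_name(info):
    """True for a response with a 60 s answer TTL and an empty authority section."""
    return (info["is_response"]
            and info["authority_records"] == 0
            and 60 in info["ttls"])

def build_sample(ttl, with_ns=False):
    """Constructed A-record response for example.com (flags 0x8180: recursive answer)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 1 if with_ns else 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 10])
    ns = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
    return header + question + answer + (ns if with_ns else b"")

if __name__ == "__main__":
    for pkt in (build_sample(60), build_sample(3600), build_sample(60, with_ns=True)):
        info = inspect_response(pkt)
        print(info, "-> matches alert name:", matches_alert_name(info))
```

The first constructed packet is an ordinary recursive-resolver answer for a record published with a 60-second TTL, and it satisfies both properties, so a match on them alone is a prompt to inspect the packet rather than proof of forgery.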
9 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DNS Spoof

Hi Safie,

First this is not a spoof or an attack and your system is also not being scanned or any attempt to 'break in' to it.

The problem is caused by the DNS server 212.159.13.49 which has been having problems over the past 2 or 3 days with slow or no response to lookup requests. What is happening is your system is sending a DNS lookup request to .49 but because the DNS server takes a long time to reply sometimes, the firewall thinks the original connection has lapsed (timed out because the reply was not quick enough) and has already closed the connection. So when .49 does finally reply several seconds later the firewall thinks it's an incoming attack when in fact it's just a late delivered reply to the original DNS request your system sent out.

Some work has been done to correct the problems on .49 but there still appears to be times when it slows down and it's during this period that you may get these messages.

One solution is to manually set the PlusNet DNS server IPs so 212.159.13.50 is the primary DNS server and .49 is the secondary because .50 has never had a problem recently. This can either be done in your external router or within Windows itself.

Cheers

Peter Cool
N/A

DNS Spoof

Hi Peter
Thanks for the reply. OK, now I have manually changed the primary DNS server IP as you suggested but I still got these DNS SPOOF alerts; it's on the .50 IP now :?

Quote
Date: 04/02 18:03:41 Name: DNS SPOOF query response with ttl: 1 min. and no authority
Priority: 2 Type: Potentially Bad Traffic
IP info: 212.159.13.50:53 -> 212.159.xxx.xxx:32770
References: none found


So, is there a problem on both of Plusnet's DNS servers? I have been getting these for the last few weeks, not just the last couple of days. I had changed to Pipex DNS servers and the problem went away. When I change back to Plusnet DNS servers the problem appears. When will Plusnet sort out their DNS servers?

cheers
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DNS Spoof

What firewall software are you running - i.e. what is producing these errors, or is this from your router logs?

You could try adding the 2 DNS IP addresses to your allowed or trusted zone in your firewall config, which may stop the messages occurring, but you should not be getting many, if any at all, from .50, which suggests there may be a conflict or setup issue somewhere.

As far as I know the 2 DNS servers are working fine and responding well to lookups.
N/A

DNS Spoof

I am running Smoothwall Express firewall. I have now changed the DNS server to another Plusnet DNS server (primary 212.159.11.150, secondary 212.159.13.150).

The problem now seems to have gone, but the web pages don't seem to load any faster than before.

cheers
N/A

DNS Spoof

Just a thought, are you on DSL or dial-up?
The DNS IPs giving you the error are supposed to be for DSL, while those not giving problems are for dial-up.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DNS Spoof

I would have expected the correct ones to be allocated whichever method is used to connect to the net. Or maybe the firewall has them configured manually and the wrong ones are being used if it's dial-up.
N/A

DNS Spoof

I am on 512k ADSL. As far as I know there is no problem with the firewall configuration. Like I said earlier, if I enter another ISP's DNS manually it gives me no DNS spoof alert; it only happens with Plusnet DNS. Saying that, I would prefer to use Plusnet DNS since it is my internet service provider.

If I configure the firewall to obtain DNS automatically, it will pick up .49 and .50 as primary and secondary respectively. If I configure it to obtain DNS manually then I can put in any DNS servers I choose.

cheers
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DNS Spoof

This could be indicating .49 & .50 may still have a problem but what it is I have no idea. The logs are delays in receiving the DNS query reply (at least that is what I am assuming) yet they are responding in <0.02 seconds for me.

Not sure what PlusNet can do as you are using a non-standard (to the majority of us) firewall system.
N/A

DNS Spoof

Looks like I have to stop using .49 and .50 for a while until Plusnet get it sorted (if ever). I heard this DNS issue has been a problem with Plusnet for quite a while now.

As for the firewall, I used to use ZoneAlarm Pro but in my opinion Smoothwall is more robust and secure. It is built on an old Pentium machine running a Linux-based firewall which acts as a router and firewall for my little home network.

Thanks for help