PN DNS accesses blocked by ZoneAlarm

Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

PN DNS accesses blocked by ZoneAlarm

Since I changed from using a USB modem to a modem/router with a NAT firewall, my ZA sw firewall hardly ever logs anything ... however this pm it blocked these incoming from PN DNS servers :
Quote
212.159.6.9:53, 192.168.1.10:4602,
212.159.6.9:53, 192.168.1.10:4614,
212.159.6.10:53, 192.168.1.10:4622

The entries for these from the router's firewall log look no different from any others, so it seems a bit "random" ...
Anyone got any ideas or come across this sort of thing before?
4 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

PN DNS accesses blocked by ZoneAlarm

They are just late responses to DNS lookups your system has sent out.

- PC sends out a DNS request via UDP
- Firewall passes it through to PN DNS servers
- DNS reply is delayed
- Firewall has an internal timer which goes off and closes the connection session (it's a bit more complex but basically that is what it does)
- PN DNS server sends back a late reply (or the reply got delayed between PN and you)
- As the firewall has closed the connection it thinks this is a scan/probe/unsolicited packet which it blocks and reports in the log.

This is nothing to worry about. If you want the logging stopped, just add the 4 PN DNS servers to your trusted zone (212.159.13.49, 13.50, 6.9, 6.10)
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

PN DNS accesses blocked by ZoneAlarm

Thanks Peter, that's really clear. I didn't think it was of concern but didn't know enough to know why.
Quote
Firewall has an internal timer which goes off and closes the connection session (it's a bit more complex but basically that is what it does)

I'd be quite interested to know more about the complexity ... I'm guessing that ZA maintains some sort of table in which it logs outgoing packet ids/timestamps, and does a compare on incoming? And the router has a more sophisticated way of ascertaining what it's OK to allow thru than ZA does?
(If this is too complicated to respond here can you point me at a resource where I can find out?)
Community Veteran
Posts: 14,469
Registered: 30-07-2007

PN DNS accesses blocked by ZoneAlarm

You have pretty much understood what happens but here is a bit more detail..

First you need to understand the two types of connection generally used: TCP & UDP.

TCP is classed as a connection orientated protocol. Before any data can be sent, a connection is opened with the destination IP address and remains open until either end closes it. All data is then sent and confirmed by the other end as being received. ZA knows this so will keep the connection open for however long is necessary - in other words, ZA does not control the connection.

UDP is classed as a connectionless protocol. The UDP packet (the DNS lookup in your case) is sent to the destination as an unsolicited data packet without first establishing a connection to it like TCP does. The PN DNS servers are listening for UDP packets on port 53, so when they see one they read it and act on it. As such there is no open connection on which the reply can be received, as the reply is also sent as an unsolicited UDP packet. However, the reply UDP packet contains information that links it with the original DNS request, so when ZA receives it, it knows it is a reply to a UDP packet and allows it through.

Now, one of the things ZA was bought/downloaded for is to act as a firewall, which means blocking packets / port scans etc. on connections that did not originate from your PC. With TCP connections this is fine because a connection is established first and remains open, so any data packets from either direction are allowed through. BUT, because UDP packets don't first establish a connection, by their very nature ZA would always block the DNS reply UDP packet, because ZA will think it is unsolicited and thus should be blocked. To get around this situation, ZA remembers details about the outgoing DNS UDP packet and sets a timer within which any reply UDP packets that have similar identifiable details to the outgoing one will be allowed through. Thus a DNS request will normally get the reply sent from PN unless it is very late and arrives after the internal timer has expired.

I hope you understood that, which is still a simplistic explanation of what is actually going on 'under the hood'.
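The behaviour described in both of Peter's replies (the firewall remembering an outgoing UDP query, accepting a reply only within a timer window, and logging anything else as unsolicited, with the trusted zone as the way to silence the log) modelled as an added example. This is not ZoneAlarm's code; the 30 s window is an assumption, and the addresses are the ones quoted in the thread.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described above: a host firewall keeps
# a table of outgoing UDP DNS queries and accepts only replies that arrive
# before a timer expires. The 30 s window is assumed, not ZoneAlarm's value.
UDP_REPLY_WINDOW = 30.0  # seconds a reply may be accepted after the query

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # seconds since the start of the simulation

class UdpTracker:
    def __init__(self, window=UDP_REPLY_WINDOW, trusted=()):
        self.window = window
        self.trusted = set(trusted)  # "trusted zone" hosts are never logged
        self.pending = {}  # (local ip, local port, remote ip, remote port) -> send time
        self.log = []      # entries the firewall would log as blocked

    def outbound(self, pkt):
        # Remember the query so the mirror-image reply can be recognised.
        self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts

    def inbound(self, pkt):
        if pkt.src in self.trusted:
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # mirror of the query
        sent = self.pending.pop(key, None)
        if sent is not None and pkt.ts - sent <= self.window:
            return True
        # No matching query, or the timer already expired: treated as unsolicited.
        self.log.append(f"{pkt.src}:{pkt.sport}, {pkt.dst}:{pkt.dport}")
        return False

def simulate(trusted=()):
    """Two lookups from 192.168.1.10 to the PN resolver 212.159.6.9."""
    fw = UdpTracker(trusted=trusted)
    fw.outbound(Packet("192.168.1.10", 4602, "212.159.6.9", 53, 0.0))
    prompt = fw.inbound(Packet("212.159.6.9", 53, "192.168.1.10", 4602, 0.2))
    fw.outbound(Packet("192.168.1.10", 4614, "212.159.6.9", 53, 10.0))
    late = fw.inbound(Packet("212.159.6.9", 53, "192.168.1.10", 4614, 55.0))
    return prompt, late, fw.log
```

Running `simulate()` shows the prompt reply accepted and the 45-second-late reply logged in the same "remote:53, local:port" form as the entries quoted in the first post; passing `trusted={"212.159.6.9"}` removes the log entry, which is what adding the PN servers to the trusted zone achieves.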
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

PN DNS accesses blocked by ZoneAlarm

No, again that's clear and helpful, so thanks.
Once upon a time I did computers for a living (But that was in another country: And besides, the protocol (X.400) is dead), so I can handle a bit of complexity, though I have forgotten just about all of what I once knew about low-level stuff ...