port 53 I have an issue let me explain


  1. Posts : 472
    Windows 10 Pro x64
       #1



    Hi. I have disabled the DNS service; I put in the DNS server and IP address manually in my Ethernet network settings (I'm on the latest Windows 10 x64 Pro).
    And I see that a lot of software on my PC tries to connect to port 53, some UDP, some TCP. If I block it they won't connect to the internet, BUT some software will! For example, Steam works fine even if I disable port 53, which it wants to connect to. SmartScreen wants to, Malwarebytes wants to, and my Brave browser.

    If I disable 53 for the Brave browser I can't use Brave; it goes offline even though I have 443 enabled for it. As soon as I enable port 53 for it, it works again. I read this can be some kind of attack, or something someone could use to their advantage. My scans come up clean, but this is something else. It can be used to bypass the firewall, I read.

    "mcglvr says:
    Port 53 is also used by people to bypass firewalls. Since this port may be open by default, a program like Fpipe port redirector can use it to communicate with the internet by creating a TCP stream on 53."

    Here are some pictures I took:
    [screenshots: port-53.png, tcp-53-port-protocol-information-warning.png]


  2. Posts : 2,800
    Windows 7 Pro
       #2

    Hi,

    What kind of router do you have? Make and model.

    Restricting DNS operation has to be done at the Gateway level.

    Depending on the class of router you have, you may or may not have the facility to force your network to use the DNS you want.

    If you have a router that is able to create advanced rules, this is an example of complete DNS segregation:

    Create an IP list that includes your whole network except your local DNS server (most of the time the router).
    Block input TCP/UDP 53 on the gateway interface.
    Block forward TCP/UDP 53 on the local interface for the list created.

    Then configure the DNS you want in your router and use your router's IP as the DNS server.

    If you succeed, testing with GRC's DNS Nameserver Performance Benchmark will reveal whether you are correctly blocking public DNS communications. I used two different networks; one is restricting DNS, the other not.

    DNS restricted to local server:
    [screenshot: screenshot00110.jpg]

    [screenshot: screenshot00111.jpg]
    Note that everything is working with no problems,
    just that all devices cannot reach any DNS server except mine.

    DNS not restricted:
    [screenshot: screenshot00109.jpg]


  3. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #3

    Thanks for the reply, how do I do this? I'm in my router settings, custom firewall settings.
    [screenshots: dns.png, wifi-hub.png]


  4. Posts : 2,800
    Windows 7 Pro
       #4

    Not sure, it depends on the capacity of the router; you have to check your manual to see how the router handles IP masks and ranges.

    But local IP should be everyone on your local network except the router, destination should be all IPs, and action should be drop/block from local.

    Then you need to use your router as the DNS server and may have to create a rule to authorize communication with your public servers.

    What is the model of that router? Unfortunately your little screenshot doesn't provide adequate info.


  5. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #5

    Sagemcom WiFi Hub L2
    model F@st 5359 CHWU

    - - - Updated - - -

    By the way, what do you think of those connections from that software connecting to 53, and if I deny it they won't connect? Why is that?

    - - - Updated - - -

    I found this, but I don't really understand it fully. What is your comment on it?
    [screenshot: solved-how-close-port-53-cisco-community.png]

    - - - Updated - - -

    Is it normal for software on a PC to try connecting to 53 over and over when it's blocked? Why is it even using 53? Is that a sign something's wrong?

    - - - Updated - - -

    And as I said, Malwarebytes or any other antivirus doesn't find anything. I have 53 blocked for incoming though; is that enough?


  6. Posts : 2,800
    Windows 7 Pro
       #6

    Well, if the remote address your DNS queries connect to is the DNS server you are using... it's perfectly fine.

    Malware would try to connect to unknown DNS servers... And if you were unknowingly participating in a DNS DoS, your logs would show it... and your web performance too.

    From the screenshot you gave, your machine is not spitting DNS outside your network. But if your internet provider is warning you that it is the case, you need to find which device is actively spamming DNS servers.

    A normal Windows domain controller connects to thousands of DNS servers and can also have thousands of open DNS connections simultaneously; at some point we cut that back greatly by modifying Windows DNS server parameters.

    You may want to analyze the content of these packets if you find that there is indeed some kind of flooding occurring.

    But doing DNS segregation like I mentioned gives the absolute certitude that not a single packet could leave your network without being a legitimate one directed to the servers you want,

    thus blocking any communications to any other IPs that could be hidden under the DNS protocol.
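    The three gateway rules MaloK lists in post #2, together with the "is the remote address your own DNS server?" check from post #6, written out as a small policy model. This is an added example, not code from the thread or from any router's firmware; the 192.168.1.0/24 network, the router address 192.168.1.1, the upstream resolvers and every sample flow are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the model (assumptions, not from the thread):
LAN = ip_network("192.168.1.0/24")                          # the whole local network
ROUTER = ip_address("192.168.1.1")                          # gateway, acting as the only local DNS server
UPSTREAM = {ip_address("1.1.1.1"), ip_address("9.9.9.9")}   # resolvers configured in the router itself

@dataclass(frozen=True)
class Flow:
    iface: str   # "lan" = arrived on the local interface, "wan" = on the gateway interface, "local" = sent by the router
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

def dns_policy(flow: Flow) -> str:
    """Decide 'accept' or 'drop' for one flow under the three gateway rules."""
    if flow.dport != 53 or flow.proto not in ("tcp", "udp"):
        return "accept"                       # only DNS traffic is restricted here
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.iface == "wan":                   # rule: block input TCP/UDP 53 on the gateway interface
        return "drop"
    if flow.iface == "lan" and src in LAN and src != ROUTER:
        # rule: block forwarded TCP/UDP 53 for the list (everyone but the local DNS server);
        # a LAN host asking the router itself is input, not forward, so that stays allowed
        return "accept" if dst == ROUTER else "drop"
    if flow.iface == "local":                 # the router may only talk to its configured upstreams
        return "accept" if dst in UPSTREAM else "drop"
    return "drop"                             # anything unclassified fails closed

def rogue_resolvers(flows) -> dict:
    """Map each LAN host to the outside DNS servers it tried to reach past the router."""
    seen: dict = {}
    for f in flows:
        if f.iface == "lan" and f.dport == 53 and dns_policy(f) == "drop":
            seen.setdefault(f.src, set()).add(f.dst)
    return {host: sorted(dsts) for host, dsts in sorted(seen.items())}

# Constructed sample flows: a browser resolving via the router, two hosts
# bypassing it, an inbound probe on the WAN side, and ordinary HTTPS.
SAMPLE_FLOWS = [
    Flow("lan", "udp", "192.168.1.20", "192.168.1.1", 53),
    Flow("lan", "udp", "192.168.1.20", "8.8.8.8", 53),
    Flow("lan", "tcp", "192.168.1.35", "8.8.4.4", 53),
    Flow("wan", "udp", "203.0.113.7", "198.51.100.2", 53),
    Flow("lan", "tcp", "192.168.1.20", "203.0.113.10", 443),
    Flow("local", "udp", "192.168.1.1", "1.1.1.1", 53),
]
```

    Running `rogue_resolvers(SAMPLE_FLOWS)` lists the two hosts that tried to go around the router, which is the "find which device" step from post #6; the same function over real gateway logs is the check to run before trusting the rules.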


  7. Posts : 51
    Win10
       #7

    The problem here as I see it is that you are shutting down random ports without a decent understanding of what the port is actually doing. A good place to start would be the TCP IP Guide (free) if you really want to understand what specific protocols do. I have the book, which is somewhat out of date but still covers ~99% of everything out there, and it's my bible for stuff like that.

    Secondly, you need to view your network (as in anything inside your router) as the trusted network and anything outside your router (the internet) as untrusted. It is up to you to ensure that good housekeeping is performed to ensure that malicious programs don't get installed on anything inside the trusted network, so having a series of tested backups in more than one location, a decent AV program, backing that up with a second program if you wish (Malwarebytes in my case), no clicking on unknown email links, downloading pirated programs etc. and just generally being careful is a good place to start.

    More specifically, programs reaching out on port 53 are not a huge concern as I see it if you know that you have taken decent precautions to keep your network clean. Taking Malwarebytes as the example you have quoted, it is highly likely that it is just checking the IP address that it needs to go to so that it can check for updates to the application or new file signatures and nothing more. Other programs will do the same and any internet browser will use it extensively (when you click a new link), so that traffic is to be expected. Also, DNS records are only stored for a period of time and then need to be renewed to ensure they are still valid or if the address has been updated, hence the constant checks.

    Re: the Fpipe redirector, again I don't think you have much to worry about there. That is a common trick if you are exfiltrating data from inside a network, as you can assume that something like HTTP (maybe HTTPS) is going to have a less restrictive outbound policy on the firewall, so you use the HTTP/HTTPS port instead of whatever port your software of choice should use. However, unless you have some seriously interesting stuff that people actually want and can make money from (such as a bank, Gov organisation or hold lots of credit card numbers or other information that can be readily sold) then you are unlikely to feature on anyone's radar here. It is far less effort to just encrypt all your data and then charge you X bitcoins for the key to decrypt it rather than scan your PC for one credit card number or similar. It's simple economics basically.

    As a side note, you could run with DNS over TLS or DNS over HTTPS enabled (see here for further details) if all of the possible programs that are reaching out support it, but YMMV on that front.


  8. Posts : 2,800
    Windows 7 Pro
       #8

    Cloudflare has an excellent little article on DNS.

    [link: Cloudflare article on DNS]


  9. Posts : 472
    Windows 10 Pro x64
    Thread Starter
       #9

    Calm Horizons said:
    The problem here as I see it is that you are shutting down random ports without a decent understanding of what the port is actually doing. A good place to start would be the TCP IP Guide (free) if you really want to understand what specific protocols do. I have the book, which is somewhat out of date but still covers ~99% of everything out there, and it's my bible for stuff like that.

    Secondly, you need to view your network (as in anything inside your router) as the trusted network and anything outside your router (the internet) as untrusted. It is up to you to ensure that good housekeeping is performed to ensure that malicious programs don't get installed on anything inside the trusted network, so having a series of tested backups in more than one location, a decent AV program, backing that up with a second program if you wish (Malwarebytes in my case), no clicking on unknown email links, downloading pirated programs etc. and just generally being careful is a good place to start.

    More specifically, programs reaching out on port 53 are not a huge concern as I see it if you know that you have taken decent precautions to keep your network clean. Taking Malwarebytes as the example you have quoted, it is highly likely that it is just checking the IP address that it needs to go to so that it can check for updates to the application or new file signatures and nothing more. Other programs will do the same and any internet browser will use it extensively (when you click a new link), so that traffic is to be expected. Also, DNS records are only stored for a period of time and then need to be renewed to ensure they are still valid or if the address has been updated, hence the constant checks.

    Re: the Fpipe redirector, again I don't think you have much to worry about there. That is a common trick if you are exfiltrating data from inside a network, as you can assume that something like HTTP (maybe HTTPS) is going to have a less restrictive outbound policy on the firewall, so you use the HTTP/HTTPS port instead of whatever port your software of choice should use. However, unless you have some seriously interesting stuff that people actually want and can make money from (such as a bank, Gov organisation or hold lots of credit card numbers or other information that can be readily sold) then you are unlikely to feature on anyone's radar here. It is far less effort to just encrypt all your data and then charge you X bitcoins for the key to decrypt it rather than scan your PC for one credit card number or similar. It's simple economics basically.

    As a side note, you could run with DNS over TLS or DNS over HTTPS enabled (see here for further details) if all of the possible programs that are reaching out support it, but YMMV on that front.
    Thanks. The programs seem to contact the DNS IP, so it seems all good, and it's all outbound connections. I'm using a hosts file instead of DNS over TLS. What do you think about using a big blocklist in the hosts file?

    - - - Updated - - -

    MaloK said:
    Cloudflare has an excellent little article on DNS.

    [link: Cloudflare article on DNS]
    Thanks

    - - - Updated - - -

    Calm Horizons said:
    "However, unless you have some seriously interesting stuff that people actually want and can make money from (such as a bank, Gov organisation or hold lots of credit card numbers or other information that can be readily sold) then you are unlikely to feature on anyone's radar here. It is far less effort to just encrypt all your data and then charge you X bitcoins for the key to decrypt it rather than scan your PC for one credit card number or similar. It's simple economics basically."

    How about if someone wants to only spy on me, that would be a reason to, wouldn't it? The outbound 53 connections I get on, for example, Zemana are for the update; it fails to contact the update server if I deny 53 for it. So that seems normal.

