Author Topic: Avast connecting to port 53  (Read 508 times)

Offline slay3r_9903

  • Newbie
  • *
  • Posts: 1
Avast connecting to port 53
« on: February 11, 2020, 03:43:59 AM »
For some time, I had a computer connecting to the following IPs:
5.45.62.92
181.41.213.131
179.61.195.50
69.64.57.69
and my IPS system has been flagging them as non-compliant DNS traffic. The IPs are located in Chile, Brazil, and the Czech Republic.

Can some light please be shed on the purpose of this? For the time being, I blocked any and all traffic to and from these IPs.

Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set. From: X.X.X.X:50525, to: 5.45.62.92:53, protocol: UDP   8:18 pm   02/10/2020   
Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set. From: X.X.X.X:50523, to: 181.41.213.131:53, protocol: UDP   8:18 pm   02/10/2020   
Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set. From: X.X.X.X:50520, to: 179.61.195.50:53, protocol: UDP   8:18 pm   02/10/2020   
Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set. From: X.X.X.X:53725, to: 69.64.57.69:53, protocol: UDP   8:17 pm   02/10/2020   
Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set. From: X.X.X.X:53725, to: 69.64.57.69:53, protocol: UDP   8:17 pm   02/10/2020   

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2775
  • Volunteer
Re: Avast connecting to port 53
« Reply #1 on: February 11, 2020, 03:23:16 PM »
Are you part of the IT Department or an End-User? If the latter, you need to go see your IT Department.
If the former, you should be posting here: https://forum.avast.com/index.php?board=77.0

However, to answer your question, Port 53 is DNS.

XFE Report (5.45.62.92): https://exchange.xforce.ibmcloud.com/ip/5.45.62.92 << AVAST
XFE Report (181.41.213.131): https://exchange.xforce.ibmcloud.com/ip/181.41.213.131 << LACNIC
XFE Report (179.61.195.50): https://exchange.xforce.ibmcloud.com/ip/179.61.195.50 << LACNIC
XFE Report (69.64.57.69): https://exchange.xforce.ibmcloud.com/ip/69.64.57.69 << GoDaddy

Any of your logs show connections to *.dedicatedpanel.com?

From the last IP on a Passive DNS Scan: https://exchange.xforce.ibmcloud.com/url/dedicatedpanel.com
LACNIC Information: https://www.lacnic.net/

*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline r@vast

  • Avast team
  • Poster
  • *
  • Posts: 439
Re: Avast connecting to port 53
« Reply #2 on: February 13, 2020, 01:56:35 PM »
Hi,

These are all securedns servers. We do communicate with them over UDP 53; however, the traffic is encrypted, hence it might be flagged as not regular DNS (correctly).
Also explained here: https://forum.avast.com/index.php?topic=184959.msg1305970#msg1305970
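
An added example, not part of the thread or of Avast's or the IPS vendor's code: a minimal header check showing why an opaque (encrypted) payload on UDP 53 fails the two conditions named in the alerts, "Opcode 8 through 15 set" and "Reserved Bit Set". The header layout follows RFC 1035; the function names and both sample payloads are constructed for illustration.

```python
import struct

OPCODE_SHIFT = 11   # bits 14..11 of the 16-bit flags word hold the 4-bit opcode
Z_BIT = 0x0040      # reserved "Z" bit, must be zero in a compliant message


def build_query(name, txid=0x1234):
    """Build a standard recursive A query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def header_anomalies(payload):
    """Return the header checks a UDP/53 payload fails, as a list of strings."""
    if len(payload) < 12:
        return ["shorter than the 12-byte DNS header"]
    _txid, flags = struct.unpack("!HH", payload[:4])
    found = []
    if (flags >> OPCODE_SHIFT) & 0xF >= 8:
        found.append("opcode 8 through 15 set")
    if flags & Z_BIT:
        found.append("reserved bit set")
    return found


def fraction_of_flag_words_flagged():
    """Share of all 65536 possible flag words that fail at least one check."""
    hits = sum(
        1 for flags in range(0x10000)
        if header_anomalies(struct.pack("!HH", 0, flags) + bytes(8))
    )
    return hits / 0x10000


PLAIN = build_query("example.com")
# Constructed stand-in for ciphertext: fixed bytes with no DNS structure.
OPAQUE = bytes.fromhex("9f3cc7e15a02b8d44e7710c9a6f3")

if __name__ == "__main__":
    print("plain :", header_anomalies(PLAIN))
    print("opaque:", header_anomalies(OPAQUE))
    print("share of flag words flagged:", fraction_of_flag_words_flagged())
```

If the bytes in the flags position are effectively random, three out of four packets fail at least one of the two checks, so a host sending encrypted traffic to port 53 produces these alerts almost immediately.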