NEED SOME HELP?

All TalkTalk router firmware is idedependently tested by a security company before realease. Although there is the bug in it as I keep saying, there is no reason for you to use anything other than a firewall level of Medium, which does everything it is supposed to do. You have proved its protection via grc.com.

What is the difference between a permanent port forwarding rule & a temporary one, surely you don't need that explaining?

Hi @Billx 

I see that @Michelle-TalkTalk has confirmed exactly what I have been trying to say for some time. The DNS entries are totally down to your devices. However, as I said there is the bug of their severity level being wrongly classified as Error when it should be Info. If this is fixed & a Save to PC button for the system log is added, then I can take things further.

Shields Up

There was no need to open all of the ports on the router's firewall at all. However, it did prove that even with them open, your PC was not detectable from the outside world. Please totally reset the firewall & put the firewall level back to Medium. I don't think you have any need for a level of Custom at all, although, as per my previous paragraph on the DNS entries, I have raised this as a bug because the custom rules have no effect. What is protecting your PC I will deal with further down this post.

DNS Query Sniffer

I have just tried the domain safebrowsing.googleapis.com and it resolves OK to 172.217.169.42. For some reason on your PC, it resolved OK once then there was no answer the next time. This is nothing to worry about.

What is protecting your PC

I have told you this before, but I will go into more detail now. Whether or not you are confused over the router's firewall, you are I would think you do not realise how much protection you have when your PC is connected to the router. Your PC is allocated an IP address from the router (most likely 192.168.1.X). This is a private IP address, unlike your router's WAN IP address which is a public one. It is impossible for anything on the internet to route an IP packet to a private IP address, they can only connect to public ones, like your router's public address. So they cannot connect to your PC even with the router's firewall on Medium.

There are only a few ways for the internet to connect to your PC and you, or malware etc have to allow them in. These are:-

1. Putting your PC in the router's DMZ - this makes your PC very vulnerable.
2. Configuring a Port Forwarding rule to allow certain TCP or UDP ports through from the router to the PC - you would only do this for very specialised circumstances, maybe to allow remote viewing of CCTV etc).
3. UPnP - this is a way that an application (and particularly malware) to create a temporary port forwarding rule. 

Always disable UPnP and WPS they are both very insecure.

Then in the case of your PC, there is one other very big protection - the PC's own firewall in the form of Windows Defender.

Morning,

The team have looked into these errors (in your first post) and advised that this is not an issue. They have advised that the device/applications in the home are trying to connect to domains that no longer exist. The error log is just saying that some device tried to connect to these domains, but these domains weren’t found in TalkTalk’s DNS. We can only assume that these domains did exist at some point previously for some application, but have since been removed.

Thanks

Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences

You are behind a secure firewall, I explained this right at the very start. The only way that something on the internet can access any of your devices is via the router configuration:-

1. port forwarding
2. port triggering
3. UPnP created port forwarding
4. or a device in the DMZ

Unless of course you "invite" them in via virus or malware etc.

Just keep UPnP & WPS disabled, as they do present serious security vulnerabilities.

The difference between domain names & CNAMES, this can get complex, but here goes.

Your PC's browser wants to go to a website, let's call it mywebsite.com. A DNS query is sent to the DNS server asking for the IP address associated with mywebsite.com (assuming that there is no local record for it in your PC's DNS cache). The DNS server will return a DNS Response packet to the PC and in there will be an Answers field. This may contain just one IP address for the domain mywebsite.com, perhaps 141.142.143.144. If the site has multiple IP addresses associated with this doain record (due to load balancing & redundancy etc it might have say three addresses:-

141.142.143.144

141.142.143.145

158.157.156.154

A CNAME record is totally different this is an alias for the domain. The canonical name (CNAME) record is used in lieu of an A record (IPv4 address), when a domain or subdomain is an alias of another domain. This answer specifies the true domain name. The DNS server will then it will trigger another DNS lookup for the CNAME value and return its IP address:-

old.example.com. CNAME new.example.com.

new.example.com. A 192.162.100.101

Suppose blog.example.com has a CNAME record with a value of ‘example.com’ (without the ‘blog’). This means when a DNS server hits the DNS records for blog.example.com, it actually triggers another DNS lookup to example.com, returning example.com’s IP address via its A record.

In this case, example.com is the canonical name (or true name) of blog.example.com.

Hi @Billx 

Ah, you just mean MAC address filtering, that would block your phone.

The problem is really that without specialist expensive extra hardware you cannot detect all local traffic connected to your router at once. If you had this, then Wireshark would easily (for me I guess) identify which device was generating the potentially rogue DNS queries. The only way that can be done is to DNS Query Sniffer on each supported device, but what is still difficult to find out is which applications on a device may be responsible. Obviously, the browser & email clients could potentially be to blame. Maybe some other networked applications may as well. If it was malware, then who knows where they would be coming from?

I did try to point out in your other thread about the firewall, you don't need the level set to anything more than medium. Try going to the well-respected Gibson Research Corporation's website & running their Shields Up utility. This will check, amongst other things what devices it can see & if any, what ports are open on them. There is every likelihood that as your devices sit behind the router, they may not be detectable by the outside world at all.

I am not sure how you filtered out in the router, but perhaps it is your phone then?

Hi @Billx 

Thinking about the sheer number of these messages (I get about 10 to 15 a day), are you sure that one of your devices is infected with malware or some virus?

It would be easy to prove which device it is, by turning them all off for say 5 mins, then turn them on one at a time. Check the timestamps on the logs to see which one is the culprit.

You could try Nirsoft's DNS Query Sniffer on your Windows PCs, it is pretty simple to understand:-

https://www.nirsoft.net/utils/dns_query_sniffer.htmlhttps://www.nirsoft.net/utils/dns_query_sniffer.... 

Yes I get loads of them.

HI @Billx 

In response:-

1. "Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest"  - that is the general idea, but only if the severity classification bug is fixed. Don't forget it will also filter out any other info classed messages, that might be of use.
2. I don't know what a syslog server is. It is software that can run on a network-connected PC & is a central repository for syslog messages (system log) from the router. It often provides more scope for filtering than just on the severity classification. In a commercial environment, this would collate syslog messages from all routers, managed network switches, APs, gateways & other kit such as IP Telephone systems in one place. In a residential environment, these messages will mainly come from the router, but if there were numerous APs, mesh networks etc, it could be useful. With a mesh network though, these syslog messages from each node would be sent back to the gateway node & only that node would send them to the syslog server. However, most TalkTalk routers, such as the 5363 & 5464 do not have the facility to send their system log messages to a syslog server, so it can be irrelevant. Unless of course we get a "Save to PC" button added to the router, as per my request & then I may adapt the syslog server I wrote to be more of a syslog browser capable of both acting as a normal syslog server and importing a file previously saved from the router, so as that can have the same level of filtering as a a syslog server would.
3. Wireshark. Do you have a very good understanding of the OSI 7 layer model & layer two frames, layaer three packets & layer four segments? If not, then forget Wireshark.