OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
Hello everyone @ OpenDNS,
Firstly thanks for first class service as usual!
I have a quick question which I couldn't see the answer to via a bit of googling and a search in the online documentation. When I logged in this morning to my dashboard, I was presented with the light red warning panel that reads:
"Suspicious queries that may be an indication of a malware infection have been detected from your xxx.xxx.xxx.xxx/xx network."
I tried several things but could not find a way to view the queries that have been marked as suspicious. My dashboard says that no requests have been blocked.
One other thing, in the stats section under top domains, I really don't understand what these actually mean, e.g.
1. *.in-addr.arpa (1,997 requests): This domain is unblockable.
2. wpad.internal (1,010 requests): This domain resolved normally. You can block this domain or block similar domains.
3. *.l.google.com (853 requests): This domain resolved normally. You can block this domain or block similar domains.
4. local (213 requests): This domain resolved normally. You can block this domain or block similar domains.
5. static.ak.fbcdn.net (143 requests): This domain resolved normally. You can block this domain or block similar domains.
6. dr._dns-sd._udp.internal (119 requests): This domain resolved normally. You can block this domain or block similar domains.
7. b._dns-sd._udp.internal (119 requests): This domain resolved normally. You can block this domain or block similar domains.
8. db._dns-sd._udp.internal (118 requests): This domain resolved normally. You can block this domain or block similar domains.
9. r._dns-sd._udp.internal (118 requests): This domain resolved normally. You can block this domain or block similar domains.
10. lb._dns-sd._udp.internal
There are some completely understandable domains in the list (e.g. www.facebook.com), which is great, but what are these? Also, is it possible to view not just which domains have been requested but full URLs?
Sorry for the silly questions!
Any help and advice would be much appreciated,
Thanks for the great service once again,
Kind Regards,
Will -
Hi Will,
Suspicious Activity = It is suspected that malware (such as Conficker) is running on a computer that is using your Internet Connection.
To view the sites that are seen as bad:
Stats > Blocked Domains
From the Drop Down Menu choose "Only requests that were blocked as malware"
NOTE: You may need to expand the range of dates that are being included so that it will tell you the sites.
Also Note: You will need logging enabled in order to see stats.
To do this:
Dashboard > Settings > (Select Network)
On the menu on the Left choose "Stats and Logs"
You can enable logging from there (so that you can find out what the suspicious activity is)
Most of the addresses in the list that you have included are for looking up IP Addresses of websites.
static.ak.fbcdn.net is a Facebook Address, which is kinda important
wpad.internal is a settings thing.
Basically, if you're not sure then you can easily look up addresses in Google (or another search engine) to find the info on them that you're after. -
@willsb
"top domains, I really don't understand what these actually mean"
Here are helpful KB articles: http://www.opendns.com/support/category/144
"Also, is it possible to view not just which domains have been requested but full URLs?"
Think about how DNS works. It queries an IP address for a domain name.
http://www.opendns.com/support/article/7
http://www.opendns.com/support/article/9
Any suggestion on how OpenDNS could obtain the URL then? Would you really like them to see your URL history, i.e. tracking your full surfing behavior?
"I tried several things but could not find a way to view the queries that has been marked as suspicious"
@timb_nz delivered a fine description, but here is the direct link:
https://www.opendns.com/dashboard/stats/all/topdomains/2009-09-12to2009-10-10/malware
(You may adapt the date range accordingly.) -
timb_nz, thanks for the very detailed instructions :) and thanks to you, rotblitz, for the link. I can see that this address was blocked: js.tongji.linezing.com. Now I just have to figure out which PC in my network the request came from. Time to check out the router logs!
Thanks again both of you, most helpful :) -
You're welcome! Looking at your top domain extract above I'm seeing that far too many internal lookups are unnecessarily forwarded to OpenDNS. You may need to configure your internal DNS server to be more selective...
All those *.internal should not be seen at all. -
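The point rotblitz makes above (reverse lookups, .local, .internal, wpad and the _dns-sd._udp browsing names are LAN-only queries that a public resolver should never see) can be checked mechanically against a Top Domains extract. The script below is an added example for this thread, not OpenDNS code: it classifies each query name, treats the dashboard's "*.parent" aggregates by their parent, and totals how many requests leaked. The sample list is the poster's extract with the poster's counts, plus two constructed lines (a reverse lookup for 192.168.1.5 and a www.facebook.com count) that are marked as such in the code.

```python
"""Audit DNS query names that reached a public resolver and flag the ones
that should have been answered inside the LAN.

Added example for this thread, not OpenDNS code. Input is a list of
(name, request count) pairs such as the Top Domains extract in the first
post; the dashboard shows aggregated entries as "*.parent".
"""
import ipaddress
import re

# RFC 1918 private ranges plus the 169.254/16 link-local range; a reverse
# lookup for any of these addresses should never leave the network.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# .local is reserved for mDNS (RFC 6762); .internal is a common private-use TLD.
LAN_TLDS = {"local", "internal"}

# DNS-SD browse/registration names, e.g. b._dns-sd._udp.<domain> (RFC 6763).
DNSSD_RE = re.compile(r"^(?:b|db|r|dr|lb)\._dns-sd\._udp\.")
# A full reverse name: four octets in reverse order under in-addr.arpa.
REVERSE_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")

PUBLIC = "public"


def classify(name):
    """Return "public" or a short reason why `name` is a LAN-only query."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):           # dashboard aggregate: judge by the parent
        n = n[2:]
    if n.split(".")[-1] in LAN_TLDS:
        if DNSSD_RE.match(n):
            return "dns-sd browse"
        if n.startswith("wpad."):
            return "wpad probe"
        return "lan-only tld"
    if n == "in-addr.arpa" or n.endswith(".in-addr.arpa"):
        m = REVERSE_RE.match(n)
        if m is None:                # aggregated or partial name; address unknown
            return "reverse lookup"
        try:
            addr = ipaddress.ip_address(".".join(reversed(m.groups())))
        except ValueError:           # octet > 255: malformed, but still a reverse query
            return "reverse lookup"
        if any(addr in net for net in LAN_NETWORKS):
            return "reverse lookup (private address)"
        return PUBLIC                # reverse lookup of a public address is legitimate
    return PUBLIC


def summarize(entries):
    """Total request counts per category for a list of (name, count) pairs."""
    totals = {}
    for name, count in entries:
        cat = classify(name)
        totals[cat] = totals.get(cat, 0) + count
    return totals


def leaked_share(entries):
    """Fraction of all requests that were LAN-only names (0.0 for an empty list)."""
    totals = summarize(entries)
    total = sum(totals.values())
    if total == 0:
        return 0.0
    return (total - totals.get(PUBLIC, 0)) / total


# The poster's extract (counts theirs) plus two constructed lines.
SAMPLE = [
    ("*.in-addr.arpa", 1997),
    ("wpad.internal", 1010),
    ("*.l.google.com", 853),
    ("local", 213),
    ("static.ak.fbcdn.net", 143),
    ("dr._dns-sd._udp.internal", 119),
    ("b._dns-sd._udp.internal", 119),
    ("db._dns-sd._udp.internal", 118),
    ("r._dns-sd._udp.internal", 118),
    ("5.1.168.192.in-addr.arpa", 12),   # constructed: reverse of 192.168.1.5
    ("www.facebook.com", 40),           # constructed count
]

if __name__ == "__main__":
    for cat, total in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{total:6d}  {cat}")
    print(f"{leaked_share(SAMPLE):.0%} of requests should have stayed on the LAN")
```

On the sample the LAN-only categories account for well over three quarters of the requests, which is the "far too many internal lookups" rotblitz is pointing at. The same classifier can be run over a full query log export; an aggregated "*.in-addr.arpa" entry cannot be split into private and public reverse lookups, so for that line the per-query log is needed.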
Hmm, yes, I thought this. We have a D-Link DIR-855 Quadband N wireless router, but I'm not quite sure which DNS settings to alter. Here are my settings so far. It looks like I also need to check which devices are accessing my network, as I have no idea who or what the device with host name YBP20514R is, even though I have enabled WPA-Personal on both the standard Wi-Fi network and the 5 GHz network.
Here are my settings for the DNS server:
http://img444.imageshack.us/img444/8461/dlinksystemsincwireless.jpg
Any ideas as to how to improve my config and stop these internal requests being forwarded to OpenDNS?
Thank you again for your time, it's been a great help! -
"Here are my settings for the DNS server: ..."
Sorry, this has nothing to do with DNS server settings; it's just part of the router settings. I was assuming you run your own DNS server, but I may be wrong. The picture shows your LAN settings on the router, which has nearly nothing to do with DNS, but it may be fine for improving the behavior of your router...
"Any ideas as to how to improve my config and stop these internal requests being forwarded to OpenDNS?"
Yes, I would suggest playing with those NetBIOS settings shown in your picture. You have disabled it, and therefore every lookup goes out, even for internal lookups.
