Harry,
Thanks. Your reply now further clouds my investigation. I can see from
the dlink forum thread that the "Advanced DNS Service" of my router
auto-magically locks in the 204 DNS addresses. Perhaps these may be
semi-private DNS addresses granted to dlink from 302 Direct Media LLC. I
also see the linkage between OpenDNS and its parent Direct Media LLC.
This confusion will have to wait. I have disabled the "Advanced DNS
Service" in my router and redirected back to my local DNS servers.
Your second share is more bothersome. Thanks for the info. I suppose I
need to get a better IP tracer app. I use NeoTrace v3.25.
Whoever/Whatever this server is, I do feel I am being chronically
probed. Luckily the router is fully blocking the requests ATM.
I log these connection requests from "their" servers' port range of
~49347-64216. My docs indicate that these are "Dynamic and/or Private
ports."
The connection requests always try my ports:
80, HTTP
81, Host2 Name Server
139, NetBios Session Service
443, HTTP protocol over TLS/SSL
515, Printer Spooler
2191, TvBus Messaging
9100, Printer PDL Data Stream
I can sorta understand the first 4 because I would use these normally
for browsing and email. The 2191 may be because my ISP offers TV via
their fiber network. I do not do TV yet! The 515 and 9100 will need some
more local research; I suspect this may be my Brother network printer. It
has a very confusing and badly documented print server. ATM, I will
accept these 2 as just plain MY BAD. LOL!
I will continue to study my router's docs to find out if I can just
block the "local" ip addy. The DGL4500 seems to hide this feature really
well. I may bring my older DGL4300 router back online. It has a direct
selection for blocking (black-listing) ip addresses... :)
Thanks,
Duncan
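As an added example (my own script, not code from Duncan, Harry, or the router vendor): the two checks this thread turns on are "which of my ports is that host trying, and from what source ports?" and "does a DNS server address actually sit in the range I expect from my ISP?" The log line format below is an assumption modelled on consumer-router "blocked request" entries, the sample lines are constructed (192.0.2.10 and 203.0.113.7 are documentation addresses standing in for the WAN IP and a second scanner), and 66.18.32.0/24 is a placeholder prefix, not a verified allocation for epbfi.com. The script aggregates blocked inbound requests per source, reports the targeted ports, checks whether the source ports all fall in the IANA dynamic/private range (49152-65535, the "Dynamic and/or Private ports" Duncan's docs describe), and tests an IP against a list of expected CIDR prefixes the way Harry does with 12.0.0.0/8.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, in the style of a consumer router's "blocked
# request" entries. Not copied from any real router; the line format is an
# assumption. 192.0.2.10 stands in for the WAN address.
SAMPLE_LOG = """\
[INFO] Blocked incoming TCP connection request from 68.169.188.189:49347 to 192.0.2.10:80
[INFO] Blocked incoming TCP connection request from 68.169.188.189:51022 to 192.0.2.10:81
[INFO] Blocked incoming TCP connection request from 68.169.188.189:52910 to 192.0.2.10:139
[INFO] Blocked incoming TCP connection request from 68.169.188.189:55501 to 192.0.2.10:443
[INFO] Blocked incoming TCP connection request from 68.169.188.189:58740 to 192.0.2.10:515
[INFO] Blocked incoming TCP connection request from 68.169.188.189:60213 to 192.0.2.10:2191
[INFO] Blocked incoming TCP connection request from 68.169.188.189:64216 to 192.0.2.10:9100
[INFO] Blocked incoming TCP connection request from 68.169.188.189:49900 to 192.0.2.10:80
[INFO] Blocked incoming TCP connection request from 203.0.113.7:1025 to 192.0.2.10:22
[INFO] Allowed outgoing UDP connection from 192.0.2.10:53421 to 66.18.32.2:53
"""

# Matches only blocked *inbound* requests; allowed/outbound lines are skipped.
LINE_RE = re.compile(
    r"Blocked incoming (?P<proto>TCP|UDP) connection request from "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) to (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)

# IANA dynamic/private port range (RFC 6335).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535


def parse_blocked(log_text):
    """Return one dict per blocked inbound request found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "proto": m["proto"],
                "src_ip": m["src_ip"],
                "src_port": int(m["src_port"]),
                "dst_port": int(m["dst_port"]),
            })
    return events


def is_ephemeral(port):
    """True if port is in the dynamic/private range a client normally uses."""
    return EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH


def summarize_by_source(events):
    """Per source IP: hit count, sorted list of targeted ports, observed
    source-port range, and whether every source port was ephemeral (a
    fixed low source port would suggest a service rather than a scanner)."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src_ip"],
                               {"hits": 0, "dst_ports": set(), "src_ports": []})
        s["hits"] += 1
        s["dst_ports"].add(e["dst_port"])
        s["src_ports"].append(e["src_port"])
    for s in summary.values():
        s["src_port_range"] = (min(s["src_ports"]), max(s["src_ports"]))
        s["all_ephemeral"] = all(is_ephemeral(p) for p in s["src_ports"])
        s["dst_ports"] = sorted(s["dst_ports"])
        del s["src_ports"]
    return summary


def port_hit_counts(events):
    """How often each local port was tried (port -> count)."""
    return Counter(e["dst_port"] for e in events)


def in_expected_ranges(ip, prefixes):
    """True if ip lies inside any of the CIDR prefixes you expect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    events = parse_blocked(SAMPLE_LOG)
    for src, s in summarize_by_source(events).items():
        print(src, s)
    print("ports tried:", port_hit_counts(events).most_common())
    # Harry's check: 204.194.234.200 is not inside AT&T's 12.0.0.0/8.
    # 66.18.32.0/24 is a placeholder prefix for the ISP, not a verified one.
    expected = ["12.0.0.0/8", "66.18.32.0/24"]
    for dns in ("204.194.234.200", "66.18.32.2"):
        print(dns, "in expected ranges:", in_expected_ranges(dns, expected))
```

Point the script at a saved copy of the weekly log instead of SAMPLE_LOG and the per-source summary answers the questions in the thread directly: a single source hitting a fixed set of ports from all-ephemeral source ports looks like a scanner, while a DNS address that falls outside every prefix you expect from your ISP deserves the whois that Harry did.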
On 11/15/2010 01:36, Harry McGregor wrote:
On 11/14/10 4:56 PM, DSinc wrote:
Josh,
Understand, but the router's log file (weekly) is quite large
(220KB). If you would like a look, I can try and copy a portion into
an off-list email to you.
The router is set for DHCP on the WAN side. And, initially used the
ISP's local dedicated DNS Servers. Since I changed the DNS selection
to "Dynamic", the DNS windows are grayed out and now show DNS servers
I trace to ATT:
204.194.234.200 (p)
204.194.232.200 (s)
Those are not ATT DNS servers; almost anything ATT is 12.0.0.0/8.
A whois on the IP addresses:
OrgName: 302 Direct Media LLC
OrgId: DIREC-107
Address: 548 Market St #25810
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US
Now, from a BGP perspective, they get transit from Level3 and ATT
(http://www.robtex.com/as/as30607.html)
I don't think these are coming from your ISP, read this page:
http://forums.dlink.com/index.php?topic=5064.0
As to host-68-169-188-189.mapoltl.epb.com , that seems to be unrelated,
it's a virtual server in a colo in LA, and has a ton of domains on it,
and could be scanning you, or trying to infect you with malware, no real
clue on it.
Harry
Still confused,
Duncan
On 11/14/2010 03:02, Josh MacCraw wrote:
Port addresses would be helpful in determining what the traffic is.
Your router should be in DHCP mode for the WAN, which will in turn give
you the valid DNS servers for your ISP.
On 11/12/2010 9:27 AM, DSinc wrote:
I have a new ISP (epbfi.com?). They have their own DNS servers:
66.18.32.2 (p)
66.18.32.3 (s)
My router is a DLink DGL4500; so I set it to point to the ISP's DNS
servers.
I am trying to figure out why my router is being hammered by another
server of my ISP. I say hammered because my router's log file fills up
with [info] listings of blocked requests from another ISP server to my
assigned IP addy. The server is:
host-68-169-188-189.mapoltl.epb.com
Yes, I could just deselect [info] objects from my router's log file.
I've spoken to the tech support staff. They tell me I am getting
"reverse DNS routing" stuff. I was told to remove my router's dedicated
DNS assigns and set my router to "dynamic." I think I have done this.
<snip>