Stealth Mode connection attempt

I opened console yesterday and it said, several times:

Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53



I checked today and it is the same

5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53


Does this mean my computer is being attacked or something like that?

How can I be protected and get rid of it, whatever it is?

Black MacBook, Mac OS X (10.6.3)

Posted on May 19, 2010 7:23 PM

Question marked as Best reply

Posted on May 19, 2010 8:03 PM

That is Google's Public Domain Name Server. It is probably responding to a request from your computer and the computer thinks the response is a stealth connection attempt.
16 replies
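
Added example, not part of the original thread: a small Python triage of Console "Stealth Mode connection attempt" lines that separates DNS answers from a configured resolver (the case described in the reply above) from other dropped packets. The sample log is constructed (only its first entry's addresses appear in the thread), and the resolver set, the labels and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Console format quoted in the question; only the
# first entry's addresses come from the thread, the others are documentation IPs.
SAMPLE = """\
5/19/10 9:19:57 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53
5/19/10 9:20:02 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:64414 from 8.8.8.8:53
5/19/10 9:31:40 PM Firewall[74] Stealth Mode connection attempt to UDP 192.168.1.2:51822 from 198.51.100.9:53
5/19/10 9:40:11 PM Firewall[74] Stealth Mode connection attempt to TCP 192.168.1.2:22 from 203.0.113.7:40112
5/19/10 9:41:00 PM example[1] unrelated constructed entry
"""

LINE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def classify(proto, src, sport, dport, resolvers):
    """Label one dropped packet. `resolvers` is the set of DNS servers this
    host is configured to use (an assumption supplied by the caller)."""
    if proto == "UDP" and sport == 53:
        # Source port 53 to a high port looks like a DNS answer. From a
        # configured resolver this is consistent with a reply that arrived
        # after the client had already closed the socket.
        if src in resolvers and dport >= 1024:
            return "late-dns-reply"
        return "dns-from-unconfigured-resolver"
    return "unsolicited-probe"

def triage(log_text, resolvers):
    """Count Stealth Mode entries per (label, source, protocol, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a Stealth Mode entry
        sport, dport = int(m["sport"]), int(m["dport"])
        label = classify(m["proto"], m["src"], sport, dport, resolvers)
        counts[(label, m["src"], m["proto"], dport)] += 1
    return counts

if __name__ == "__main__":
    for (label, src, proto, dport), n in triage(SAMPLE, {"8.8.8.8"}).most_common():
        print(f"{n:3d}  {label:32s} {src:15s} -> {proto}/{dport}")
```

Entries labelled `dns-from-unconfigured-resolver` or `unsolicited-probe` are the ones worth a closer look; the resolver set should match the DNS servers actually configured on the machine.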

Oct 18, 2010 2:19 AM in response to jasgaravito

I actually found this post while researching firewall logs from my router. Coincidentally, I just got a new MacBook Pro a few days ago, and I hadn't even noticed any of this type of behavior in my Console logs. Anyway, I'm actually somewhat confused about this myself, & I'm an Information Security Analyst for goodness sake. Here is what I'm seeing in my 2Wire Gateway firewall logs for the past 30 hours or so, filtered for: INF & named-
(Just an FYI, I have U-Verse with 12Mbps DL and 3 Mbps UL speeds)

INF 2010-10-16T20:44:35-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-16T20:47:08-04:00 named: Previous log entry repeated 20 times
INF 2010-10-16T21:28:32-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-16T21:31:12-04:00 named: Previous log entry repeated 26 times
INF 2010-10-16T22:12:37-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-16T22:15:12-04:00 named: Previous log entry repeated 25 times
INF 2010-10-16T22:56:34-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-16T22:57:40-04:00 named: Previous log entry repeated 13 times
INF 2010-10-16T22:58:10-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-16T22:58:24-04:00 named: Previous log entry repeated 9 times
INF 2010-10-16T23:16:31-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-17T02:47:47-04:00 named: Previous log entry repeated 247 times
INF 2010-10-17T13:57:26-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-17T20:49:54-04:00 named: Previous log entry repeated 564 times
INF 2010-10-17T21:20:57-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-18T00:19:38-04:00 named: Previous log entry repeated 812 times
INF 2010-10-18T00:21:03-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-18T00:22:05-04:00 named: Previous log entry repeated 12 times
INF 2010-10-18T00:37:54-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-18T01:03:24-04:00 named: Previous log entry repeated 37 times
INF 2010-10-18T01:05:05-04:00 named: dropped malicious resp from 68.94.156.1
INF 2010-10-18T01:23:53-04:00 named: Previous log entry repeated 214 times

That's approximately 2000 dropped malicious connections from 68.94.156.1... Which also happens to be my freaking PRIMARY DNS SERVER via SBC, or AT&T whichever you want to call them. It doesn't really seem like a DNS poisoning or anything & I'm not having any problems as far as reaching web pages, so I have to admit I'm somewhat befuddled. You'd think after spending over $50,000 on an education, which includes a degree in Computer Network Systems plus a bunch of certifications no less, that I should probably be able to figure this out. Of course I have been up for 2 days straight, so who knows.

I think this post is a little old, but I was hoping someone might have some new thoughts, information, insight or hopefully some type of answer by now. I'll be doing some more work on this, but I was hoping that somebody had a quick answer for this if it gets put back at the top. Especially since this is a MAC forum! 😉

Thanks for any help; it would be much appreciated!

WhiteHatH4x0r
Information Security and Intelligence Analyst
