Author Topic: How to create "generic" rules for all DNS requests?  (Read 2606 times)

TerDale

  • Comodo Member
  • Posts: 29
How to create "generic" rules for all DNS requests?
« on: August 17, 2006, 06:21:38 PM »
I'd like to be able to create generic rules for all the requests done to the DNS server(s), whatever the application.

AFAIK this is not possible to specify in the app monitor, as it is not possible to tell "any app". That would have been quite risky to offer such a feature here, so I can understand it is not possible.
As a workaround, I attempted to create 1 new network rule for each of my DNS servers:
- each rule being something like "Allow UDP out from [Any] to [DNS server IP address] where source port is [any] and remote port is 53" (a stricter rule would have set as well the source port as 53, but let's forget it)
I hoped that would prevent to be prompted for each application trying to resolve an IP address, but it actually didn't help.

So, is there any way to tell CPF to allow UDP traffic out to port 53 to a list of a few given remote IP addresses?

TIA

egemen

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3380
Re: How to create "generic" rules for all DNS requests?
« Reply #1 on: August 18, 2006, 03:18:47 PM »
> I'd like to be able to create generic rules for all the requests done to the DNS server(s), whatever the application.
>
> AFAIK this is not possible to specify in the app monitor, as it is not possible to tell "any app". That would have been quite risky to offer such a feature here, so I can understand it is not possible.
> As a workaround, I attempted to create 1 new network rule for each of my DNS servers:
> - each rule being something like "Allow UDP out from [Any] to [DNS server IP address] where source port is [any] and remote port is 53" (a stricter rule would have set as well the source port as 53, but let's forget it)
> I hoped that would prevent to be prompted for each application trying to resolve an IP address, but it actually didn't help.
>
> So, is there any way to tell CPF to allow UDP traffic out to port 53 to a list of a few given remote IP addresses?
>
> TIA

To do so, just disable the following option:

Security->Advanced->Application behavior analysis->Monitor DNS Queries


TerDale

  • Comodo Member
  • Posts: 29
Re: How to create "generic" rules for all DNS requests?
« Reply #2 on: August 21, 2006, 04:51:56 AM »
Thanks for the tip egemen, but I don't think it fills the bill: I don't want to allow any DNS request to any DNS server (what sounds to be the case once I disabled this option), I want to create a rule for each of the 3 DNS servers of my ISP to allow any app to make queries, but only to these specific servers.
So, is this possible to reach such a result?

remoss

  • Comodo Member
  • Posts: 25
  • Just me...
Re: How to create "generic" rules for all DNS requests?
« Reply #3 on: August 21, 2006, 05:59:53 AM »
So instead of "Security->Advanced->Application behavior analysis->Monitor DNS Queries" you want to have something to mark like "Allow DNS queries on port [nn] and IP [nn] globally" where the nn is user input and can be a single value or a range?
Kind of a global rule and so valid for all programs? I like the idea.

egemen

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3380
Re: How to create "generic" rules for all DNS requests?
« Reply #4 on: August 21, 2006, 07:35:18 AM »
> Thanks for the tip egemen, but I don't think it fills the bill: I don't want to allow any DNS request to any DNS server (what sounds to be the case once I disabled this option), I want to create a rule for each of the 3 DNS servers of my ISP to allow any app to make queries, but only to these specific servers.
> So, is this possible to reach such a result?

What you can do is to disable monitor DNS requests option and create a network control rule having the following semantic:

BLOCK UDP OUT FROM IP ANY TO IP NOT ipaddressofdnsserver WHERE SOURCE PORT IS ANY AND REMOTE PORT IS 53

You need to add such a rule for each of the dns servers you need to allow.


remoss

  • Comodo Member
  • Posts: 25
  • Just me...
Re: How to create "generic" rules for all DNS requests?
« Reply #5 on: August 22, 2006, 02:49:10 AM »
Won't that give problems for programs which use UDP for other reasons besides DNS? Like torrent programs?

Herschel

  • Newbie
  • Posts: 16
Re: How to create "generic" rules for all DNS requests?
« Reply #6 on: August 22, 2006, 03:16:36 AM »
It seems to me that this rule would only allow 1 dns server.  Similar rules below it would never be reached!

egemen

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3380
Re: How to create "generic" rules for all DNS requests?
« Reply #7 on: August 22, 2006, 01:57:29 PM »
> It seems to me that this rule would only allow 1 dns server.  Similar rules below it would never be reached!

Yes. Did not notice it. Thank you for the correction. We need a way to define IP grouping.
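Herschel's observation in Reply #6 and egemen's confirmation above can be checked with a small rule simulator. This is an added example, not Comodo's code: it assumes top-down first-match evaluation of the network monitor rules, models egemen's "BLOCK UDP OUT ... TO IP NOT <server> ... REMOTE PORT IS 53" rule, and also tries an assumed allow-then-block ordering that gets the effect of IP grouping from the rule types already discussed. The resolver addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: three ISP resolvers standing in for TerDale's (placeholder addresses).
DNS_SERVERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "BLOCK"
    proto: str                  # "UDP" or "TCP"
    dst_ip: str                 # a single address, or "ANY"
    negate_dst: bool            # True models "TO IP NOT <address>"
    dst_port: Optional[int]     # None models "REMOTE PORT IS ANY"

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if proto != self.proto:
            return False
        ip_hit = (self.dst_ip == "ANY"
                  or ipaddress.ip_address(dst_ip) == ipaddress.ip_address(self.dst_ip))
        if self.negate_dst:
            ip_hit = not ip_hit
        port_hit = self.dst_port is None or dst_port == self.dst_port
        return ip_hit and port_hit

def evaluate(rules: List[Rule], proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins (assumed semantics; this is Herschel's point that
    rules below an earlier match are never reached). Unmatched traffic is allowed."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return "ALLOW"

def block_not_rules(servers: List[str]) -> List[Rule]:
    """egemen's suggestion: one 'BLOCK UDP OUT ... TO IP NOT <server> ... PORT 53' per server."""
    return [Rule("BLOCK", "UDP", s, True, 53) for s in servers]

def allow_then_block_rules(servers: List[str]) -> List[Rule]:
    """Assumed alternative without IP grouping: allow each server explicitly first,
    then one catch-all block for every other outbound UDP/53 destination."""
    allows = [Rule("ALLOW", "UDP", s, False, 53) for s in servers]
    return allows + [Rule("BLOCK", "UDP", "ANY", False, 53)]

def reachable(rules: List[Rule], servers: List[str]) -> List[str]:
    """Which of the resolvers can still be queried over UDP/53 under this rule set."""
    return [s for s in servers if evaluate(rules, "UDP", s, 53) == "ALLOW"]

if __name__ == "__main__":
    print("one BLOCK-NOT rule:   ", reachable(block_not_rules(DNS_SERVERS[:1]), DNS_SERVERS))
    print("three BLOCK-NOT rules:", reachable(block_not_rules(DNS_SERVERS), DNS_SERVERS))
    print("allow-then-block:     ", reachable(allow_then_block_rules(DNS_SERVERS), DNS_SERVERS))
```

With one BLOCK-NOT rule only the first resolver is reachable; stacking a second one blocks the first resolver as well, since it is "NOT" the second server. Non-DNS UDP (remoss's torrent case) is untouched by either rule set because every rule is restricted to remote port 53.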

TerDale

  • Comodo Member
  • Posts: 29
Re: How to create "generic" rules for all DNS requests?
« Reply #8 on: August 24, 2006, 03:11:15 PM »
> So instead of "Security->Advanced->Application behavior analysis->Monitor DNS Queries" you want to have something to mark like "Allow DNS queries on port [nn] and IP [nn] globally" where the nn is user input and can be a single value or a range?
> Kind of a global rule and so valid for all programs? I like the idea.
Would say instead "Allow UDP requests on port...", with the rest as you say, yes that's what I'd like to have, instead of having to create 3 specific rules for each and every of my allowed apps (1 rule for each of the 3 DNS servers).

> What you can do is to disable monitor DNS requests option and create a network control rule having the following semantic:
>
> BLOCK UDP OUT FROM IP ANY TO IP NOT ipaddressofdnsserver WHERE SOURCE PORT IS ANY AND REMOTE PORT IS 53
> We need a way to define IP grouping.
Anyway, even with IP grouping capability (which would be great BTW), are you sure that your above solution would work? I'm afraid it won't. Indeed, following your recommendation, I tried to disable "Monitor DNS reqs", and created 1 "allow" rule for each of my IP servers (as described in my initial post). But it didn't help, I was still prompted for each new app attempting to resolve an IP address.

Do you think it could be considered to have such a possibility in a next version?

TIA

egemen

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3380
Re: How to create "generic" rules for all DNS requests?
« Reply #9 on: August 24, 2006, 04:00:25 PM »
> Would say instead "Allow UDP requests on port...", with the rest as you say, yes that's what I'd like to have, instead of having to create 3 specific rules for each and every of my allowed apps (1 rule for each of the 3 DNS servers).
> Anyway, even with IP grouping capability (which would be great BTW), are you sure that your above solution would work? I'm afraid it won't. Indeed, following your recommendation, I tried to disable "Monitor DNS reqs", and created 1 "allow" rule for each of my IP servers (as described in my initial post). But it didn't help, I was still prompted for each new app attempting to resolve an IP address.
>
> Do you think it could be considered to have such a possibility in a next version?
>
> TIA

When DNS Monitoring is disabled, make sure you also have the Windows DNS Client Service enabled. Otherwise, all applications will still make their own queries. If it is started, then only svchost.exe will issue such requests.

Btw, you need to add these rules to network monitor.
