CFP.exe DNS request on port 53: ThePlanet.com what is that??? (again)

this has already happened to another user. And I was the only user in this forum to answer his question, just to tell him that I had some traffic from the same IP blocked. And today I got what he had, a beautiful DNS request, and I really expect some explanation. Isn’t port 53 reserved to a user’s own Internet Service provider, and not to any other one? I’m not a network specialist, so if there is another possibility just let me know this time.

and see here:
https://forums.comodo.com/help_for_v3/cfpexe_strange_dns_request-t18070.0.html

first time that happened was when online lookup and file submission became unavailable for everybody during 24 hours, and there hasn’t been a word about it, no explanation, nothing.
https://forums.comodo.com/bug_reports/online_lookup_bug_items_not_checked_submitting_files_stopped-t18162.0.html
at the moment online lookup works.

when I block this IP: 74.52.245.98, online lookup becomes impossible.


Port 53 is used by all DNS servers, whether you use your ISP or not. Looks like CFP is using a DNS server at The Planet to look up information about your submitted files. Don’t know what they’re really doing, though; maybe Comodo will comment on their implementation. PURE SPECULATION: A DNS accepts a UDP over port 53 as an entry in one table (a domain name) and sends you back a response by cross referencing to another table (an IP address). I could certainly make one of these into a file lookup machine if I wanted to. :slight_smile:
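The lookup mechanism guessed at in the post above, as an added example that is not part of the original thread and is not Comodo's implementation: a file hash is encoded as a DNS query name and the verdict is read back from the A record. The zone `lookup.example`, the verdict address and all function names are hypothetical, and the response is constructed inline rather than captured.

```python
import struct

def encode_name(name):  # length-prefixed DNS labels (RFC 1035)
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(hash_hex, zone, txid):
    """Build an A query for <hash>.<zone>; the hash is split into 32-char labels."""
    labels = [hash_hex[i:i + 32] for i in range(0, len(hash_hex), 32)]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(".".join(labels + [zone])) + struct.pack("!HH", 1, 1)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_verdict(msg, txid):
    """Return the first A record as a dotted quad, or None (NXDOMAIN / no answer)."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    if (flags & 0x000F) == 3:  # NXDOMAIN: the hash is not in the table
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return None

def constructed_response(query, ip):
    """Constructed sample reply: echo the question, answer with one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    return header + query[12:] + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ip)
```

Plain DNS over UDP carries the hash in clear text and the answer is unauthenticated, so the packet alone does not tell the client who produced the verdict.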

I know all dns servers use port 53. But finding a connection to another ISP in the connection list is rather seldom, I actually never saw it before. And yes I’d love Comodo to tell us why they use it, and why online lookup is blocked when ThePlanet.com IP is blocked (by me).

I quite understand that all traffic goes through our respective Internet providers, and it is normally perfectly transparent. ISPs never appear in a connection list or in a log. Again, I’m not a network specialist and in that matter I just don’t know what’s normal and what’s not.
(I probably make a mistake by thinking a DNS server is necessarily linked to an Internet Provider, like ThePlanet.com is; the only thing I know, and that’s not much, is that a DNS server translates an email address or a domain name into an IP number and vice-versa.)

Take a look at the edit to my previous message for a wild guess at what might really be going on. :wink:

OK thanks.

I don’t know if the referenced wild guess is correct or not. But once again Google can be our friend, so I googled “theplanet.com”, which seemingly does web hosting for a wide variety of legitimate companies.

But it also is sometimes used for illegitimate uses as the following rated R link shows.

http://forums.theplanet.com/lofiversion/index.php/t85131.html

While the link gets rather profane and insulting, it does show that it may pay to research exactly what theplanet.com is doing on your computer. It might be up to a bunch of no good.

I am reasonably confident that Comodo is not up to no good, thus the wild guess. The calls come from CFP; if you think Comodo is up to no good, perhaps we should find another security system? :wink: It is really just one simple way to do the function. But maybe Melih or someone from Comodo can give a better explanation.

hopefully yes
again, one day before another user found this same connection in his log, I had a UDP in naturally blocked by CFP from guess who: ThePlanet.com. A couple of hours after that CFP online lookup was becoming unavailable for many users. I went through a reinstall of CFP in between and didn’t keep the log. Sounds like CFP couldn’t block it today. And I insist: when you block ThePlanet.com IP manually, online lookup becomes impossible.

The fact that online lookup becomes impossible when you block ThePlanet.com helps lead to the wild guess that they are using a DNS server to do it. :slight_smile:

hi guys

The Planet is a decent outfit where we host some of our servers!

We use many data centers around the world and The Planet is one of them!

thanks
Melih

OK, but I’d rather see a Comodo IP instead of a server like that when I submit my files with CFP. Also this IP is the general IP of an Internet Provider and the data is sent on port 53, which means we have no idea where the data goes after that, before it gets to Comodo. Decent or not, this server does not represent Comodo and cannot be, in my opinion, so directly linked to our computers. You can use and run as many servers as you wish, as long as you control them, and as far as I know you do not control ThePlanet.com. You can’t expect from us users that we just put our data in the hands of an Internet Provider called ThePlanet.com and whatever happens to the data when it reaches the server, trust the feedback that we get in CFP. This is absolutely insecure. Also we haven’t been warned that such methods would be used, and although I’ve been using Comodo products for a while now, I might reconsider whether I’ll continue.
If we users say yes to the presence of such a server, why not accept any traffic from CFP to any server in the world then, send them data and let them make statistics on the programs we run…sorry, but no. I encourage anyone from now on that keeps running this firewall to stop submitting files, and of course disable automatic online lookup and file submission.

adding: a direct SSL connection to a Comodo server (or servers), and no one else, would have been appreciated.

OK I’ve been posting on this forum for more than a year now (with other accounts), and this is the first time I have a major disagreement with Comodo itself. I’m extremely disappointed. When Comodo becomes 100 % Comodo again, please let me know.
And by the way that would be nice if for a start you gave the users a complete list of the servers that they should trust. CFP is supposed to bring more security on a computer and also more control on its network connections. What happens now is just the contrary. Who would accept a direct and repeated connection to an unknown server, would you Melih?

                   regards
                   Leopard19

This whole Theplanet.com thing has evidently struck a nerve.

I think the sdif comment that follows is the wrong way to look at the problem—if you think Comodo is up to no good, perhaps we should find another security system?

The point being, we trust Comodo, we also know that theplanet.com is mostly a legitimate outfit, but we also find out that theplanet.com has less than a total perfect record and has been misused by the “bad guys” to web host their dissemination of malware trojans. So we can’t totally trust theplanet.com.

But long long odds, anything incoming to our computers from theplanet.com will be legit because it’s coming indirectly from Comodo. But it would be nice to have a way to test if it’s coming from illegitimate sources that are misusing theplanet.com.

So question, can anyone think of a way to make that discrimination? Or something comodo could do from its end that hackers could not duplicate. So even if the “bad guys” can get use of theplanet.com servers, and those same theplanet.com servers basically have an open route through the comodo3 firewall, the hack would still fail because the content is not from comodo.

I can only agree with you Osage. Don’t know if you read it but I already had a blocked incoming UDP connection from ThePlanet.com found in my log, a few days ago.

I have raised it with Operations guy as to the status.

I agree it should be a Comodo IP.

Melih

thanks Melih, I’m really happy about that (:CLP)
it would have been the first time that a serious issue would be ignored by Comodo, but once again you’ve proved to be very responsive and positive

ok first response i have is: due to latency they have scattered the servers around the world so that there is less network latency when you do online lookup.

they are now going to look further into seeing what can be done.

thanks
Melih

OK no problem, hope it’ll work.

adding: I can easily understand how difficult it could be to centralize everything on Comodo servers, considering the amount of data potentially sent every day from CFP with users installing new software, and considering possible latency issues. I already wondered since the beginning of CFP 3.0, how you could make it possible. But for the reasons I already gave in the above posts and that you seem to understand, it would really be better for everyone to remain 100 % Comodo all the way long and avoid “third party” servers between you and us.

Does BOClean use theplanet.com for its daily updates as well as cfp?

Nice 1 Matty

no idea cause I don’t use BO Clean, but I’ve thought earlier today that the blocked UDP incoming connection I’ve had from ThePlanet.com was most likely related to CFP update auto-check.

Do you have a block on theplanet.com’s IP address? Because if it was the auto update-check it would have been allowed through, wouldn’t it?

Nice 1 Matty