I’ve been using Comodo just a couple of months (firewall only) so this is probably something I haven’t set correctly. . . if anyone could advise me I’d be very grateful.
I’m finding the firewall is blocking UDP packets from my ISP’s DNS servers. I put the two server addresses into a Zone and set this global rule in Network Security Policy to allow it:
Allow and log UDP in from In [ZenDNS] To In [Local Area Network #1] Where Source Port Is Any And Destination Port Is Any
(The traffic always comes from port 53 on the servers, but is directed to random ports on my PC.)
This didn’t work, so I moved up the rule. It is now first in the list, but still Comodo is blocking UDP from the servers.
Could anyone tell me what I am doing wrong, please?
Hello adioz86, and thank you very much for the reply.
Browsing works fine, the problem is not with normal DNS lookup queries but these occasional UDP packets from my ISPs servers. They only seem to occur a couple of times a day. I don’t know if they’re in answer to some request from my computer, or whether it is originating at the ISP’s end, checking the connection or something like that. I use Firefox if that’s relevant.
I do use a router, a Netgear DG834 v4. Actually this is partly why I’m seeing this problem now I saw in the router’s log that it was blocking these packets, interpreting them as a port scan. So I set a rule to allow them – and now they’re reaching Comodo and being blocked there.
Here is a screenshot of the firewall log, and thanks again for taking the time to help me.
If your computer sends a query to a DNS server, this connection is also used for answer from ISP.
What your log shows, is a DNS query from your ISP to your computer, but that makes no sense. So i would block this traffic, cause everything works fine and your ISP don’t need a DNS lookup at your computer.
I appreciate your reply, but I think you’ve misunderstood. The fake “port scan” is not on one port. If you look at the log, the UDP packets are always sent from port 53 on the servers, but to different ports on my computer: i.e., they don’t match. This, I am sure, is why the router blocked them.
I think the packets ARE being sent in response to a query from my PC, but not to the same port. And when this happens, Firefox immediately (too quickly for it to have actually tried to resolve the name) says it can’t find the server at wherever. If I press Retry it works.
So I would like to allow the traffic. The rule I set looks okay to me and I don’t understand why it shouldn’t work.
I think the packets ARE being sent in response to a query from my PC, but not to the same port. And when this happens, Firefox immediately (too quickly for it to have actually tried to resolve the name) says it can't find the server at wherever. If I press Retry it works.
You can confirm this using wireshark to see if it is a standard quary response, if it is than it most likly means that it is taking to long for a response to reach your computer, in other words timing out.
So I would like to allow the traffic. The rule I set looks okay to me and I don't understand why it shouldn't work.
The rule you created is only used if you are running some kind of service over udp and you want people from the internet to be able to access that service, but most likly beacause of slow dns responses this is not neccessary and you should delete the rule from both comodo and your router because what is happening is that comodo and your router is blocking the slow responses because there is no connection to receive the responses. In other words the application requesting dns resolution in this case firefox, is closing the connection after so many seconds and when the response does come back firefox is not going to get it or accept it.
Using another program I managed to see the content of these packets, and they were all names of sites I hadn’t visited, but which were loosely related to ones I had been browsing. I found one site that reliably provoked four or five packets every time, and with a bit more digging, found out what was happening: the culprit was Firefox, using its DNS prefetch function.
After the page has loaded, FF sends out queries for all the links on it in case you MIGHT want to click on them later These go out from random ports, e.g. in the last batch from my log, 1664, 13860, 17309, 15241. So when the replies come back, they don’t look like standard DNS responses and were rejected by first my router, then Comodo.
This apparently is default behaviour for FF. I’ve now disabled it with an about:config entry, so no more mysterious log entries! Still don’t see why Comodo wouldn’t accept my Allow rule, though. EricJH, the rule was first in the list.
Thanks again, and I hope this might help someone else.