DNS Client access, to block or not to block?

Well, I was just wondering if I should allow my known legitimate apps (processes) to access the DNS Client service. I ask this, as I always block it. I don’t see the need to allow, as the apps will still communicate with the update servers, for example. Is there really a need to allow such? Will those processes, especially those belonging to security apps, not work 100% (as in not offering 100% protection)?

Best regards

Well, I couldn’t tell you the best thing to do. But I do do what you asked about. Almost all my programs I’ve set to block. Just ’cause. It’s like having at least one thing stable. I know my Adobe pgms or notepad tools, etc. can’t call whoever it is they always want to call. I set a few to ask, like VLC ’cause I use the radio, but most to off.
I don’t need programs to update themselves, I’ll let them do it when I want to. lol.

We are the startup manager!

Take control, tell 'em no!

Oh, except for the security apps I got going. I leave them alone. Gotta get the updates and I think they need access to whatever they need to look at to do their jobs. Except for CMF as it doesn’t seem to ever update, though I noticed turning updates off doesn’t seem to free up its memory usage any faster.

And I haven’t had any problems. Oh, I get a DCOM error in the event viewer every time I fire up Photoshop, so what.

But, I’m not on a home network either, so that is something to take into account. Like if you share a printer through another puter. Then you might want to set whatever you print with to ask. And don’t forget, if you do need to set things to allow, you can set that rule to log it every time, just so you know what’s going on.

I agree. But, I also have access to it blocked for all security apps that ask for access to it, including the security apps. They still update fine. I really don’t get why they would need such access. After all, blocking access to it won’t prevent apps from still resolving the Domain addresses to the respective IP addresses.

Let’s imagine (Everything is possible, I guess.) that one of those security apps we have and that we allow access to the DNS Client gets tampered with by malware, then the damage will be bigger than it would be if that security app’s access to it was denied. So, that’s why I think there would be no need for such access, unless, of course, the app would need it to work fine. But, from what I have seen, so far, all my security apps work just fine without allowing access to it.

I also have access to it blocked for my web browsers. Once again, I don’t see the need to allow such.

The DNS Client service is just a “local cache”; it’s better to disable the service if you don’t want Windows to “cache” DNS requests for you. Check ipconfig /displaydns.

Hi, ok, so the DNS Client service isn’t required for network activities, it’s one of those speed it up tools?
Didn’t know that and my understanding of the basics of networking is thin. Thus I turn things off…

From a security point of view, is the Comodo FW option to deny access to this there because an address could be modified or added?

Speaking of turning things off, thanks for the tip on the DNS Client one. Always happy to find another service to shut down.

Disabling DNS Client will decrease the overall performance of the system.

You have a great article from Microsoft here - Support policy for DNS client-side caching - Windows Client | Microsoft Learn

Here, one vulnerability (no longer exists, don’t worry) - http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx

You don’t need to disable it. Just set Defense+ to ask you whether or not you want to allow access to it and then block it.

That’s right, that’s my policy with most of my programs, I don’t allow them access without asking.

I did disable the DNS Client service. I haven’t noticed any poor behavior at all. Maybe that is a tool that helps dial up more. I use a basic broadband connection. And that svc was standing alone, disabling it got rid of a svchost, though memory didn’t budge much. So, I don’t think getting rid of it helped performance. But it’s so much fun to turn them off! I’m running outta processes!

And, even with that service disabled, programs still ask to use it.

About the performance issue, it only happens in certain situations, as you can also find in the first link I gave.

Have fun with DNS Client. :smiley:

Best regards