dns requests not going through svchost.exe

Hi,

Short summary:
Since I started running Comodo Firewall I am experiencing a strange behavior of Windows XP: All applications directly try to connect to the DNS server UDP port 53 in order to query the DNS (e.g. Firefox contacts DNS server UDP port 53), even though the DNS client service (dnscache) is running fine. They used to do that through svchost.exe.
Any idea how to change this back to using svchost?

Long explanation:
Before, I used Agnitum Outpost. There I had a rule allowing svchost.exe to connect to my DNS servers. All DNS queries on behalf of running applications were done through svchost.exe. Fine!

Then I uninstalled Outpost since I was not very convinced of it and installed Comodo. Since then, all applications directly try to query the DNS server. They do not use svchost.exe any more.
Well, of course, I could set up rules to allow each application to query the DNS. But having already around 100 application rules and then adding another 80 just to make DNS work makes everything very error prone. A situation I would like to avoid.

I have extensively searched the web for a solution with no outcome. I know this might be a question which should be directed to Microsoft. But since this behavior appeared with the installation of Comodo and since I hope someone here might already have experienced this, I would like to ask it here:

Does anybody have a hint on how I can tell Windows XP to use the DNS client cache again? Or - do you know if Comodo is involved in the fact that dnscache is more or less disabled?

I know that if I disabled the DNS client service, I would experience exactly what I am experiencing now. But:

  • the DNS client service (dnscache) is enabled and running. Sysinternals’ Process Explorer shows it (C:\WINDOWS\system32\svchost.exe -k NetworkService). Also ‘sc query’ shows it running:

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

  • An ‘ipconfig /displaydns’ always shows me an empty DNS cache - except for the entries in my hosts file. Therefore I assume the dnscache is not in use.

  • Comodo already caught services.exe calling svchost.exe in order to make a DNS request. Therefore I expect the dnscache to work fine.

  • I checked my registry under ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters’. Only one string is in there:
    ServiceDll → %SystemRoot%\System32\dnsrslvr.dll
    So I assume no tweaking of the dnscache parameters has been done. But of course, this is Windows, where you can never be sure.

So I think my dnscache is running fine but applications are simply not using it.

I really do not want to nearly double the number of rules in my rules set with senseless entries. At least not as long as you cannot give your rules a name.

Thanks in advance for your help!

Regards,
Schlonz

Well, this is not an answer… :frowning: but something similar is happening to me.

Comodo seems to interfere with the name resolution facility of my system.

I have experienced the following behaviour:

When COMODO is running, is active and properly configured it is possible to ping, surf, share resources and the like both on my private network and in the network of the institution I work for.

However, if I set the security level to PASS ALL or if I disable the firewall, suddenly I lose the ability to ping servers by name.

I think something pretty much similar to what is described in the previous post happens, because I noticed the DNS cache staying empty as well.

Uninstalling COMODO solves the problem, as name resolution comes to life again.

This behaviour is very reproducible on my computer (Acer Aspire 1510 running Win Xp SP2).

Unfortunately I have no clue why this happens, but I hope somebody can help me because I would like to keep using this firewall!

Bye bye

Hi soppelsa,

I am not sure whether I can help you. I am by no means a comodo specialist :). But maybe we can pinpoint the problem.

I am also rather convinced that we are having different problems. If I understood right, your Comodo might have problems disabling itself correctly, and it sounds like it disables your OS’s ability to use DNS. If something like that happens, it is understandable that the DNS cache is empty.
Whereas my Comodo instance (or my Windows installation) has trouble using the DNS client service.

Regarding my problem I am still at the same point as when I wrote the posting above. No success so far :frowning:

Regarding your issues with comodo - do I understand them right:

Comodo is up and running. => no problems.
You adjust the computer security level to ‘Allow All’ => You cannot ping servers by hostname. BTW: I do not experience this problem. If I set ‘Allow All’ it seems that every packet is going through fine.

Then I have a couple of questions:

1) How do you ‘disable the firewall’? I for instance cannot disable the firewall service process (it does not allow this). The only thing I can do is to set the security level to ‘Block All’, ‘Custom’ or ‘Allow All’.

If security level is set to ‘Allow All’:

2) What exact error message do you get from ping?

3) Can you then successfully ping the IP address? If not, which error message do you get?

4) Can you successfully ping the IP address of your DNS server?

5) Does the command ‘nslookup www.comodo.com’ in the Windows command line correctly resolve the host name to its IP address? nslookup is supposed to work a little bit differently than everything else since it always does DNS lookups on its own.

6) Did you find anything suspicious in the firewall or windows logs?

Regards,
schlonz

schlonz,

I only see one possibility, really, for your scenario, and that is that somehow svchost.exe is being blocked by Comodo - either at application or network level. If you set to Allow All and it works fine, that says we have a rules issue somewhere in Comodo.

Are there any log entries showing a block for Application (or Application Behavior) relating to svchost.exe, or Network traffic being blocked relating to Port 53?

LM

PS: soppelsa, I think schlonz had some excellent questions to help diagnose your issue; it may very well be a different issue.

Hi Little Mac,

First of all, thanks for your help, it is very appreciated!

I did not find the solution so far but at least your hints brought me one step further:
If I set the security level of Comodo to ‘Allow all’ my DNS cache (ipconfig /displaydns) gets populated! As soon as I activate the ‘Custom’ level, DNS cache again is ignored.

For me that means the dnscache and windows are fine. But as you already mentioned, comodo might block svchost somehow.

That leads to the next problem: I cannot find any hint that comodo blocks it. If you look at my setup below, there is only one single blocking rule which also logs. But in the logs I do not find any hint.

There is only one thing:

  1. I try ‘telnet www.comodo.com 80’. (No rules for telnet.exe exist)
  2. Comodo pops up with three questions:
    a) telnet.exe connecting to DNS server1 port 53 UDP
    b) telnet.exe connecting to DNS server2 port 53 UDP
    c) telnet.exe connecting to web server port 80 UDP

If I am very fast with clicking positive answers, nothing gets logged. If I am too slow, Comodo logs one line:
Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
ICMP Outgoing from my IP address to (most times) the second (sometimes the first) DNS server.
The reason is my catch-all-block-everything network rule which is supposed to block and log everything not specifically allowed.

I also tried to activate ‘Advanced/Miscellaneous/Do not show any alerts for the applications certified by comodo’ for testing. It does not change the dnscache behavior.

My setup looks as following:

*) Component Monitor: Learn Mode.

*) Application Monitor: Not a single blocking rule.

*) Network Monitor: only one blocking rule (the last one): Blocking and logging any IP protocol traffic. There are some other ICMP, IP and TCP/UDP rules before which allow traffic. This includes the basic rules Comodo came with.

*) Advanced: Application Behavior Analysis: everything activated.

*) Advanced: Advanced Attack Detection and Prevention: Intrusion Detection settings are default; Miscellaneous settings are all activated except: ‘Do packet checksum verification’ and ‘Monitor other NDIS protocols than TCP/IP’.

*) Advanced: Miscellaneous: Alert Frequency Level is set to ‘Very High’. Everything else is activated except ‘Do not show any alerts for the applications certified by comodo’.

Yes, I am sitting in a NAT environment with a small Cisco PIX between the outside world and my network. I do not expect it to be involved in my issues since its setup has not changed for a long time and my problems seem to be related to the computer running Comodo only.

I do not expect my computer to be compromised in any way. I am quite paranoid about security, running NOD32, etc. Just in case, I did not mention before that I am running SP2 on Windows XP with all automatic updates installed.

Does somebody have any idea? Thanks in advance!

Regards,
schlonz

You may need to allow your DNS server to Ping you (which would currently be dropped by default Network rules). If so, it will be in the logs. You can export the logs and upload here… Go to Activity/Logs. Right-click and select “Export HTML.” Save the file and reopen it (it will open in your browser).

If the log is not too large, you may copy and paste into your post here; this will keep the formatting the same for easy reading. If you have had the issue in the last few minutes, you can copy/paste just a portion of the logs for that purpose and we’ll see what’s there. In these cases, you may mask/edit your personal IP address if it shows for privacy (this will match the IP showing in the lower right corner of your posts here).

If the file is large/extensive, you may want to compress it to a .zip format and attach to your post using the Additional Options below the textbox. Then we can review and see what we see.

Have you tried doing a dns flush or release, and then renewing it?

LM

This is not a reply with a solution. I just wanted to add that I am also having the same problem as schlonz and am really looking forward to a resolution on this.

On a further note, I am not sure if this has any effect, however, I noticed that the newbie installation guide on the forum suggests all to use the Automatic Install and specifically not to use the Manual/Advanced install. I didn’t read that before I tried to install CPF, and I chose the Advanced install. Schlonz, did you use Automatic Install? If not, could this be the reason?

It is a long shot, but I am a newbie and quite clueless so just thought I’d try a stab in the dark.

Hi Little Mac,

I have some trouble following here. On the one side, my problem is NOT that DNS is not working. It works. But just in a very strange way: As long as Comodo is activated, DNS requests are not done through svchost.exe, but DNS is queried directly by each application itself, bypassing the Windows DNS cache and leading to a situation where I have to allow DNS requests specifically for each application. Meaning I end up with nearly doubling the application rules just to allow DNS requests. Error prone, many senseless rules and no DNS cache.

Furthermore I do not think that the missing ability of the DNS server to ping me leads to a situation where an application can directly query DNS but svchost cannot.

Also, my router/firewall (Cisco Pix) guarding my NAT network here can be pinged (it allows ICMP time-exceeded, echo-reply and unreachable) from the in-/outside. Pinging from the outside into a NAT network is as far as I know impossible as soon as more than one host is in the NAT network.

Regarding the logs: There are none related to my problem except maybe this blocked PORT UNREACHABLE I described above: First I delete the firewall logs. Next I try to query DNS by using ‘telnet www.comodo.com 80’. As described in the posting above, if I click allow fast enough, we end up with an empty firewall log. If I am slow, I will see this single log:

Date/Time :2007-07-06 19:52:09
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.0.33
Destination: 195.34.133.22
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 9

192.168.0.33 = my computer. 195.34.133.22 = second DNS. 195.34.133.21 would be the first DNS.
Network Control Rule 9 is my one and only blocking rule: BLOCK and LOG IP IN or OUT From IP [Any] to IP [Any] WHERE IPPROTO is ANY

No other logs.

Regarding flushing the dnscache: I can flush it. Meaning I only have the same entries in there as are in my hosts file. Nothing else. Expected Windows behavior.
Then I trigger a DNS query. Nothing has changed in the cache. Next I set Comodo’s security level to ‘Allow All’ and again trigger a DNS query: The new entry shows up in the cache. Setting Comodo back to ‘Custom’, triggering a DNS query to another hostname: it will not show up in the cache.

What I now also tried was the following: Comodo is running in ‘Custom’ mode. BUT: I turned off Application Monitor, Component Monitor and Network Monitor. Again triggered a DNS query. Nothing showed up in the cache.

Regards,
schlonz
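The flush / resolve / displaydns test schlonz describes above, written up as a PowerShell check that is not part of the thread: it confirms the DNS Client service is running, resolves a name through the system resolver the way a normal application would, and then reports whether that name landed in the dnscache. The test name www.comodo.com is taken from the thread; any host not in the hosts file works.

```powershell
# Added example, not from the original posts. Checks whether a lookup made
# through the Windows resolver shows up in the DNS Client (dnscache) cache.
# Assumed test host: www.comodo.com (any name not in the hosts file will do).
param([string]$Name = "www.comodo.com")

# 1. Confirm the DNS Client service is running (same as 'sc query dnscache').
$svc = Get-Service -Name Dnscache
"Dnscache service state: $($svc.Status)"
if ($svc.Status -ne "Running") {
    "DNS Client service is not running; applications will query DNS directly."
    return
}

# 2. Empty the resolver cache so only hosts-file entries remain
#    (same as running 'ipconfig /flushdns' by hand).
ipconfig /flushdns | Out-Null

# 3. Resolve the name through the system resolver (getaddrinfo -> DNS Client).
#    This is the path a normal application such as Firefox should be using.
$addrs = [System.Net.Dns]::GetHostAddresses($Name) |
    ForEach-Object { $_.IPAddressToString }
"$Name resolved to: $addrs"

# 4. Look for the record in the cache ('ipconfig /displaydns').
#    Resolution succeeded, so if the record is missing the query was answered
#    without the DNS Client service, i.e. the cache was bypassed.
$cached = ipconfig /displaydns | Select-String -SimpleMatch $Name
if ($cached) {
    "OK: '$Name' is in the dnscache; lookups go through the DNS Client service."
} else {
    "WARNING: '$Name' is NOT in the dnscache; lookups bypass the DNS Client service."
}
```

Run it once with the firewall in ‘Custom’ mode and once in ‘Allow All’ to reproduce the difference schlonz saw between the two modes.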

Hi jaster,

Hmmm. I am not sure anymore which way I chose. Since I am quite familiar with IP protocols, firewalls, etc. it is possible that I chose the Advanced install. Maybe during the weekend I will try to uninstall Comodo and try the different install options.

At least good to know that we are not alone with our problems anymore :slight_smile:

Regards,
schlonz

Tnx for the post, jaster. I’m inclined to agree with you on the install method. I have done the manual configuration of Comodo and had no issues, but that was not until I was intimately familiar with this specific firewall and how to configure it. Doing the Advanced/Manual install requires the user to configure everything. The setup is not as it would be using the default Automatic installation. In my experience, it does not matter how much computer/networking knowledge the user has; this firewall is very different than other firewalls. It seems that our preconceptions of what we think it is or should be get in the way, and problems result (probably 8 or 9 out of 10, in my estimation).

In that scenario, my recommendation would be to:
Disconnect computer from internet (ie, unplug network cable).
Turn off/disable all active security software (antivirus, antispyware, HIPS, etc) - as they tend to interfere.
Uninstall Comodo Firewall, and reboot.
Clean out the registry of leftover/orphaned/rogue entries. You can do this ‘by hand’ using Regedit, or automatically with software such as ccleaner or RegSeeker (be sure to make backups of the registry). Reboot.
Turn off all active security software again.
Reinstall Comodo Firewall using the Automatic install.

In fact, in this topic there are a couple of install how-tos that might be useful (one video, one written), a set & forget how-to, and some other goodies. Should be a good reference. https://forums.comodo.com/index.php/topic,6167.0.html

LM

That is odd, schlonz. If you turn off All Monitors that is basically the same as setting to Allow All, and should let it work. However, this rules out both Network Monitor and Application Monitor. The one thing it does not address is the Advanced settings. These should be in the logs, though. Also, by default the ICMP Out should be allowed; you shouldn’t get Port Unreachable unless the website is down.

I’m inclined to go with the same advice as for jaster - do a clean reinstall on Automatic. I’m not big on doing reinstalls, but in situations where things are not behaving as they should, it seems to be a very good fix…

LM

Hi Little Mac, Jaster

Once again thanks for all your support! I can imagine that helping out with these subtle, strange problems is not the most cheerful occupation.

I also got the impression that some very odd things are going on in my system here. I currently see three things to go on with: Turning everything (including Advanced settings) off in Comodo and then reactivating them one by one, to see whether the problem goes away in the meantime. Next, reinstall Comodo. And if all this does not lead to a solution, install it on a second computer. What I really would hate is to reinstall Windows…

But not today. Friday evening. :■■■■
Nevertheless, I will let you know…

One more thing:

Jaster, maybe we can find some things our systems have in common!? Did you also have Agnitum outpost installed and uninstalled it before you installed Comodo?

Wish you all a nice weekend,
schlonz

This is unreal! What a coincidence. Sorry about this long mail, but I just have to describe the entire process.

YES, I did have Agnitum Outpost installed last time. And I removed it, and I installed Comodo, then found it too “laggy” and uninstalled then installed jetico, then uninstalled and installed Kerio Sunbelt, and after hearing all the great things about Comodo, thought I’d give it a proper try this time and made sure the logging is not slowing it down. So, I have tried quite a number of firewalls. Think I am going to stick with Comodo now.

The weirdest thing is that Windows Security Centre showed that I still have Agnitum Outpost when I did my last install of Comodo. OK from the top, when I still had Kerio, I believe I did take a look at the Windows Security Centre, and it showed I have Kerio firewall and it is fine with it. After I uninstalled Kerio, I noticed that Windows Security Centre (aka WSC for the rest of this post) says I have 2 firewalls! I checked Windows Firewall and it was on. I switched it off, and WSC still showed I have Agnitum Outpost on as firewall. Outpost was uninstalled a long time ago and many firewalls have been installed in its place, although I can’t say that I did consciously take note of what was displayed in WSC. When I had Kerio installed, I am fairly certain that WSC displayed the Kerio firewall correctly and it didn’t say I had 2 firewalls.

So, I installed Comodo, then checked WSC and it is still showing Agnitum Outpost as my one and only firewall. I uninstalled Comodo, and installed Agnitum again, hoping it was just a WSC glitch and another uninstall of Agnitum will remove the WSC glitch. So I uninstalled Agnitum again, but WSC still shows Agnitum as the one and only firewall. I tried to look for some tool to remove Agnitum completely, but can’t find any. I can’t find a complete guide to manually and completely remove Agnitum. I have removed the Agnitum directory within Program Files. If someone can point me to the right direction, I would be grateful. Anyways, I thought well, I don’t have the time to mess around with this, and since other firewalls were working fine the WSC detected them fine, I guess there might be no difference for Comodo as well. So, I just went ahead with the installation and here I am. And yes, the WSC is still showing Agnitum as the one and only firewall on my system.

Are you in the same situation?

Hi Jaster,

I had the same problem. Outpost was deinstalled but still WSC showed it. Not Comodo. Another user here in the forum (dooplex) posted helpful instructions which remedied this for me:

  1. Start → Run → wbemtest.exe

  2. In wbemtest click ‘Connect…’

  3. Where it says ‘root\default’ overtype with:
    root\SecurityCenter
    click ‘Connect’

  4. You see a lot of buttons, click ‘Query…’

  5. Run the query:
    Select * From FirewallProduct

  6. Double-click the entry and check things like the companyName to make sure the entry indeed describes Outpost.

  7. If it is the right one click ‘Close’ and delete the entry by clicking ‘Delete’.

  8. Reboot.

Alternatively you might want to look into the original thread which gives quite some other ways of getting rid of it:

https://forums.comodo.com/help/cpf_not_recognized_by_windows_resolved-t545.0.html

I am really starting to wonder what other unfriendly leftovers Outpost presented us with…

Regards,
schlonz
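The wbemtest steps above (steps 3 to 8) as a PowerShell script; this is an added example, not code from the thread or from dooplex. It runs the same query against root\SecurityCenter, lists every registered FirewallProduct so you can check companyName first, and only deletes the matching entry when -Remove is given. The default company string ‘Agnitum’ is the vendor named in the thread.

```powershell
# Added example, not from the original posts. Lists Windows Security Center
# firewall registrations and optionally removes a stale one (an uninstalled
# product that WSC still reports). Assumed default vendor string: Agnitum.
param(
    [string]$Company = "Agnitum",
    [switch]$Remove
)

# Steps 3 and 5: same namespace and query as the manual wbemtest procedure.
$products = Get-WmiObject -Namespace "root\SecurityCenter" `
                          -Query "Select * From FirewallProduct"

if (-not $products) {
    "No FirewallProduct instances registered in root\SecurityCenter."
    return
}

# Step 6: show what each entry claims to be before touching anything.
"{0,-30} {1,-30} {2}" -f "displayName", "companyName", "enabled"
foreach ($p in $products) {
    "{0,-30} {1,-30} {2}" -f $p.displayName, $p.companyName, $p.enabled
}

# Step 7, guarded: select only entries whose vendor matches -Company.
$stale = @($products | Where-Object { $_.companyName -like "*$Company*" })
if ($stale.Count -eq 0) {
    "No entry matching company '$Company'; nothing to delete."
} elseif (-not $Remove) {
    "Found $($stale.Count) entry(ies) matching '$Company'. Re-run with -Remove to delete."
} else {
    foreach ($s in $stale) {
        "Deleting stale WSC registration: $($s.displayName) ($($s.companyName))"
        $s.Delete()   # same effect as the 'Delete' button in wbemtest
    }
    "Reboot now (step 8) so Security Center re-reads the namespace."
}
```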

Hi,

Back to the DNS problem. I found a solution but I am anything but happy with it.

If I disable ‘Monitor DNS queries’ in ‘Advanced/Application Behavior Analysis’ my applications use svchost for DNS queries again and hence the dns cache gets populated. Fine.

Could have thought of this earlier. Although, the description in the help file does not easily lead to the right conclusion: ‘Monitor DNS Queries - Forces the firewall to monitor DNS requests so that viruses trying to use Windows system services for DNS queries will be detected.’
Whatever this really means…

BUT:
My setup is still the same as described above except this one change in the advanced settings.

Now Comodo does not give me a single hint whether a DNS query occurs or not.
To make things even worse I set up the following application rule (the only one!) for svchost.exe:
Action: Ask
Protocol: TCP or UDP
Direction: In/Out
Destination IP: Any
Destination Port: Any
Nothing activated on the Miscellaneous tab

It does not fire on DNS requests. I made sure that I perform DNS queries not already in the cache!
If I do not have a single rule for svchost.exe and still only have one single block-all-log-all rule in the network monitor, still no Comodo windows popping up to inform me about outgoing traffic by svchost.exe.

I would expect Comodo to tell me that svchost.exe is trying to connect to the outside so I can create rules which allow it to connect to my DNS servers port 53 UDP only.

Does that mean I fixed the DNS cache problem by introducing a big hole in the FW?

I am starting to get desperate.

UPDATE:
I just deinstalled Comodo and reinstalled it in Automatic mode. The DNS behavior is exactly the same as before.

[edited posting: deleted some rants here. I had overlooked something.]

Regards,
schlonz

Schlonz,

Go to Security/Advanced/Miscellaneous, and uncheck the box “Do not show alerts for applications certified by Comodo.” You can keep your ‘ask’ rule for svchost.exe in place. Parent will probably need to be set to ‘Learn’ or ‘services.exe’.

Reboot. When you reboot, you should start seeing alerts for svchost.exe. The situation is that under normal circumstances, the Safelist is used; any applications on that cryptographically signed list do not generate alerts for normal activity. DNS queries are normal activity for svchost.exe; thus, no alerts.

By disabling the safelist, you’ll get alerts for that - and a whole lot more! So be ready…

Hope that helps,

LM

Hi Little Mac,

As mentioned above I have already disabled ‘Do not show any alerts for the applications certified by Comodo’ in Advanced/Miscellaneous. That is exactly what troubles me.

Regards,
schlonz

Sorry I missed that, schlonz. That is troubling. And you already reinstalled using Automatic, so we can rule that out as a potential source of trouble.

Have you filed a ticket with Support? http://support.comodo.com/

If not, I would suggest doing that. I’m not sure what is causing this issue, and I think it would be good if they had all the information at their disposal, to weigh in on the issue. When you file the ticket, please give them a link back to this thread/topic, so that they can see the steps/process you’ve been through. And keep us posted on their response.

LM