I’ve created a network zone with the beautiful name of “Safe computers”. In this zone, I’ve included several IP addresses and a dynamic host (SomeName.no-ip.org).
The question is how often does CIS refreshes the hosts entered in the firewall policies?
The IP address of the computer behind the dynamic host changes often and when it does, Comodo will block it for several hours (I don’t know exactly how long) because it didn’t re-resolve the domain name yet…
Is there a solution to this problem?
I am not familiar with this type of set up. You can define a Network zone by MAC address instead of IP addresses. That may do the trick for you.
The ‘dynamic hosted’ computer is behind a gateaway so I can’t use MAC filtering…
I use a Dynamic DNS too. This is my configuration.
Your Dynamic IP sofware will contact its server at a regular interval to update your IP: This is an outbound connection only. It needs outbound rules in the Network Security Policy on the Host for the Dynamic IP Sofware.
Global rules best serve the purpose of Inbound connections. The only global rule I have is inbound connection on port 80 at destination to the MAC address of the host. The top-down rule is a Deny IN/OUT IP all.
The router will forward any inbound connection on port 80 to the host MAC address. The Dynamic IP software will update the server every n’ minutes with your IP Change and adjust your DDNS.
Is it of any help?
Thank you for your reply but the problem is that I want to connect from this dynamic hosted computer to another one (using remote desktop), since I don’t want to rely on Microsoft, on the computer I want to connect to, I set Comodo to only allow incoming connections from a certain set of IPs and hosts and one of these host does not resolve to a static IP. So when its IP changes Comodo will no longer recognize it.
So the question is how often does CIS updates the host’s IPs in its firewall policies?
Try defining the dynamic host by it’s NIC’s MAC address rather than by IP.
Should work out for your situation. I hope.
Later
As I said the computer with a dynamic host is on the internet (not on a LAN) and so access other computers through a gateway given by the ISP at each IP change… So the MAC address seen is the one from the gateway…
Then you would need to allow an IP range, if you can figure out the possible ranges available from “there”,
and narrow it further to specific ports and protocols?
If I get your earlier question the Firewall will never change the IP by itself for a rule.
Unless the rule was defined by a resolvable host name, that gets around the IP dilemma.
Later
If I understand the original question, a remote system has a dynamic address, and is accessible by a DNS lookup, so wyou want to have a rule that does something like this:
allow IP In from remotehost.example.com to me
or
allow TCP In from www.google.com to any where source port is 80 and destination port is any
As a hostname, the question becomes: how often, if at all, does CIS update the IP address in the firewall rules to allow that example to work.
I don’t know the answer to that. But, yes, you should be able to use a host name in place of the IP address. I suspect that the time is related to the DNS timeout values (called TTL - time to live, as part of the DNS records). Any time limit shorter than the DNS TTL would cause problems, and probably a lot of DNS lookups.
Yes exactly, I have a rule like:
‘allow IP In from remotehost.example.com to me’
It works great until the IP of this host is reset while I’m using it to access to my main computer (which has the above rule)… I never figured out when Comodo updated the ip associated to the host.
Is there a way to check the TTL of a host DNS record?
Then you would need to allow an IP range, if you can figure out the possible ranges available from "there", and narrow it further to specific ports and protocols?If I get your earlier question the Firewall will never change the IP by itself for a rule.
Unless the rule was defined by a resolvable host name, that gets around the IP dilemma.
It’s an IP given by Orange (one of the biggest ISP in France) so setting a range will probably allow the whole town to access my computer 
Is there a way to check the TTL of a host DNS record?Yes, there is in the ix/BSD environment, where the tool is called "dig", or "host -v". In the Windows environment, I can't think of a standard tool that will show the near-raw DNS records.
It works great until the IP of this host is reset while I'm using it to access to my main computer (which has the above rule)... I never figured out when Comodo updated the ip associated to the host.
That’s a hazard of having a dynamic address and a DNS cache. If the remote system has a DNS TTL for, say, 1-hour and then by luck of the draw changes it’s IP address 45 minutes in, anybody who has that old IP address in their lookup cache won’t be able to connect for that remaining 15 minutes. That’s the way DNS caching works.
To force a lookup, you need to flush the DNS cache on your machine so that current-as-of-now information gets loaded and used. In the Windows environment, at a command prompt, you run “ipconfig /flushdns”. I would presume that CIS is using the Windows DNS cache, rather than trying to maintain one internally.
Thanks grue155,
If your machine is XP, then you can disable the DNS Server Service in Windows so it doesn’t cache.
This will cause a fresh DNS request each time it has to resolve a host name. IIRC
I’ve done this before for other reasons, the performance impact was negligible.
Later
Good point, but it reminds me that the upstream DNS servers are also caching servers. The only DNS server that would know immediately of an IP address change, is the parent host. All updates propagate outward from that parent host at the TTL speed.
Phrasing that a little differently, so it’s a bit more understandable. Consider an example.
Let’s assume my dayjob has a web server that is supposed to be Internet accessible. Being a poorly funded, the dayjob has only a dynamic connection. So there is a changing IP address associated with www.dayjob.example.com. When the phone line gets a hiccup, the IP address changes, and the ISP the dayjob connects thru updates their nameserver (they are the “authorative” source for the IP address), to say to the anyone in the world what the proper IP address is as of right now.
Now you, as customer, like the stuff on www.dayjob.example.com. While browsing the web site, suddenly it goes poof and is unreachable. That was the dayjob phone line hiccup. So you flush your DNS cache on your machine, or turn the cache off. Great! Ah… but I can’t get to the web site. That’s because my DNS query is going to my ISP DNS servers, which are also caching servers (any DNS server that is not authorative for a given domain, is a caching DNS server. That’s how it works.)
But to find out what the IP address is right now, as I just don’t want to wait for the TTL cache to time out, I can query the authorative server directly. That’s a manual operation, using the Windows available tool “nslookup”. First you have to find out what the authorative server is, and then you have to query that server directly. By the time you get thru all that, the TTL has probably timed out, and things just work again.
Short summary, there is a window when dynamic address changes that the host won’t be accessible by name. The duration of that window is likely half the TTL on average, and the full TTL at worst.
100% correct gru155,
So where does that leave this for the OP question.
Nothing can be done locally to overcome this but to.
Run home and query Authoritative DNS server. :-TD
Allow a huge IP range. :-TD
Just wait it out.?
Hmmmm?
Couldn’t this be gotten around by using a tool like EVPN or Team Viewer.
Use a VPN to connect to home.
Later
Wait it out is the straightforward, if inconvenient, solution.
A VPN, or VPN-like, solution has the same problem. What’s the IP address for the connection?
A compromise, is allowing a wide IP range in the CIS rules, and having a VPN with very tight authentication rules, like using a crypto certificate rather than guess-able (even brute force testing) passwords. The CIS rules would restrict where any attack/probe could come from, and the tight authentication would make any such attack a computationally expensive thing to do.
Thank you for all this information 
I think that dynamic host providers such as no-ip.org or dyndns.org set shorts TTL for their records.
The question is does Comodo respects those TTL or does it use some hard coded delay?
I personally think it’s the later because I remember being unable to reach my main computer for more than 8 hours after an IP change… maybe Comodo resolves hosts every 12 or 24 hours, I don’t know since I usually stay less than 24hours at the remote location.
Looking at a dyndns.org hostname, it looks like dyndns.org is using a 60 second TTL. I would expect that no-ip.org to be using something similar, probably no more than 300 seconds.
In which case, it would seem that CIS is making a query once, and then considering the result as a permanent IP assignment. Which is definitely not the case.
I’d say that you have found a bug in CIS.
Do I have to make a bug report then?
I’ve just posted a new topic in the bug forum since I’m once again locked out of my main computer…