I’ve granted svchost.exe access to download.windowsupdate.com by specifying this host name. Later and in spite of this, I was asked whether to allow svchost access to a certain IP. Using nslookup, the IP resolves to download.windowsupdate.com. I was wondering why I’m being asked because there is already a matching rule. Why is it?
Is it because the DNS is dynamic? This means, at one point in time, download.windowsupdate.com is resolved to 184.108.40.206, 220.127.116.11, 18.104.22.168 (alias host name is y.fg.download.windowsupdate.com.c.footprint.net), and at a later point in time, download.windowsupdate.com is resolved to 22.214.171.124, 126.96.36.199 (alias name a767.dspw65.akamai.net).
So, does the FW store the 8.* IPs internally? Later, they do not match the 2.* IPs, and, consequently, the rule doesn’t match? How can we solve this issue?
Comodo takes the lowest IPv4 address and the highest IPv4 address that a host name resolves to and uses that range to base the rule on. For example, if I created a block rule for yahoo.com, the registry entry where the rule is saved looks like this: AddrStart 188.8.131.52 AddrEnd 184.108.40.206. If we do a DNS lookup of yahoo.com you get this:
So every IPv4 address within 220.127.116.11 - 18.104.22.168 will be blocked even if it doesn't belong to yahoo.com, and if yahoo.com ever resolves to an IP address outside that range then it will be allowed. Using a rule based on a host name is generally not a good idea.
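The behaviour futuretech describes (a host-name rule stored as a lowest-to-highest address range) is easy to model, and doing so shows both failure modes at once: a later resolution outside the range is not matched, so the firewall prompts again, while an unrelated address inside the range is matched although it never belonged to the host. The following script is an added example, not code from the forum post or from Comodo; the addresses are constructed from the RFC 5737 documentation ranges, and the range-based rule is an assumption that follows futuretech's description rather than Comodo's actual implementation.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses, not real resolutions).
FIRST_LOOKUP = ["203.0.113.40", "203.0.113.5", "198.51.100.200"]   # when the rule was created
LATER_LOOKUP = ["192.0.2.10"]                                       # same host name, later
UNRELATED_IP = "198.51.100.250"                                     # never resolved from the host


def rule_range(resolved):
    """Model a host-name rule as the lowest..highest IPv4 address it resolved to
    at rule-creation time (AddrStart..AddrEnd), as futuretech describes."""
    addrs = sorted(ipaddress.IPv4Address(a) for a in resolved)
    return addrs[0], addrs[-1]


def rule_matches(rule, ip):
    """True if the firewall would treat ip as covered by the range rule."""
    start, end = rule
    return start <= ipaddress.IPv4Address(ip) <= end


def evaluate(rule_resolved, later_resolved, unrelated_ip):
    """Summarise the two failure modes of a range rule for the given resolutions.

    Returns (rule_as_text, prompted_again_for, wrongly_covered):
      prompted_again_for - later resolutions that fall outside the stored range,
                           i.e. the user is asked again despite the host-name rule
      wrongly_covered    - unrelated addresses that the range swallows anyway
    """
    rule = rule_range(rule_resolved)
    rule_text = f"AddrStart {rule[0]} AddrEnd {rule[1]}"
    prompted_again_for = [ip for ip in later_resolved if not rule_matches(rule, ip)]
    wrongly_covered = [ip for ip in [unrelated_ip] if rule_matches(rule, ip)]
    return rule_text, prompted_again_for, wrongly_covered


if __name__ == "__main__":
    rule_text, missed, overblocked = evaluate(FIRST_LOOKUP, LATER_LOOKUP, UNRELATED_IP)
    print(rule_text)
    print("later resolutions that trigger a new prompt:", missed)
    print("unrelated addresses the rule also covers:   ", overblocked)
```

Running it prints the stored range (198.51.100.200 to 203.0.113.40), shows that the later resolution 192.0.2.10 is outside it and would trigger a fresh prompt, and shows that 198.51.100.250 is inside it although it was never an address of the host. When the destination cannot be pinned to fixed addresses, a narrower alternative is to restrict the rule by port and protocol (for example TCP 80/443 only) and to review the firewall's prompts rather than widening the range.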
Thanks futuretech for this helpful piece of information. Sorry, I wasn’t able to find it before.
Yes, using a host name is not a good idea. However, specifying IP addresses is not possible in this case. (svchost is a beast anyway…)
Thanks, this cleared things up