Just a quick question - sorry if this has been answered elsewhere, but after doing a couple of searches I could not find an answer to this.
This is not a big deal and everything appears to work correctly - I’m just curious as to what this log entry means.
When checking through my firewall logs I came across multiple entries from one of my DNS servers; they started last night and have popped up approximately every half hour since. Going back over a week in the logs shows no other similar entries - it just seemed to start out of nowhere last night.
The entries all look like this…
Windows Operating System - Block - ICMP - [one of my DNS servers] - Type(3) - [My internal IP] - Code(3) - Date/Time
My question is should I be allowing this traffic as it comes from one of my ISP’s DNS servers or should I just continue to block it?
I have a rule to allow ICMP from my DNS servers. I trust them. The message you are blocking tells Windows that port 53 on one of your DNS servers is down; knowing that should speed up selecting the next one on your list. Practically, if you block them and there is no response, it should time out and try the next one anyway.
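Added example (not code from the thread or from the firewall vendor): a small triage script for log entries in the format quoted above. It parses each line, decodes the ICMP type/code, groups entries by source, measures the gap between them (to confirm the "every half hour" pattern) and marks only type 3 / code 3 from a server on your configured DNS list as a candidate for an allow rule. The IP addresses, the ISO timestamp format, the trusted-server list and the sample lines are all constructed for illustration (RFC 5737 documentation ranges), not taken from the poster's logs.

```python
"""Triage Comodo-style firewall log lines for ICMP arriving from DNS servers.

Expected line layout (from the thread):
  Application - Action - Protocol - Source - Type(N) - Destination - Code(N) - Date/Time
The timestamp format below (YYYY-MM-DD HH:MM:SS) is an assumption for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# ICMP "Destination Unreachable" (type 3) codes, RFC 792 / RFC 1122 (subset).
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "destination network administratively prohibited",
    10: "destination host administratively prohibited",
    13: "communication administratively prohibited",
}

LOG_RE = re.compile(
    r"^(?P<app>.+?) - (?P<action>\w+) - (?P<proto>\w+) - (?P<src>[\d.]+)"
    r" - Type\((?P<type>\d+)\) - (?P<dst>[\d.]+) - Code\((?P<code>\d+)\)"
    r" - (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


def parse_entry(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["type"] = int(d["type"])
    d["code"] = int(d["code"])
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def describe_icmp(icmp_type, code):
    if icmp_type == 3:
        return "destination unreachable: " + ICMP_UNREACHABLE_CODES.get(code, f"code {code}")
    return f"type {icmp_type} code {code}"


def triage(lines, trusted_dns):
    """Per-source verdict: only type 3 / code 3 from a configured DNS server is an
    allow candidate; anything else stays blocked until someone looks at it."""
    by_src = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e and e["proto"] == "ICMP":
            by_src[e["src"]].append(e)

    verdicts = {}
    for src, entries in by_src.items():
        entries.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(entries, entries[1:])]
        all_port_unreach = all(e["type"] == 3 and e["code"] == 3 for e in entries)
        if src in trusted_dns and all_port_unreach:
            verdict = "allow: port-unreachable from a configured DNS server"
        elif src in trusted_dns:
            verdict = "review: trusted source but unexpected ICMP type/code"
        else:
            verdict = "keep blocking: source is not a configured DNS server"
        verdicts[src] = {
            "count": len(entries),
            "min_gap_s": min(gaps) if gaps else None,
            "kinds": sorted({describe_icmp(e["type"], e["code"]) for e in entries}),
            "verdict": verdict,
        }
    return verdicts


# Constructed sample lines and trusted list (not real log data).
SAMPLE_LOG = [
    "Windows Operating System - Block - ICMP - 192.0.2.53 - Type(3) - 10.0.0.5 - Code(3) - 2009-03-01 22:01:14",
    "Windows Operating System - Block - ICMP - 192.0.2.53 - Type(3) - 10.0.0.5 - Code(3) - 2009-03-01 22:31:20",
    "Windows Operating System - Block - ICMP - 192.0.2.53 - Type(3) - 10.0.0.5 - Code(3) - 2009-03-01 23:01:09",
    "Windows Operating System - Block - ICMP - 198.51.100.7 - Type(3) - 10.0.0.5 - Code(3) - 2009-03-01 22:40:00",
    "Windows Operating System - Block - ICMP - 192.0.2.54 - Type(8) - 10.0.0.5 - Code(0) - 2009-03-01 23:05:00",
]
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

if __name__ == "__main__":
    for src, v in triage(SAMPLE_LOG, TRUSTED_DNS).items():
        print(src, v)
```

Run it against an export of the firewall log (with the timestamp pattern adjusted to whatever your firewall writes); a source that is not on your resolver list, or a trusted source sending something other than port-unreachable, should not get the blanket allow the thread ends up with.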
Thanks for the quick reply, I’ll add this as a global allow then - I thought my browsing seemed a little slower than normal.
You should also put the same rule under Windows Operating System in the Application Rules.
That would be the entry simply marked as "System" under Application Rules, I take it? At present the rule for System is "IP out from IP any to IP any" - I should add the ICMP in from [DNS Servers] to [MY IP] in here?
It looks like Windows Operating System is a superset of System. I went to the running process list and made a set of rules for it based on what was already in "System", plus the DNS rule and a few others. I was getting some block messages when I used just "System".
Just putting a rule in for System seemed to do the trick for me - I no longer get the log entries for ICMP from my DNS servers, so I think I'll just leave it set up like that for now. If I have any more problems then maybe I'll try using your method for Windows Operating System.
Thanks for the help, glad I now know what was going on.
Found that some things were blocked by system, even though allowed by Windows Operating System. Looks like they require separate rules anyway.
Something I tripped over is that Windows will very quickly close sockets after getting an answer. Using DNS as an example, an application does a DNS query, and the DNS server answers. Typical protocol implementation is to send three copies, to increase the probability that at least one will get through. UDP is called an "unreliable" protocol as there is no error checking to make sure any packet will ever reach its destination. Since packets are on a wire, like a single-track railway, they have to line up one after the other. Windows is holding open a socket looking for an answer to be coming back from the DNS server. Windows will take the first packet that comes in as the answer, and will close the socket. The following copy packets no longer have a socket waiting on them, and so get refused. Windows sends back an ICMP "port unreachable" to the DNS server. Depending on your CFP rules, you can get a lot of log messages about DNS and ICMP traffic, inbound or outbound.
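Added example (not code from the thread): what a "port unreachable" actually carries on the wire, and why a host or a stateful firewall can tie it back to a particular DNS exchange. Per RFC 792, ICMP type 3 / code 3 quotes the IP header plus the first 8 bytes (the UDP header) of the datagram that could not be delivered. The script builds such a message, decodes the quoted headers to recover the original source, destination and ports, verifies the ICMP checksum, and checks that the quoted flow is the one the error claims to be about. It covers both directions: the entry logged earlier in the thread (DNS server to client, quoting the client's query to port 53) and the case described in this post (client to DNS server, quoting the server's late reply to the client's ephemeral port). Addresses and port numbers are constructed (RFC 5737 ranges), and the helper names are this example's own.

```python
"""Build and decode ICMP Destination Unreachable / Port Unreachable (type 3, code 3)."""
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    # UDP checksum left at 0 (permitted over IPv4); it is not needed for the quote.
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_port_unreachable(orig_ip_header: bytes, orig_l4_first8: bytes) -> bytes:
    """ICMP type 3 / code 3: type, code, checksum, 4 unused bytes, then the quoted
    original IP header and the first 8 bytes of its payload."""
    body = orig_ip_header + orig_l4_first8[:8]
    csum = inet_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, csum, 0) + body


def decode_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP error and recover the original flow from the quoted headers.
    Raises ValueError on a bad checksum or a truncated quote."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error: need 8 + IP header + 8 bytes")
    if inet_checksum(icmp) != 0:          # a correct message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        raise ValueError("quoted datagram too short")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "type": icmp[0], "code": icmp[1],
        "proto": inner[9],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_sport": sport, "orig_dport": dport,
    }


def quotes_flow(icmp: bytes, src: str, dst: str, dport: int) -> bool:
    """Check a firewall could apply before accepting the error: it must be a
    port-unreachable whose quoted datagram is UDP from src to dst:dport."""
    try:
        d = decode_unreachable(icmp)
    except ValueError:
        return False
    return (d["type"] == 3 and d["code"] == 3 and d["proto"] == 17
            and d["orig_src"] == src and d["orig_dst"] == dst and d["orig_dport"] == dport)


# Constructed scenario: client 10.0.0.5 queried DNS server 192.0.2.53 from
# ephemeral port 51234 with a 40-byte query; the server returns port-unreachable
# for that datagram (the direction seen in the logged entry).
CLIENT, DNS, EPHEMERAL = "10.0.0.5", "192.0.2.53", 51234
ICMP_FROM_SERVER = build_port_unreachable(
    ipv4_header(CLIENT, DNS, 17, 8 + 40), udp_header(EPHEMERAL, 53, 40))

# Mirror case from this post: the client's socket is already closed when a
# duplicate 120-byte reply arrives, so the client sends the error to the server.
ICMP_FROM_CLIENT = build_port_unreachable(
    ipv4_header(DNS, CLIENT, 17, 8 + 120), udp_header(53, EPHEMERAL, 120))

if __name__ == "__main__":
    print(decode_unreachable(ICMP_FROM_SERVER))
    print(quotes_flow(ICMP_FROM_SERVER, CLIENT, DNS, 53))
    print(decode_unreachable(ICMP_FROM_CLIENT))
    print(quotes_flow(ICMP_FROM_CLIENT, DNS, CLIENT, EPHEMERAL))
```

The quoted header is the whole point of the blanket "allow ICMP from my DNS servers" rule being safe enough in practice: a stateful firewall that keeps the UDP conversation in its table can match the error against it, whereas an ICMP error whose quote names a flow you never started is just noise and can stay blocked.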