Monitor DNS queries option

When I looked at Summary > Application Monitor > Advanced > Application Behavior Analysis, there’s a box 2nd last from the bottom, called, “monitor DNS queries”.
It’s automatically checked.
I talked to my ISP people today and said for some reason my computer is not recognizing any DNY (something lol).
Just wondering if leaving this unchecked would help my torrent dl’s?
What does that option do exactly? Thanks… (V)

Hi kuba

Nearly all programs that use the Internet use a hostname (eg. comodo.com) rather than an IP number (eg. 216.126.201.152). In order to translate the name into an IP address, the program does a DNS lookup of the hostname to get the IP address (it’s known as resolving). It is useful to get CFW to monitor these, because it is normally the first indication that you get of a new application trying to use the Internet (without actually reaching where it wants to go).

DNY? Dynamic IP address maybe?

There’s a very good tutorial on eMule/uTorrent in the FAQ section (by pandlouk) here.

In addition to what kail already said, I’d like to note the following:
Since DNS traffic has to be allowed through firewalls in order to be able to perform the IP-address lookup needed when connecting to a site, some trojans and leaktests attempt to disguise their traffic as a DNS request. However, by limiting access only to those DNS servers you need (often only those provided by your Internet Service Provider [=ISP]), this tactic can be effectively blocked.

Paul Wynant
Moscow, Russia

I don’t think this option limits you to any particular DNS; how would it know what your DNS servers are?

AFAIK it just forces each application rule to include DNS, i.e. UDP out. Once allowed, any DNS server could be contacted, unless you specify “UDP 53 (your DNS servers)” in the rule.

Of course not, but you can preset the ip-address of your DNS servers and other servers that are allowed in the Net Monitor rules. With these rules, even if I allow something by accident on the Application level, it will be blocked. It becomes even possible to disable the DNS monitoring feature.

I added the following rule to the COMODO Network Monitor rules:

  1. Allow and log UDP Out from NAME: paul (10.21.xx.xxx) to IP RANGE: xx.xxx.1.1 - xx.xxx.1.2 where source port is 1024-4999 and destination port is 53
    (DNS rule for my 2 ISP DNS servers only)

Okay well thanks to you guys for explaining this all, I’ll keep re-reading it till I understand it a bit better…lol
P2U, would I get my DNS via ipconfig /all, then apply the same rules?
Or is this strictly for servers that you’re running and controlling the flow of traffic to it?

Mine are in ipconfig/all (‘primary’ and ‘secondary’ DNS servers), because I have a static ip-address. If you have the same, then they should both be there. Otherwise, you will just have to either contact your ISP, or consult your COMODO logs (that is: if you log EVERYTHING, like I do)… The logs with Out UDP destination port 53 are the ones you should be looking for.

Paul Wynant
Moscow, Russia

Great idea. But if I understand how Comodo works, to pull this off you really need to do it like this:

  • Create an Allow rule like the above for each of your ISP’s DNS servers (if not in a range like yours)
  • Below those rules create a rule to block and alert all UDP Out to any IP, port 53
  • Make sure these two rules are above your catch-all, Allow all TCP/UDP Out rule
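
The rule ordering from the list above, as an added example that is not part of the thread and is not Comodo's own code. It assumes the rule list is evaluated top-down with the first match winning; the addresses are constructed placeholders (documentation ranges), not real ISP resolvers, and the `Rule` and `decide` names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "udp", "tcp" or "any"
    dst_lo: str           # first address of the destination range
    dst_hi: str           # last address of the destination range
    dport: Optional[int]  # None means any destination port

    def matches(self, proto, dst, dport):
        in_range = ip_address(self.dst_lo) <= ip_address(dst) <= ip_address(self.dst_hi)
        return self.proto in ("any", proto) and in_range and self.dport in (None, dport)


def decide(rules, proto, dst, dport):
    """Assumed model: first matching rule wins, no match means block."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return "block"


ANY = ("0.0.0.0", "255.255.255.255")
# Constructed placeholder resolvers standing in for the two ISP DNS servers.
ALLOW_ISP_DNS = Rule("allow", "udp", "192.0.2.1", "192.0.2.2", 53)
BLOCK_OTHER_DNS = Rule("block", "udp", *ANY, 53)
ALLOW_ALL_OUT = Rule("allow", "any", *ANY, None)

GOOD_ORDER = [ALLOW_ISP_DNS, BLOCK_OTHER_DNS, ALLOW_ALL_OUT]
# Catch-all placed above the block rule: the block rule is never reached.
BAD_ORDER = [ALLOW_ISP_DNS, ALLOW_ALL_OUT, BLOCK_OTHER_DNS]


def report(rules):
    """Verdicts for three constructed outbound packets under a given rule order."""
    packets = [
        ("udp", "192.0.2.1", 53),      # DNS query to an ISP resolver
        ("udp", "198.51.100.7", 53),   # UDP port 53 to some other host
        ("tcp", "198.51.100.7", 443),  # ordinary web traffic
    ]
    return [decide(rules, *p) for p in packets]


if __name__ == "__main__":
    print("good order:", report(GOOD_ORDER))
    print("bad order: ", report(BAD_ORDER))
```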