Open a port

If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443. This will make most firewalls think it's HTTPS traffic and leave it alone.

The program file is in my policies as a trusted app, and there are no issues with that. I just want to know, if I want to be specific, how I custom-set this app to use port 443.

It’s already in program rules, should I change it there or put it in global rules? What are the differences between these two? I guess you set programs in program rules…

So, TCP in/out, or just one of them?
And what port is 443: is it the source or destination port, or both, or 444 for the destination port…?

And what is the exclude option over there?

Not sure what app you’re talking about. But in general port 443 is used for HTTPS / SSL communication. Unless explicitly required: only outbound TCP is required to be established per app. Comodo doesn’t care, it has a stateful packet filter, i.e., by app, by protocol, by port (it's either allowed explicitly or implicitly denied).

My browser, IE8, has the following rules:

Allow TCP out from in [local_0] to in [local_127] where source port is any destination port is in [843]
Allow TCP out from in [local_0] to in [local_127] where source port is any destination port is in [80 / 443]
Allow TCP out from in [local_0] to in [local_127] where source port is any destination port is in [5152]
Allow TCP out from in [NIC] to MAC any where source port is any destination port is in [HTTP ports]
Allow TCP out from in [NIC] to MAC any where source port is any destination port is in [Adobe RTMP]
Allow TCP out from in [NIC] to in [webcs.yahoo] where source port is any destination port is in [5050 / 843]

where local_0 and local_127 are local loopback, i.e., 0.0.0.0 and 127.0.0.1
HTTP ports = 80, 81, 443 & 8080
Adobe RTMP = 843, 1935
webcs.yahoo = Yahoo web-mail servers

These are the ‘mining truck’ rules that handle 99.9% of IE internet connection attempts. Alerts that invariably appear for IE will be because outbound TCP communication is attempted on some port other than those specified above. Ports other than those specified are for special content delivered by web-sites and are approved ad hoc (but never remembered). Special content can be animation, music, Flash, Silverlight, et al. Unless a URL is frequently visited requiring access to a particular port, why create a rule for it?

Most TCP will be on port 80, but when login or other secure info is transmitted, a connection will be made on port 443. Sometimes URLs are used exclusively for port 80, sometimes for port 443 (and sometimes the same URL will do both). I implement network zones heavily.

My naming convention is:
host name, e.g. webcs.yahoo
app name
port (if other than 80)

If I see a URL in a port 443 network zone already in a port 80 network zone for the same app, I merge the two URLs into a shared network zone for that app (specified with suffix 80/443). Then I create a rule using that shared zone and specify destination port 80 / 443. So that app will have one rule for port 80 only, one rule for 80 / 443 and one rule for 443 only (per network zone).

I use Whois to get the host name of the domain a URL resides in.

You may wonder how UDP on port 53 is handled. DNS resolution to an IP address is done using the UDP protocol on port 53. E.g., resolving webcs.yahoo to 67.195.186.64

I have ONE rule for ALL apps that does that:

Allow UDP out from in [NIC] to in [DNS] where source port is any destination port is in [53]

This rule is applied to the DNS file group, i.e., ANY app that ever requests UDP out on port 53.

The DNS network zone is the DNS servers for my ISP.

The name of the app is DNSCrypt, it’s a secure DNS server.
I’m sorry but I didn’t get the answer to my question.

You’ll need a rule for the DNSCrypt app TCP out to the URL of the secure DNS server destination port 443.

Global rules are interpreted at the system perimeter, i.e., they run interference on all inbound packets before either SYSTEM, WINDOWS OPERATING SYSTEM or any targeted apps see them. Global rules are the final arbiter of all outbound traffic.

I’m guessing the DNSCrypt app intercepts normal app DNS resolution to DNS servers via UDP to destination port 53, by wrapping said packets as TCP to destination port 443. As such, I believe the rule for DNSCrypt app would take the place of my single UDP out rule I described in my previous post.

How that plays nicely with your apps: I have no idea (D+ rules may come into play there).

The description about using port 443 TCP is not specific about the direction of the traffic.

If your computer needs to be open for incoming traffic at port 443 TCP you need to make a rule in Global Rules to allow for this traffic.
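The replies above describe three mechanisms without showing them interact: a per-app rule is matched on the destination port (443), not the source port; because the filter is stateful, the resolver's reply to an allowed outbound connection needs no inbound rule; and an unsolicited inbound packet to port 443 is seen by Global Rules first and is dropped unless one allows it. The following toy model, written for this page and not Comodo's code, puts those three rules together and runs the DNSCrypt flow through them. The application names, the zone names and the IP addresses (TEST-NET ranges) are made up; the rule-ordering is taken from the posts above (app rules first for outbound with global rules as final arbiter; global rules first for unsolicited inbound).

```python
"""Toy model of the stateful rule evaluation described in this thread.

Constructed example for illustration only; not Comodo's engine. It models
per-application rules for outbound connections, a state table so replies to
an allowed outbound flow need no inbound rule, and global rules that see
inbound packets first and have the last word on outbound ones.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for zones and port sets


@dataclass(frozen=True)
class Packet:
    app: str          # owning process, e.g. "dnscrypt-proxy" (assumed name)
    proto: str        # "TCP" or "UDP"
    direction: str    # "out" or "in"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "block"
    proto: str                            # "TCP", "UDP" or "IP" (any protocol)
    direction: str                        # "out" or "in"
    dst_zone: Optional[frozenset]         # network zone (set of IPs) or ANY
    dst_ports: Optional[frozenset]        # destination ports or ANY
    src_ports: Optional[frozenset] = ANY  # source port: normally ANY (ephemeral)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("IP", p.proto)
                and self.direction == p.direction
                and (self.dst_zone is ANY or p.dst_ip in self.dst_zone)
                and (self.dst_ports is ANY or p.dst_port in self.dst_ports)
                and (self.src_ports is ANY or p.src_port in self.src_ports))


def first_match(rules, p: Packet):
    """Rules are ordered; the first matching rule decides, else None."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


class Firewall:
    def __init__(self, app_rules, global_rules):
        self.app_rules = app_rules        # {app name: [Rule, ...]}
        self.global_rules = global_rules  # [Rule, ...]
        self.state = set()                # tracked flows as 5-tuples

    def evaluate(self, p: Packet) -> str:
        if p.direction == "out":
            # Application rules first; global rules are the final arbiter.
            if first_match(self.app_rules.get(p.app, []), p) != "allow":
                return "block (no app rule)"
            if first_match(self.global_rules, p) == "block":
                return "block (global rule)"
            self.state.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        # Inbound: a reply to a tracked flow never needs an inbound rule.
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.state:
            return "allow (stateful reply)"
        # Unsolicited inbound: global rules run interference first ...
        if first_match(self.global_rules, p) != "allow":
            return "block (global rule)"
        # ... and only then does the targeted app's own rule get a say.
        if first_match(self.app_rules.get(p.app, []), p) == "allow":
            return "allow"
        return "block (no app rule)"


# Made-up addresses (RFC 5737 documentation ranges).
RESOLVER = "203.0.113.53"   # assumed DNSCrypt resolver listening on TCP 443
ISP_DNS = "198.51.100.1"    # assumed ISP DNS server for the plain UDP/53 rule
ME = "192.0.2.10"


def build_firewall(open_inbound_443: bool = False) -> Firewall:
    app_rules = {
        # The rule suggested above: TCP out to the resolver, destination port 443.
        "dnscrypt-proxy": [Rule("allow", "TCP", "out", frozenset({RESOLVER}), frozenset({443}))],
        # The thread's single UDP out / destination port 53 rule for the DNS file group.
        "iexplore": [Rule("allow", "UDP", "out", frozenset({ISP_DNS}), frozenset({53}))],
    }
    # Global default: block all unsolicited inbound traffic.
    global_rules = [Rule("block", "IP", "in", ANY, ANY)]
    if open_inbound_443:
        # Opening inbound 443 needs a Global Rule *and* an app rule for the listener.
        global_rules.insert(0, Rule("allow", "TCP", "in", ANY, frozenset({443})))
        app_rules["listener"] = [Rule("allow", "TCP", "in", ANY, frozenset({443}))]
    return Firewall(app_rules, global_rules)


def dnscrypt_exchange(fw: Firewall):
    """Query from an ephemeral source port to resolver:443, then the reply."""
    out = Packet("dnscrypt-proxy", "TCP", "out", ME, 51515, RESOLVER, 443)
    back = Packet("dnscrypt-proxy", "TCP", "in", RESOLVER, 443, ME, 51515)
    return fw.evaluate(out), fw.evaluate(back)
```

Running `dnscrypt_exchange` on `build_firewall()` allows the outbound query and the reply, with no inbound rule at all; a packet whose source port is 443 but whose destination is 444 is blocked, because the rule matches on the destination port; and an unsolicited inbound connection to local port 443 is blocked by the global rule until `open_inbound_443=True` adds one.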