Some very strange DNS behaviour 3.0.14

I’m wondering if I’m missing something here!

OK, I have always had the DNS Client Service disabled; this goes back years. I like to create specific DNS rules for each application that has NET access to my ISP’s DNS servers only. I like the control :-X

With 3.0.13, I had no specific issues operating this way, everything worked as it should. Enter 3.0.14!

Let me begin by describing my other firewall rules:

Svchost.exe is allowed to do DHCP only. Everything else is set to ASK (it doesn’t, it’s broken, was under 3.0.13 too)
System is allowed access to the LAN only. Everything else is blocked.
Windows Operating System (formerly SIP) blocks without logging on inbound HTTP ports and blocks everything else.

These are the top three rules in Network Security Policy, or at least they were until 3.0.14.

Remember, I have each application set to do its own DNS, without recourse to the DNS Client Service. Worked well under 3.0.13 and 2.x before that.

Today, I find that one of my applications can’t do DNS. So I delete all the D+ rules and start again, I run in paranoid mode :slight_smile: Still no joy. I check the settings of another of my applications that still works (fx Minefield, a non-safe application) and see that the D+ setting for using the DNS Client service is set to block; I remember now the pop-up I got when this was set. I decide to make the same changes to XNews, the application that couldn’t do DNS. Still no joy.

I started looking at my firewall rules expecting some silly problem, still the same as always. After a while I decide to reorder the firewall rules and move the rule for XNews to the second position, behind Svchost, but above System and WOS. Amazing! It works, and yet Firefox is still below System and WOS and it still works too!

This is obviously something to do with the differences between safe and non-safe applications, but it seems strange to me.

I’ve been with CFP since version 1 until RC1, and now I’m seeing something “weird” happening with v3.0.14.276.

After upgrading from v3.0.14.273 to v3.0.14.276 Azureus is refusing to work. I’m using the same config (saved/exported/imported) that I was with the old version, but… when I start Azureus nothing happens on my desktop (AZ doesn’t come up). Looking at Task Manager I can see AZ running, but nothing is shown on the desktop or systray, and there is not a single connection… weird…

Like Toggie, I have had DNS Client disabled for a long time, and never had any problem with this.

Playing with some configurations, I could see that something linked with DNS or loopback was blocking AZ. I wasn’t able to discover what was blocking it, but after uninstalling/re-installing twice and after playing a lot with some configs AZ now loads and is shown on the desktop, but can’t connect to anyone (tracker or peers). The firewall configuration allows AZ (I’m using the same config that I was using before, when I didn’t have any problem). The AZ error message shows: “Error: socket () failed “n” times in a row, aborting. Azureus / Java is like being Firewalled.”
But, as I said before, AZ is fully allowed… And was working well before…
All my rules for blocking are with the log option, and there aren’t any blocked connections shown on the log page. And, if I config CFP to let AZ “ask” for connections, nothing happens (not one pop-up comes up to allow or deny connections).

Besides minor problems (not operational) CFP always did a good job, but now something unexpected is happening.

Any workaround? What am I missing?

Hi AeoniAn.

I’m still not sure what’s going on with this. 276 is again different from 273, in that it now supports Loopback Networking directly in the firewall.

There is some sort of weird hierarchical thing going on in Network Security Policy, but, quite how it works…

For now, try reordering the firewall rules, see if it makes a difference.

BTW, at first I did import my rules from 273 but found some problems, so I’m now going through it again…

Toggie, thanks for the reply.
Creating a new configuration is hard work for me. I have many IPs listed in my “Blocked Zone”, port group sets, and other configurations that make my “config file” up to 1.5MB. Typing all that data, one by one, is a long and boring job. Is there a way to import partial rules? (like “Blocked IPs”) Is there a way to open the configuration file saved in another app (like Notepad++), so I can copy and paste the addresses into the new rule being created? Is there a way to export the rules to a txt file?
I’ve tried to reorder some rules without success, unfortunately.
I really don’t know what happened; uTorrent and Firefox are still working fine, but AZ is not. Maybe some Java is not playing well with the new .276 version, I don’t know… And WinAmp is taking a long time to be fully loaded. That’s all that I’ve noticed until now.
The log page (for D+ and FW) should show “which is blocked by which” to make our work a little easier…
When I have some time I will try a new fresh install without importing the rules, maybe tomorrow. But for now, after more than 5 hours trying, I’m temporarily back on .273.
Again, thank you!

What DNS client really does (Black Viper/ Vista):
“The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer’s name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.” So turning it back on does nothing to prevent you from using whatever DNS servers you choose. But some programs may try to use the cache instead of a new DNS call, and this can cause problems. I have a zone called DNS, and do DNS by allow/ip/any/DNS/any/53. The only other thing you need to do is to remember to tell your NIC about it. :wink:

Hi sded, as I said earlier, it’s about control. Disabling the DNS Client Service prevents Svchost.exe from performing DNS queries on behalf of applications. I like each application to do its own queries against specific DNS servers.

I quite often see entries in my logs where a DNS query is blocked because it’s sent to a DNS server that is not owned by my ISP and is, therefore, IMHO, suspicious.

Also from Black Viper:

This service is not required for DNS lookups, but if it makes you happy to have it running, you may. If you attempt to "repair" your network connection and a dialog box complains that the "DNS resolver failed to flush the cache," this service is the reason. It is also needed if using IPSEC.

I don’t have a requirement for IPSEC, so that too is disabled. To be honest, the DNS Client Service is only required if one is connected to an Active Directory Domain, or if one uses IPSEC for VPN.
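The per-application DNS rules and the blocked queries to "foreign" resolvers described in this post are easy to audit from the firewall log. The script below is an added example, not code from the thread or from Comodo: it parses a constructed log layout (CFP’s real log columns differ, so the regex is a hypothetical stand-in), treats two made-up addresses from the RFC 5737 documentation range as the ISP’s resolvers, and flags two things a user running with the DNS Client disabled would want to see: any port-53 traffic to a resolver that is not on the approved list, and svchost.exe resolving on an application’s behalf (which should not happen when the service is disabled).

```python
import re
from ipaddress import ip_address

# Constructed for this example: pretend these two addresses are the ISP's resolvers.
APPROVED_RESOLVERS = {ip_address("203.0.113.1"), ip_address("203.0.113.2")}

# Hypothetical log layout; the real CFP log columns differ, adapt the regex to them.
LOG_LINE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<action>Allowed|Blocked) (?P<app>\S+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one clean query, one query to a stray resolver, DHCP,
# svchost resolving although the DNS Client should be off, and ordinary P2P traffic.
SAMPLE_LOG = """\
2008-01-02 10:00:01 Allowed firefox.exe UDP 192.168.1.10:51234 -> 203.0.113.1:53
2008-01-02 10:00:02 Blocked xnews.exe UDP 192.168.1.10:51235 -> 198.51.100.7:53
2008-01-02 10:00:03 Allowed svchost.exe UDP 192.168.1.10:68 -> 192.168.1.1:67
2008-01-02 10:00:04 Allowed svchost.exe UDP 192.168.1.10:51240 -> 203.0.113.2:53
2008-01-02 10:00:05 Allowed azureus.exe TCP 192.168.1.10:51300 -> 198.51.100.9:6881
"""


def parse_log(text):
    """Turn log lines into dicts; lines in an unrecognised layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["dst"] = ip_address(entry["dst"])
        entry["dport"] = int(entry["dport"])
        entries.append(entry)
    return entries


def audit_dns(entries, approved=APPROVED_RESOLVERS, dns_client_enabled=False):
    """Return (app, resolver, action, reason) for every DNS entry worth a look.

    Only destination port 53 is considered. A destination outside the approved
    set is reported whatever the firewall did with it (a Blocked entry confirms
    the rule fired; an Allowed one means a rule is too wide). When the DNS
    Client service is supposed to be disabled, svchost.exe should never be the
    process sending queries, so that is reported too.
    """
    findings = []
    for e in entries:
        if e["dport"] != 53:
            continue
        if e["dst"] not in approved:
            findings.append((e["app"], str(e["dst"]), e["action"],
                             "resolver not on the approved list"))
        elif e["app"].lower() == "svchost.exe" and not dns_client_enabled:
            findings.append((e["app"], str(e["dst"]), e["action"],
                             "svchost resolving although DNS Client is expected to be disabled"))
    return findings


if __name__ == "__main__":
    for app, resolver, action, reason in audit_dns(parse_log(SAMPLE_LOG)):
        print(f"{action:8} {app:14} -> {resolver:16} {reason}")
```

Run against the constructed log it reports the XNews query to the stray resolver and the svchost query; pass `dns_client_enabled=True` when auditing a machine where the service is deliberately on, and only the stray-resolver finding remains.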

Maybe XP and Vista are different. I have DNS client on, and all of my applications set to do direct queries only against specific DNS servers, with a block and log all if there is a problem. And the DNS addresses in the NIC. I can see the proper UDPs go out if I have logging on. I have never seen a DNS query to another server - the main function Vista gets out of the DNS client is the DNS caching. There has been at least one Comodo problem found due to the DNS client being off, and suspicions that there may be other services required besides Terminal Services, since we don’t have a required services list. So I am trying to understand what users think they are getting by turning DNS client off, as well as turning off some of the other services. If you look at Black Viper for Vista, for example, DNS Client is recommended as an “automatic” across the board, OK to disable for Power User/Bare Bones, but not for “SAFE”. Yet lots of users turn it off.

DNS Client is recommended as an "automatic" across the board, OK to disable for Power User/Bare Bones, but not for "SAFE". Yet lots of users turn it off.

They are the same settings as those for XP.

There are of course known exploits against the cache, such as DNS Cache Poisoning, something that is avoided if the Cache is disabled.

There is also the problem with negative caching, I appreciate it can be turned off, but ‘normal’ users won’t know anything about that.

AFAIK, not all applications use the DNS cache… Firefox, for instance, has its own DNS cache.

Most users using Hosts files do turn off DNS Client. It is recommended to do so if using XP, as it is reported to slow the computer down. ME or 98 is said not to be affected.

It does not seem to slow down Vista. I use the MVPS Hosts file, which is fairly lengthy, and don’t notice any difference. So far DNS Client issues have been of the “if you turn it off, don’t do this” type. But I am always interested when a DNS problem comes up to see if turning it back on again has any impact.

Yes, I tried it both ways on my XP machine. I really couldn’t perceive a difference.

a proud user of Comodo Version 2.4

The alleged performance gains received by disabling the service have always been dubious at best.

Anyway, I am rebuilding my rules manually, I’m also using D+ in Train With Safe Mode, for the time being. I’ll have to see if I can recreate the problem in the OP.


You may have to enable loopback for AZ. It’s a new feature in 276. They have created a loopback Zone, and in Firewall\Firewall Behaviour Settings\Alert Settings there is a check box for capturing alerts.

Check these options.


I did create a “Global Rule” allowing loopback (just to be sure that it is allowed). I also have a rule for loopback in the AZ rules. My “Enable Alerts For Loopback Requests” is ticked.
All my blocking rules have the “Log” box ticked.
But nothing happens! Not a single pop-up comes, nor is any log for “wrongly” blocked connections created.
AZ is still taking about 3-5 minutes to open the main page. And it shows those same errors. Weird…
FF, TB, uT, IE, Google Earth, MSI Live Monitor are working good and pretty well.
Issues only with AZ and Winamp, which now starts after a long time - the “Main Panel” comes quickly but the “Playlist Editor” is taking about 2 minutes after the main panel. (I don’t use any connections with Winamp, but I did create rules for loopback and for http ports like a web browser.)
I did leave D+ on “Disabled” for testing, but nothing. The same with fully disabling D+ and restarting. The problem is something with the firewall.
My last test was creating a global rule allowing everything, and a rule allowing everything for AZ. All with “Log” ticked. Nothing useful, again. Only the normal connections were logged, all of them the same as before. AZ connects to the Azureus Network at but not to any peer, nor any peer to it. And that same error message pops up.
This was a fresh install of v3.0.14.276. I did uninstall 273 in safe mode, cleaned the registry, checked for “lost” files and everything else before this install. Tests with PCFlank and GRC (both leak and port scan) are “passed”. All other apps are working well. The v3 IS working fine for me, but something is weird with AZ and Winamp.

WinXP-SP2 32-bit fully updated, services disabled (security reasons, NOT useful for me, fewer resources): DNSCache, TermServices, ShellHWDetection, UPNPHost, Net.TCP Port Sharing, RemoteRegistry, RemoteAccess, BITS, WUAUServ, WSCSvc, LanManWorkstation, SharedAccess (Win FW) and others less important.
MB MSI-7145 with Sempron 3000+ and 512MB RAM.
Running: PG2 Beta-6C, ATI Catalyst v2007.01313.2139.36813; NOD32 v2.70.39; Diskeeper v2007-11.0.706.0.
Azureus v, without: DHT, PEX. (Only TCP connections for sharing. UDP only for DNS.)

This same configuration was good up to v273, and was good before using CFP. So… I have to guess what is happening…

Best Regards, and thank you for the replies!

I don’t believe it’s a service issue, so I think we can leave those as is. My next suggestion is a bit radical :slight_smile:

Re-enable D+ and delete any rules you have for AZ in CSP. Also make sure there are no files in pending, quarantined or safe for AZ.

Next, do the same thing in NSP, remove any rules you may have for AZ.

Put D+ into Paranoid Mode and Firewall into Custom Policy Mode.

Clear your logs. (You’re probably going to get a few alerts :slight_smile: )

Make sure you have no global block rules in Application rules and Global rules.

Run AZ and follow the alerts.

Let’s start there and see what happens.

I just did exactly everything you said before I wrote my last post…
I was going to edit it to say that AZ connects to the tracker and scrapes OK, but not with the peers, and that error message continues… (“Error: socket () failed 10 times in a row, aborting. Azureus / Java is like being Firewalled.”)

I was thinking… I didn’t get any pop-up for any Java executable… (D+ and FW). Well, this was the same with v273 and was working fine…

What else can I do? (But please, excuse me, I’ll do it only tonight… now I’m 22h without sleep, and I’m tired…)

I hope I can help someone else with all of this…

See you! Soon.

Java is probably a trusted app, but I imagine AZ is too. Are there any entries for Java in D+ or the firewall?

Hi, Toggie:

First of all: I’m so much thankful for your help!

After playing a lot with the rules, I decided to go for a totally new configuration. Today is Sunday, and I had some time to rebuild it, after some rest on Saturday.

That was a happy decision. Now everything is working fine, again. :smiley:

Just to be clear: THERE’S NOTHING WRONG WITH CFP v3.0.14.276. My problem was some misconfiguration that I made myself. It was OK with 273, but 276 didn’t accept that. VERY GOOD BEHAVIOR of 276. I have to say this. Since RC1, CFP has been a very, very trustworthy firewall.

About Java: everything is OK. There’s no problem related to it. Java is transparent here; there’s no entry for it in my configuration. I did a fresh new install, and as soon as possible I changed the default configuration to “CPM” and “PM”, without the “Trust the applications digitally signed by Trusted…”. Java is working without any problem, and is transparent (at least until now, requested by AZ only).

I wish you have a VERY, VERY HAPPY NEW YEAR ! :■■■■

Just to be clear, again: every time something doesn’t work well, just be very careful with the configuration! CFP is a very, very good firewall. I couldn’t find anything that bypasses CFP. The problems that I’ve had until today were, ALL OF THEM, caused by myself. I’m very curious, and I have some “paranoid” thing in my mind about security… I like to keep my configurations as safe as possible, and sometimes I make a mess, on my own PC. (That’s b/c I take care of others. Test on myself, and then do it on the others…) 16 PCs with CFP until now. ALL OF THEM LOOKING VERY, VERY GOOD. (Most of them belong to older people whom I help by teaching about “sending email” and using the “internet”.)
Sorry for my poor Brazilian English.

(S) (B)

edit: emphasis.

The problem seems to be related to the loopback… it came back again, after 2 days…
I don’t know why, but the loopback allow rule seems to be lazy… see this screenshot of the logs… it’s weird…

Loopback was blocked… and then allowed… (my config was set to ALLOW loopback connections, from to at any port). I didn’t make any change to the configs meanwhile.

Only time tells what is right and what needs some work…