svchost.exe detecting 2 times same DNS address

Windows 7 64-bit
Start from clean installation - installing Comodo firewall and run browser.
A few seconds later I have a message from the firewall that svchost tries to communicate with the first and second DNS server. I agree, Comodo remembers my answer and grants (UDP) access to the DNS server.

A few weeks later (that means today), I have another message that svchost tries to communicate with the first and second DNS server (UDP). Well wtf??? In my list I have a green light for it - why does Comodo ask me again?

Is it normal, or a bug in the software? :-\


Are you using Comodo DNS, your ISP DNS or some other third-party DNS?

Open a command prompt and run ipconfig /all; about halfway down you should see entries for the DNS servers. Do they match the svchost alerts?

Also, are you sure both sets of alerts were for UDP? DNS will use both UDP and TCP, for slightly different reasons.

Positive - 2 times same DNS (UDP) prompt from Comodo firewall …

And the ipconfig?

Do you have a router to which you can connect more than 1 PC? If yes, did the 2nd alert have the same local address? It could simply be that for whichever reason, your PC address has become ***2 instead of ***1, hence the alert from the FW.

No changes in ipconfig, and yes I have a router - and yes I have 2 other machines connected.

And I got your point - but no!! Source IP is the same as before.

When Comodo firewall split alert - only one machine working in my network.

Something changed.

Do you have the logs from before and from today? Post screen shots of both and of your svchost rules.

One second, my IP address after clean install was - from 30.03.2011 I have 0 alerts about DNS.
Strange is that my IP address changed to (from 31.03.2011) and (from 10.04.2011). Only today I have this strange DNS alert!!

Nothing about svchost.exe and DNS alerts in my log from the last 10 days …

Your IP address changing and DNS are two different things. You should look at your router settings, as that’s where you’re getting your IP addresses and DNS from.

As I say - I get DNS address from my ISP.
On my router I have static config with 2 DNS addresses.

??? I have no idea why CMD Firewall shows me the same DNS (UDP) alert a second time :-\

I know about the IP changing (after 48h) DHCP releases it …

As your primary and secondary DNS are determined in your router, did the 2nd alert still have your router as destination address?

Source address was my local IP and destination was ISP DNS (I think), not sure right now :-\

I ask the question because some malware changes your DNS servers in your PC (which is prevalent on router for DNS). So, just to be sure, you can check in the properties of Internet Protocol (TCP/IP) that Obtain DNS server address automatically is still checked.

Do you have Alert Frequency Level of the firewall set to High or Very High? Then the change of IP address could be an explanation for the fact that you are being asked again.

Can you write down the complete rule for svchost.exe as it is made in Application Rules, including all ports and IP addresses?

Yes, I have very high level of alert!

DNS servers always come with two at a time. The primary and secondary DNS servers.

Having two DNS server IP addresses is to make sure that the DNS lookups are virtually uninterrupted. When one server cannot respond the other one will.

That’s why you will see two DNS servers in the svchost rule.

!ot! :wink:

Question is why Comodo shows me an alert that first and second DNS (UDP) try to communicate with IP etc. I have already set up a rule in my Network Security Policy.

EricJH has explained, your IP address changed and you’re using high alerts.

Amazing looking at your rules. You really need to do some reading, as you seem not to have a clue what you’re blocking or allowing.

Try to read once again what EricJH wrote. We know well what the second DNS is for, and what is going on when the first fails. Also - I know why I see 2 DNS in my Network Security Policy - because I put them there and made an exception for them.

What you are looking for - is not all - and it’s not the point of this post … I think you have a bug in your software - that’s why Comodo (again) shows me an alert (on the same machine) that first and second DNS (UDP) try to communicate with the same IP that is in the Exception List and marked green.

My IP address changed 3 times - only one time the firewall showed me the (same UDP) DNS alert.
Maybe we don’t understand each other - I have already set up a rule in my Network Security Policy…

In some cases when cfp.exe or cmdagent.exe crashes CIS may lose a number of rules. Maybe that is what happened when you got the alerts for the second time.

Can you check in Event Viewer whether around the time the second set of alerts occurred one of the two processes has crashed?
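
The two checks suggested in this thread (comparing the DNS servers actually in use with the alert's destination, and looking for a cfp.exe or cmdagent.exe crash around the time of the second alert), as an added PowerShell example that is not part of the original posts. The `AlertTime` and `WindowHours` parameters are assumptions to set yourself, and the script assumes crashes were recorded as Event ID 1000 from the "Application Error" source in the Application log.

```powershell
param(
    [datetime]$AlertTime = (Get-Date),   # assumption: when the repeated DNS alert appeared
    [int]$WindowHours = 24               # assumption: how far around that time to search
)

# 1. DNS servers each IP-enabled adapter really uses, and whether they came from DHCP.
#    Compare DnsServers with the destination address shown in the firewall alert.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled,
        @{ n = 'IPAddress';  e = { $_.IPAddress -join ', ' } },
        @{ n = 'DnsServers'; e = { $_.DNSServerSearchOrder -join ', ' } } |
    Format-List

# 2. Application crash records for the two Comodo processes near the alert time.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $AlertTime.AddHours(-$WindowHours)
    EndTime      = $AlertTime.AddHours($WindowHours)
}

# Get-WinEvent raises an error when nothing matches, so silence that case.
# Matching on the event's data fields avoids depending on the localized message text.
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Properties | ForEach-Object { $_.Value }) -match '^(cfp|cmdagent)\.exe$'
    }

if ($crashes) {
    $crashes | Sort-Object TimeCreated | Format-List TimeCreated, Id, Message
} else {
    "No cfp.exe or cmdagent.exe crash recorded within $WindowHours hours of $AlertTime."
}
```

A crash entry close to the alert time supports the lost-rules explanation; no entry, together with DNS servers that match the existing svchost rule, points back to the IP address change combined with the Very High alert setting.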