DNS rule, kerio 2.1.5 & Comodo

My question is why kerio 2.1.5 with my from BlitzenZeus's rules customized rules does not ask DNS rule for almost every separate application like Comodo does? With the very high alert level setting I mean.

Is it some XP service that cpf disables?

I include my kerio 2.1.5 rules to make it clear what I allow and what then allows that I really don't get asked. It is the my DNS_1,2 rules for svchost.exe that do the needed job. Those that are set to log, my dns_1,2 for any app will never match. If they matched, I could untick them and thus have separate DNS rules made for each app. But they never match.

I have disabled loopback rule since I want to have it tighter and make separate loopback rules for each app that need localhost address access, for anyone wondering where my loopback rule is.

So the question I made this thread for is how to have kerio 2.1.5 ask for UDP 53 dns server rule separate for each app that need it?

Jarmo

 

You have your DNS 1 & 2 rules for svchost.exe above all other DNS rules, so that would probably explain why you are not getting alerted on a per/application basis. Also, do you have DNS client service enabled? If so, that is another rreason you will not get alerted on your applications. Finally, you have your other two DNS rules allowed for "Any application", another reason you might not be getting alerts.

What you want to do if you require alerts on a per/app basis is disable the DNS client service and eliminate those top four DNS rules. You could then create the rules one-by-one as individual apps (browsers, email, antivirus update services, etc..) cause an alert every time they need DNS access, or simply set them up manually the first time. I assume you have two DNS rules because of Primary & Secondary DNS servers?

 

As told those any application rules won't get matched. I don't think those svchost.exe rules need to be removed, anyways they would be only a little below where I have some rules made for svchost.exe as an application.
But yes what you tell about disabling that dns client service that might do the trick
Yes I have made my dns rules to my primary and secondary isp dns servers. That is why they are censored.

Thanks for the prompt reply.

 

You are welcome. Hopefully it works for you, disabling the DNS client service that is.

 

Yes it worked.

One interesting observation. I can conclude that the first rule in above picture does not block kerio firewall engine to connecting to DNS servers when that DNS client is enabled! I noticed it cause the rule was actually set to alert but never did before until that service was disabled.

I stopped DNS client service and set it to Manual. Rebooted, was not really necessary, but wanted to be sure to test how it works.
Now those rules 'my dns_1,2 for any application' will log as they match, so I can untick or remove them and make rules for each application when prompted. It is quite a job though to do that.

So my next question to all you security experts is this. Will it make it very much tighter and safer if I do so?
Or if I allow again that DNS client service since my svchost.exe DNS rules allow only my ISP's DNS servers. And thus avoid all this added bother that does not maybe make so much more secure ruleset?
Your opinions if you may?

Jarmo

 

IMO, You are in pretty good shape restricting your dns connections to only those servers. Amongst your applications, pay particular attention to svchost, especially when it wants to connect on ports 80 and 443. Try to restrict those to Microsoft's Akamai update servers. The trouble is, they have so many of them that you could be creating new rules every time you check for updates. You could choose an alternative approach by going to their downloads site or perhaps using Autopatcher, except that Autopatcher releases its updates sometime after MS releases theirs.

BTW, I'm no expert. I just try to learn on the fly There are some members such as Stem, Paranoid2000, Blitzenzeus and Alphalutra, to name a few, who may see this thread and hopefully offer some opinions to it.

 

I have only time server udp 123 rule for svchost.exe allowed.
I block it outbound for tcp 80 and 443 for any IP. Yes I know there are many servers and lately there was also other servers than Akamai or MSN servers that microsoft has used for update hosting servers. So I have set those block rules to log and notice that my system tries MS update check or whatever MS thing every 5 hours.
I can enable those rules for every months second tuesday when MS sends update patches if wanting.
Of course all else incoming is also blocked for svchost.exe in my ruleset a bit below what is shown in the picture.

I actually enabled DNS client service back again, but I am waiting opinions if the ruleset would be really more secure by disabling it and making rules for every app.
As I wrote in my previous post, the DNS client service allows kerio firewall engine to connect to my isp dns servers which I found rather surprising since I have that block rule as first
With the service disabled the following rule alert I had set is fired:

 

That is how I prefer it. It takes a bit more time this way, but at least you can exercise better control over dns connections this way.

EDIT: okay, I see where you have the block rule for the Kerio engine above all other rules. I'm not sure then why the engine would be allowed dns access. I wonder if the Kerio engine is running as a process under one of your svchost services, thereby being allowed access when you have the DNS client service enabled? It is just a thought as to why it may be allowed access under those conditions.

 

When the DNS Client is enabled svchost.exe performs the DNS queries rather than the applications themselves, so the programs are not connecting directly to the DNS servers.
Comodo V2 monitors DNS requests, asking not only for svchost.exe but also for the program that originates the query. In V3 that option was moved to Defense+.
When the DNS Client is Disabled the programs perform the DNS queries by themselves. In that case there is actual traffic between the applications and the DNS servers.
Recursive DNS request can be used for data leaking but IMHO that is more theorical than practical.

 

No, PERSFW.exe is running under services.exe as seen by Process Explorer.
Actually when I go to edit the rule, the whole path is not shown and the Application field is grey. Also with above picture the slider does not go far enough in the alert window to see the whole path. But if I use 'to Clipboard' button and then paste to txt file, this is what is shown:
25/Jul/2007 00:51:00 Kerio Personal Firewall Engine (log) blocked; Out UDP; localhost:1284->xxx.xxx.x.xx:53; Owner: C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE

I am still not sure if I should follow that separate DNS rules strategy. Could there be some performance hit since the DNS rules are used so often and rules are not at the top?
At least for now I stay with DNS client service enabled but restricting access to only my ISP DNS servers. As I have done for a few years when running kerio 2.1.5.

I did not change any advanced settings from default ones if I remember, except alert level that and some baby settings so I get asked for all the apps and not let CPF allow "certified" ones.
I did not get any such parents like firefox.exe or thunderbird.exe for svchost.exe but instead those apps were prompted for DNS access directly themselves. So I rather really think as I already suspected in my first post that there was an XP service Comodo disables and propably it is this DNS client service.
Thanks for your answer that also clarified this subject.

 

The DNS monitoring is not related to parents/childs. When the DNS client is enabled the programs don't send packages to the DNS servers, svchost.exe does. However when DNS monitoring is enabled (default) Comodo V2 ask for permission for the programs too, but that is not actual "traffic". Comodo doesn't disable the DNS Client Service.

 

On most of the XP boxes I maintain that run Kerio, I disabled the DNS service and let the apps handle their own DNS. One less running service that isn't necessary in most cases. I usually put the IPs for the DNS servers in the trusted address group and use it to make one rule allowing DNS for apps. Helps keep the ruleset clean. Unless you have a specific need for an app to use a different DNS server, separate DNS rules for apps doesn't improve security since most of the time, they'll use the same DNS server. If you want to specifically block DNS for a particular app, just put a blocking rule for that app above the rule(s) permitting DNS.

The blocking rule at the top of your ruleset only prevents Kerio from resolving IPs on its status screen. That can be disabled on the status screen settings. I don't see how blocking Kerio would help from a security standpoint. If Kerio is set to resolve IPs and is blocked, it could slow down your connection. When you had the DNS service enabled, Kerio also used it, making the blocking rule ineffective.

You might want to deselect logging of permitted DNS. You'll get logs full of useless data. If you want to log DNS attempts to other IPs, put a blocking rule below the DNS permit rules and set it to log. On my own system, I don't have a blocking rule for DNS to other IPs. I'd rather see the prompt in real time so I can investigate it.
Rick

 

Thank you for this information about Comodo ggf31416, always wellcome to know how things work.

Rick, I might do that too, disabling the DNS client. I am against WWDC.exe and other automated utilities that might get some functionality of the Windows lost as a side effect of making things in a surface more secure. And also for disabling too much in a hope to make things use less resources. But this case is different and I might do that.

Trusted address group was also what I was thinking of using to make it simpler when going to that disable dns client service route.
In most of your comments you seemed not to take into account that the ruleset that is in the first post is for when DNS client is enabled and it is rather optimal in my opinion. But I comment anyways. Just how it works with it.

Yes, I still get the IP's resolved to domain names, and it seems useless. No harm done or slowing down. And I guess should be deleted or unticked if going that dns client service disabling route.

Aah, you mean those 'my dns_1,2 (log)' rules. They are just set to log since they never do as this is for the dns client service enabled ruleset. Of course if something "spams" log, it should be investigated and then action taken. That DNS Alert rule is also for the original service setup. It DOES alert for the netphone program and that is why the 2 rules above it are made, no idea why I set them to log since i dont run the program currently. Above ruleset was made quite a long time ago when I last time used kerio 2.1.5. And they are only rule names written as they would log. This got carried away from the main subject too much though, but had to answer your keen eyed criticism, lol.

I agree though that the final DNS block rule is not really more safe than deleting it. It is from BZ original ruleset and with it you will get an alert window notification and with it deleted or unticked you will get a permission prompt popup. I have found that alert to be very rare if ever. All my DNS resolution is done using my ISP's dns servers and nothing else.

I was thinking if I go to your route of disabling DNS client service to put specific application DNS rule same place as other rules for that application, meaning quite below the top of ruleset, below the system protection rules. If you read this reply Rick, how are your app DNS rules spread? Like so or all dns rules together near the top of ruleset for the efficiency?

Jarmo

 

IMO, the windows DNS client service is not only unnecessary for most users, it's also a target for malicious code. Vulnerabilities have been found in it before, some of them critical. http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
If an attacker can successfully compromise the DNS client service, all internet apps and system components are affected. IMO, lettings apps handle their own DNS is the more secure option.

I keep the DNS rules together whenever possible. On most systems I maintain, I use 2 DNS rules near the top of the ruleset.
1, A permit rule for port 53 for any app, using the trusted address group.
2, A blocking rule for port 53 for all apps and IPs. Depending on who I'm setting it up for, the second rule will log and/or alert.
If there's apps installed that need a different setup for DNS or just needed to be blocked from using DNS, I'd put those rules above the main DNS rules and make them specific to that application, with its own permit and block rules. Unless you specifically need different DNS settings for some application, there's no advantage to making separate rules.

A separate DNS blocking rule is only necessary if you've set Kerio on the "Ask Me First" setting and don't want to be prompted about DNS to other IPs. If you're using the "Deny Unknown" setting, separate blocking rules are redundant. On my own PC, I use the "Ask Me First" setting and use blocking rules for functions like DNS and for apps that don't need address specific rules.

If there is any performance hit, it's very little, a fraction of a second. The amount of time it takes for a DNS server to respond to a DNS request is much longer in comparison. I opted to use the trusted address group for the DNS IPs as I use both Open DNS and the ones provided by my ISP, depending on what configuration I'm using.

My DNS rules are in the top section of the ruleset, but not at the very top. The very top of my ruleset is blocking rules for system components and apps that I don't want to have any internet access, and a few permit rules for those specialty tools that need unrestricted access to function properly. My DNS and ICMP rules are below those. BZs ruleset contains a lot of rules that don't apply to my setup, including DHCP, Windows service, network rules, etc. Mine contains blocking rules that could cause problems for a different version of Windows. Comparing the rules we have in common, there's little if any difference in the individual rules.

The only other difference is the loopback rules. Mine are application specific and are grouped with the other application specific rules. BZs ruleset uses a global loopback rule because it has to in order to be a universal replacement ruleset. It's not possible for them to be any more specific without specifying individual applications.
Rick

 

Thank you Rick for a clear reply.

My original goal when starting this thread was to get kerio 2.1.5 to ask for every application that needs UDP 53 DNS rule.
To make kerio perhaps as tight as can be possible outbound with packet filter rules and concerning those leaktests though I don't really care so much about them.
And now I know how.
I can also now search Google to get more information about windows DNS client service.

I understood that you have a "global" rule, something like those 'my dns_1,2 (log) for any app', without logging of course.

I also don't have an "any application" loopback rule anymore.
The reason is that one can run local proxy(s) and it could be benevolent like Avast's browser and email shields, or it could as well be some malware that then lets programs out from your computer to internet without you getting asked, using that 'Standard Loopback' rule.
The port that the local proxy uses can of course be excluded from the Standard Loopback rule, but only if the program is known to be a local proxy and this is not a case with malware.
So I make application specific localhost address rules same as you.

I still have DNS client service enabled and search for more information about the subject.
I need more information to be convinced that it is much more tight and secure to disable it. Especially if still having a 'global Any Application' UDP 53 rule instead of making them application specific that would add some for outbound leaks for that traffic. Still too lazy to bother, hehe.