Which DNS would you prefer 2011?

Discussion in 'polls' started by carat, May 21, 2011.


  1. Norton DNS: 30 vote(s), 21.7%
  2. ClearCloud DNS: 19 vote(s), 13.8%
  3. Google Public DNS: 14 vote(s), 10.1%
  4. OpenDNS: 34 vote(s), 24.6%
  5. DynDNS: 4 vote(s), 2.9%
  6. My ISP's DNS: 28 vote(s), 20.3%
  7. Other (specify on thread): 9 vote(s), 6.5%

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I just made an unusual/surprising discovery.
    Maybe others already knew this, but I didn't.

    I have Norton DNS configured as primary and alternate servers, then Comodo DNS set as 3rd and 4th.
    I did some testing and found a couple sites that I know Comodo blocks, but Norton doesn't.
    (wxx.sibnet.ru & wxx.nafaa.org)
    When I click on either link, even with Norton set as primary and alternate, Comodo blocks the site.
    I didn't know that would happen.
    I thought I would be able to access the site if Norton doesn't block it and Norton is set as primary and alternate servers.

    (To make sure Norton doesn't block either of those sites, I removed Comodo DNS service and just left Norton DNS as my only service. I was able to connect to those sites.)

    PS- In order to find sites that Comodo is blocking, I visited the Comodo forum thread, Report Blocked Sites You Believe Are Safe Here. (Some have been fixed, and some are still being blocked, so you have to try several to find a "bad" site.)

    Edit in: My conclusion has to be that if you have two DNS servers configured, both will be checking sites. What else can I conclude from this test? Am I misunderstanding?
     
    Last edited: Sep 4, 2011
  2. guest

    guest Guest

    Might have something to do with the native Windows DNS cache. Try cleaning DNS cache and disabling DNS Client:

    - click Start > click Run > type cmd and press enter > type ipconfig /flushdns and press enter > type net stop dnscache and press enter

    Now repeat the tests and post the results (with DNS cache disabled!).
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Posting results...

    I cleaned the DNS cache and disabled DNS Client and the "issue" went away.

    I recently (a few weeks ago) ran my computers for a while with DNS Client disabled when I was running large hosts files, but started the Client again once I disabled the hosts file.
    As far as I know, DNS Client should be allowed to run.
    Do you agree?
    I'm thinking that periodic DNS flushing might be a good thing.
    I've noticed lately that from time to time, when checking the Norton DNS test page, that it said I wasn't running it, though it was configured as primary and alternate. I wonder if Comodo was taking over, somehow due to DNS cache?

    Edit in: By the way, in case anyone wishes to comment on this... when I flushed cache (typed ipconfig /flushdns and pressed enter) on one machine, it took about 5 seconds, tops, before it said "Successfully flushed the DNS resolver cache". But when I did the same on a 2nd machine, it took at least 3 minutes before all the DNS cache was flushed. Does that mean there was so much more cache to be flushed, like a ton of it? What are the ramifications, if any, of NOT flushing DNS cache? :)
     
    Last edited: Sep 4, 2011
  4. guest

    guest Guest

    As I suspected.

    Same experience. I agree that the DNS Client should be allowed to run, although I'm relying entirely on advice from reputable experts. I didn't benchmark the performance impacts myself.

    What happened was that, for some domains you visited recently, the Windows DNS cache was made while you were using Comodo DNS. The Windows DNS service doesn't automatically clean its cache as often as you may like. After flushing it, you will eventually get your Windows DNS cache reconstructed with the lookups using the actually set preferred DNS server(s).

    Found a nice and simple explanation.

    "You must flush (clear) the DNS cache whenever you want to get a domain name to be resolved again.

    DNS cache ensures that the domain name is resolved fast, so that you don’t have to wait for it. However, sometimes DNS cache may cause some problems like page not loading and 404 errors. This may happen because the web server that hosts a particular web page changed its IP address, but the DNS cache still tries to get the page from the older IP. Also if you register a new domain, you must flush DNS cache so that it is resolved properly on your computer."
     
    Last edited by a moderator: Sep 4, 2011
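
An added illustration of the caching behaviour described in the post above (not part of the thread, and not Windows' own code): a toy caching stub resolver in Python showing a cached answer from a filtering resolver outliving a change of preferred server until it is flushed or its TTL expires. The host name, addresses, TTL and class names are all constructed for the example.

```python
# Toy model of a client-side DNS cache (added example, not Windows' implementation).
# All names, addresses and TTLs below are constructed for illustration.

BLOCK_PAGE = "203.0.113.10"  # constructed: filtering resolver's block-page address
REAL_SITE = "198.51.100.7"   # constructed: the site's real address


class Upstream:
    """A recursive resolver; a filtering one answers with its block page."""
    def __init__(self, name, blocked=()):
        self.name, self.blocked = name, set(blocked)

    def query(self, host):
        addr = BLOCK_PAGE if host in self.blocked else REAL_SITE
        return addr, 3600  # (address, TTL in seconds)


class StubResolver:
    """Cache entries are keyed by host name only, so changing the server list
    does not invalidate them. The upstream name is stored only so the demo
    can show where a stale answer came from."""
    def __init__(self, servers):
        self.servers = list(servers)
        self.cache = {}  # host -> (address, expiry time, upstream name)

    def resolve(self, host, now):
        hit = self.cache.get(host)
        if hit and now < hit[1]:
            return hit[0], f"cache (from {hit[2]})"
        upstream = self.servers[0]  # preferred server answers
        addr, ttl = upstream.query(host)
        self.cache[host] = (addr, now + ttl, upstream.name)
        return addr, upstream.name

    def flush(self):
        """Same effect as `ipconfig /flushdns`: drop every cached answer."""
        self.cache.clear()


def demo(flush):
    filtering = Upstream("filtering", blocked={"example.test"})
    stub = StubResolver([filtering, Upstream("permissive")])
    first = stub.resolve("example.test", now=0)
    stub.servers.reverse()  # user makes the permissive resolver preferred
    stale = stub.resolve("example.test", now=60)
    if flush:
        stub.flush()
    return first, stale, stub.resolve("example.test", now=120)


if __name__ == "__main__":
    print(demo(flush=False))
    print(demo(flush=True))
```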
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    FWIW, here's a guy who comes right out and says if you disable the DNS Client, you won't be able to browse the web. I know that is wrong.

    Excerpted from here --> http://www.techrepublic.com/blog/10things/10-windows-xp-services-you-should-never-disable/960
     
  6. guest

    guest Guest

    Yes, that's totally wrong.

    Anyways, before disabling the Windows DNS cache, one has to be somewhat sure that the set DNS servers (or the ISP's DNS servers) are reasonably fast and reliable (to minimize the negative performance impact).
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Thanks for the help and the explanations, guest. :thumb:
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If I were face to face with that person, and with a leaky diaper on my hand, I'd rub it on his face until he learnt the lesson. :isay:

    Regarding the DNS cache thing... And, I'll be using what was mentioned here, because I'm not pretending to know everything...

    Scenario: Website A access is being redirected to a fake page, with the same domain name. Resuming: Same domain name, different server/IP.

    DNS cache will cache it, correct? It may happen, judging by what user guest posted, as a quote, that the web server that hosts a particular web page changed its IP address, but the DNS cache still tries to get the page from the older IP.

    In this case, the server didn't change IP... the traffic was directed to the attacker's server, due to DNS hack. But, I suppose it's the same deal. The IP "changed".

    Even if the situation comes to normality, due to DNS caching the user may still visit the bogus server, though real domain name, correct?

    If so... would something like this (http://nakedsecurity.sophos.com/2011/09/04/dns-hack-hits-popular-websites-telegraph-register-ups-etc/) be a reason for DNS Client to be disabled?
     
  9. guest

    guest Guest

    Not an issue if you are on Windows 2000 SP3/Windows Server 2003 or superior.

    References:
    http://support.microsoft.com/kb/316786
    http://support.microsoft.com/kb/241352
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for the links. I had a vague idea about that, just not sure which O.S were covered.
    But, that was not what I was thinking about... Not precisely, anyway. I was thinking about what Dan Kaminsky brought up in 2008 (one year after those Microsoft articles), DNS cache poisoning. Considering this flaw was brought in 2008, obviously what is mentioned in the articles you provided links for is unrelated.

    Anyway, this reminds us that just because one flaw was discovered and patched, the same doesn't mean that something else couldn't be exploited. Simply means no one found it, yet. But, does it mean there's none? Only time will tell. lol

    Humans do have as their nature only to be concerned when they're aware of imminent danger... :D
     
  11. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Using Google DNS now. It's fast... :D
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I believe the DNS cache clears itself out once in a while so while that attack is possible it would not last.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not happening to me, although I have the same setup. I saw the Comodo block page on other sites sometimes though.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It was a cache thing, they won't both check.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I have previously always received the Norton DNS page in this instance, but just tonight I got the traditional 404, and I am using Norton DNS. :)
     
  16. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Currently using OpenDNS :)
     
  17. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Here's all I know... I am no longer using 4 DNS server addresses. I used to list 2 Norton and 2 Comodo addresses. But now I only have 2 Norton DNS addresses listed. As soon as the 404 happened, I clicked on http://setup.nortondns.com/ , which I have bookmarked to periodically check. It said, "Your computer is currently using Norton DNS."

    It doesn't make sense to me. I just posted what I saw. Maybe the standard Norton page-not-found dialog was temporarily down?

    As for me being "absolutely sure that norton dns was in use and not bypassed or something"... I'd have to say no, I am not absolutely sure about any of this stuff. :)
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Norton DNS blocked a site just now, and within moments, a TrafficLight for Chrome block page popped up too.
    Double teaming works. ;)
    The Norton DNS block page, unlike the TrafficLight page, provides a link for a detailed report, which in turn provides a threat summary, community reviews and a sample of all 73 threats found on the malicious site with additional info available if needed on each one. Wow.
    :thumb:
     
  20. NRProia

    NRProia Registered Member

    Joined:
    Sep 11, 2011
    Posts:
    111
    Location:
    Lowell, MA
    Hello,

    I use Norton DNS and have had good results so far.

    Regards,

    Nathan
     
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    How does Norton compare (both malware and content filtering) compared to DynDNS?

    Thanks in advance.
     
  22. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I don't understand this DNS stuff. If I ping my ISP's DNS or I ping Google DNS it's always within 1 ms of each other. Where's the benefit? Am I missing something?
     
  23. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes you are. How about phishing and malware protection? :)
     
  24. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    That helps determine which one is the fastest for you. Fairly accurate.
     