MS Security Update KB951748 of July 8, 2008, breaks Look.n.Stop

Discussion in 'LnS English Forum' started by beaujean, Jul 8, 2008.

Thread Status:
Not open for further replies.
  1. beaujean

    beaujean Registered Member

    Joined: Jul 8, 2008
    Posts: 2
    The newest Microsoft Security Update, KB951748 of yesterday, July 8, which specifically changes many settings and files to do with DNS lookups, has broken Look'n'Stop version 2.06 (and possibly all other 3rd party software firewalls - certainly ZoneAlarm is one and Agnitum another). Microsoft is aware of this issue and states that it is up to the third-party firewall developers to code a work-around for compatibility issues with the update.

    Specifically, with "Internet Filtering" enabled in Look'n'Stop, after the security update domain names like www.google.com will not resolve in browsers, nor will the ping command in the command prompt work to resolve the domain name. However, direct IP numbers entered in browser address bars and the command prompt will work. As soon as "internet filtering" is disabled in "Look'n'Stop", the issue disappears even while L'n'S is still running. The Windows Firewall (bless it) works as advertised.

    Can someone suggest a quick rule change or fix that would allow L'n'S to work with the new update?

    The URL for the MS support page for that update is

    http://support.microsoft.com?kbid=951748

    edit: sorry, should have added: Phantom's ruleset, v8

    edit2: see also here:
    http://news.cnet.com/8301-10789_3-9985618-57.html


    Beaujean
     
    Last edited: Jul 8, 2008
  2. Frederic

    Frederic LnS Developer

    Joined: Jan 9, 2003
    Posts: 4,354
    Location: France
    Hi,

    I've reproduced the issue, and the problem is that the port range for the local port has changed for DNS connections. It seems it is no longer 1024-5000 but 49152-65535 (like under Vista).

    To fix this, you have to edit the "UDP : Authorize name resolution (DNS)" rule.
    Two possibilities:
    - either you have 1024 and 5000 mentioned for that rule, and replace them by 49152 and 65535
    - or you have "In local" for the criteria, and then replace it with "In range A-B" and enter just below 49152 and 65535 as well.

    If it works, don't forget to save the updated ruleset.
    Otherwise check the log again to see what is blocked now.

    Regards,

    Frederic
    ===================================================
    Before the change it should look like this:
    DNS Rule1.JPG
    or
    DNS Rule2.JPG

    After the change:
    Fixed DNS Rule.JPG
    ===================================================
     
    Last edited: Jul 9, 2008
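Frederic's fix in runnable form, as an added example that is not from the thread or from Look'n'Stop itself: a simplified model of the DNS rule (assumed semantics: first matching allow rule wins, unmatched traffic is blocked) evaluated against constructed DNS queries from both the old and the new local port range, plus the log check he suggests, reduced to the span of blocked local ports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpRule:
    """Simplified model of a Look'n'Stop UDP allow rule (assumption, not the real rule format).

    local_ports: local (source) ports the rule accepts, i.e. the "In range A-B" criterion
    remote_port: remote (destination) port, 53 for DNS
    """
    name: str
    local_ports: range
    remote_port: int

    def matches(self, local_port, remote_port):
        return local_port in self.local_ports and remote_port == self.remote_port


# The DNS rule as the thread describes it before and after the fix.
OLD_DNS_RULE = UdpRule("UDP : Authorize name resolution (DNS)", range(1024, 5001), 53)
NEW_DNS_RULE = UdpRule("UDP : Authorize name resolution (DNS)", range(49152, 65536), 53)


def is_allowed(rules, local_port, remote_port):
    """Assumed semantics: first matching allow rule wins, anything unmatched is blocked."""
    return any(r.matches(local_port, remote_port) for r in rules)


def blocked_queries(rules, queries):
    """Local ports of the (local_port, remote_port) queries the ruleset would block."""
    return [lp for lp, rp in queries if not is_allowed(rules, lp, rp)]


def suggest_local_range(blocked_local_ports):
    """Span of blocked local ports seen in the log: the A-B values the rule must cover."""
    if not blocked_local_ports:
        return None
    return (min(blocked_local_ports), max(blocked_local_ports))


# Constructed sample queries: the first resembles a pre-update client (1024-5000),
# the rest a client after KB951748 (49152-65535).
SAMPLE_QUERIES = [(1057, 53), (49731, 53), (52018, 53), (65001, 53)]

if __name__ == "__main__":
    before = blocked_queries([OLD_DNS_RULE], SAMPLE_QUERIES)
    print("blocked by old rule:", before)                     # [49731, 52018, 65001]
    print("blocked range seen in log:", suggest_local_range(before))  # (49731, 65001)
    print("blocked by new rule:", blocked_queries([NEW_DNS_RULE], SAMPLE_QUERIES))  # [1057]
```

The blocked ports the old rule reports all fall inside 49152-65535, which is the check Frederic's "look at the log again" step amounts to.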
  3. beaujean

    beaujean Registered Member

    Joined: Jul 8, 2008
    Posts: 2

    Hi Frederic,

    Thank you! That works for the "enhanced ruleset".

    For it to work also in the Phantom ruleset v8, you need to create a new rule allowing UDP destination access to port 53 (53 domain) and place that before the rule named "UDP Auth communications". At least that worked for me. I know that Phantom sometimes reads this forum, so I wonder if he would care to clarify, or whether he will update his ruleset?

    Beaujean
     
  4. Thomas M

    Thomas M Registered Member

    Joined: Jan 12, 2003
    Posts: 355
    Thanks Frederic, changing the range of the UDP ports works for me!

    Could you help me also with the "SPF DNS" rule? I do not know how to change the port range in the SPF rule :(

    Thank you
    Thomas :)


     
  5. jeveux

    jeveux Registered Member

    Joined: Feb 5, 2008
    Posts: 6
    Thanks Frederic, your solution worked.
     
  6. ktango

    ktango Registered Member

    Joined: Dec 7, 2006
    Posts: 39
    Hi Thomas M,

    Before the change UDP : SPF DNS Send Query should look like this:
    DNS1.jpg

    After the change:
    DNS2.jpg

    Before the change UDP : SPF DNS Receive Response should look like this:
    DNS3.jpg

    After the change:
    DNS4.jpg
     
  7. Thomas M

    Thomas M Registered Member

    Joined: Jan 12, 2003
    Posts: 355
    Hi ktango,

    Yes, now it works!
    I just forgot to edit the second SPF rule ;-)

    Thanks so much for your fast help,
    Thomas :)
     
  8. Frederic

    Frederic LnS Developer

    Joined: Jan 9, 2003
    Posts: 4,354
    Location: France
    Thanks ktango, this is correct.

    Frederic
     