amprantino 0 Posted August 12, 2020 (edited)

I am using Interactive mode. ESET is blocking all DNS requests for some reason. So nothing works...

Let's focus on browsing with Firefox. (It's not browser related as the same problem appears also in the Edge browser; the error description is "DNS_PROBE_FINISHED_NXDOMAIN" so it's a DNS issue.)

If I disable Network Protection > Firewall everything is OK.

1) I have tried to uninstall and delete all the configuration but it appears again and again
2) I created a rule at the top permitting all DNS requests. The problem remains. (Allow all TCP/UDP Remote Port 53)
3) Temporary IP address blacklist is zero & Recently blocked application or devices is zero.
4) I tried to create some logs: Help > Details for Technical Support Advanced Logging > Edit the file and search for firefox. I don't see any entry.

Any idea how to troubleshoot the problem or what is causing the issue? This behavior appears every few months and I don't know why it appears again and again.

I am using ESET Internet Security version 13.2.16.0, Windows 10 Pro (64-bit)

Thank you

Edited August 12, 2020 by amprantino

Administrators Marcos 5,468 Posted August 12, 2020

If you open advanced setup and navigate to Firewall -> Advanced -> Zones, do you see your DNS servers listed? They should match the DNS servers reported by ipconfig /all.

Also I'd suggest exporting the configuration and resetting settings to defaults and see if it makes a difference. Does it work in automatic mode?

amprantino 0 Author Posted August 12, 2020 (edited)

1 hour ago, Marcos said:
> If you open advanced setup and navigate to Firewall -> Advanced -> Zones, do you see your DNS servers listed? They should match the DNS servers reported by ipconfig /all. Also I'd suggest exporting the configuration and resetting settings to defaults and see if it makes a difference. Does it work in automatic mode?

Yes, they match and they are updated correctly if I change them in Windows.

Automatic mode is also not working (just tested).

If I reset to default it works for a few weeks or months and then again the same problem appears.

Edited August 12, 2020 by amprantino

itman 1,807 Posted August 12, 2020

Here's an article on fixes for "DNS_PROBE_FINISHED_NXDOMAIN" issue: https://www.hostinger.com/tutorials/fix-dns_probe_finished_nxdomain .

2 hours ago, amprantino said:
> This behavior appears every few months and I don't know why it appears again and again

This would be indicative of an issue with your ISP provider and/or VPN provider if you are using a VPN. Note that if Eset was the cause, this behavior would be constant and not of a sporadic nature.

amprantino 0 Author Posted August 12, 2020 (edited)

It's not related to ISP, it is 100% related to ESET:

1. I am not using VPN
2. It's not DNS related: I have tried with numerous DNS and other PCs in the network can do queries to them while ESET is blocking queries on my PC
3. I am not using Edge, I just tried it to confirm that it wasn't a Firefox issue. But the problem appears across browsers.

As soon as the problem appears it is constant. I have to disable the firewall to access anything.

Edited August 12, 2020 by amprantino

itman 1,807 Posted August 12, 2020

15 minutes ago, amprantino said:
> It's not related to ISP, it is 100% related to ESET:

It's not clear how you arrived at this conclusion. Does the problem disappear if Eset is uninstalled and you're only using the Windows firewall and Windows Defender?

amprantino 0 Author Posted August 12, 2020

When I change to Automatic mode, do I have to restart Windows for it to take effect?

13 minutes ago, itman said:
> It's not clear how you arrived at this conclusion. Does the problem disappear if Eset is uninstalled and you're only using the Windows firewall and Windows Defender?

If I uninstall ESET, yes the problem disappears.

If I disable ESET firewall, yes the problem disappears.

Can you please explain why you think the issue is ISP related?

itman 1,807 Posted August 12, 2020

1 hour ago, amprantino said:
> Can you please explain why you think the issue is ISP related ?

As I posted previously, because the problem is intermittent. As you stated:

2 hours ago, amprantino said:
> If I reset to default it works for a few weeks or months and then again the same problem appears

What I would recommend is setting the Eset firewall back to default values. This will reset Filtering mode back to Automatic which will allow all outbound traffic unless specifically blocked by an existing Eset default firewall rule. Also, only Eset default firewall rules would exist.

At this point, you should have no further DNS issues. If you do, we can rule out Eset as the source.

If you want to block some outbound network traffic, you can manually create a firewall rule to do so. I would do so carefully by monitoring after each rule creation if this existing DNS behavior reappears.

itman 1,807 Posted August 12, 2020

A few comments about DNS firewall rules:

1. Eset's default DNS firewall allows both outbound TCP and UDP traffic port 53.
2. Windows uses mDNS outbound port 5353 as a fallback for DNS traffic. As such, this traffic should not be blocked.

amprantino 0 Author Posted August 13, 2020

16 hours ago, itman said:
> A few comments about DNS firewall rules: 1. Eset's default DNS firewall allows both outbound TCP and UDP traffic port 53. 2. Windows uses mDNS outbound port 5353 as a fallback for DNS traffic. As such, this traffic should not be blocked.

The first rule is mine, inserted at the top of the list. The rest of the rules are predefined and I cannot edit them.

amprantino 0 Author Posted August 13, 2020 (edited)

18 hours ago, itman said:
> As I posted previously, because the problem is intermittent. As you stated: What I would recommend is setting the Eset firewall back to default values. This will reset Filtering mode back to Automatic which will allow all outbound traffic unless specifically blocked by an existing Eset default firewall rule. Also, only Eset default firewall rules would exist. At this point, you should have no further DNS issues. If you do, we can rule out Eset as the source. If you want to block some outbound network traffic, you can manually create a firewall rule to do so. I would do so carefully by monitoring after each rule creation if this existing DNS behavior reappears.

The problem is not intermittent! Let me describe better:

I have a clean ESET installation. Everything works perfectly. Suddenly after a few weeks all DNS requests are blocked.

To keep working I have to disable the ESET firewall (permanently) or reinstall ESET from scratch. If I reinstall, everything is working.

Something is blocking DNS requests. So I have started this post because I have reinstalled it already 3-4 times and I want to find the root of the problem.

Update: After I set it to Automatic mode and restarted my PC everything works; DNS is not blocked. So it should be a problematic rule in the firewall/Interactive Mode!

Edited August 13, 2020 by amprantino

itman 1,807 Posted August 13, 2020

58 minutes ago, amprantino said:
> Update: After I set it to Automatic mode and restarted my PC everything works; DNS is not blocked. So it should be a problematic rule in the firewall/Interactive Mode !

Exactly. As I posted previously, you can't just set outbound block rules en masse. This is a sure recipe for borking necessary Win outbound network traffic. Each block rule needs to be thoroughly tested for impact before permanently allowing it.

amprantino 0 Author Posted August 14, 2020 (edited)

20 hours ago, itman said:
> Exactly. As I posted previously, you can't just set outbound block rules en masse. This is a sure recipe for borking necessary Win outbound network traffic. Each block rule needs to be thoroughly tested for impact before permanently allowing it.

The problem appears suddenly without having added rules in the last 1-2h!!

Does ESET have a way to export accurate logs when it is blocking DNS requests so I can detect which rule is causing the issue?

Edited August 14, 2020 by amprantino

Administrators Marcos 5,468 Posted August 14, 2020

Please carry on as follows:

- in the adv.setup -> diagnostics -> advanced logging enable advanced network protection logging
- reboot the machine
- reproduce the issue
- turn off logging
- collect logs with ESET Log Collector and upload the generated archive here.

itman 1,807 Posted August 14, 2020

6 minutes ago, amprantino said:
> The problem appears suddenly without having added rules the last 1-2h!!

First, do as @Marcos instructed in regards to Eset log collection data.

Next, I just made a posting here: https://forum.eset.com/topic/25158-eset-monitoring-of-gateway-ipv4-dns-server-connection/ in regards to what appears to be Eset checking of gateway/router DNS server status. I am wondering if this activity might be in some way related to the mysterious DNS blocking issue you are having. Something along the line of this Eset status check fails for some reason resulting in Eset internally blocking outbound DNS traffic on your device.

itman 1,807 Posted August 14, 2020

Continuing my last posting, let's see if you can confirm my suspicions.

Create an Allow firewall rule for C:\Program Files\ESET\ESET Security\ekrn.exe. Set direction to Both. Leave protocol at default TCP & UDP. Important - set logging level to Warning. Set remote port to 53. Finally, move this rule to the top of the rule set and save your changes.

What this rule will do is create an Eset Network log entry every time Eset's ekrn.exe is performing DNS related activity.

The next time your blocked DNS activity occurs, check if a Network log entry exists for the above created rule and its date and time syncs with the time your blocked DNS activity starts. If it does, we have found the culprit. If it doesn't, delete the above created firewall rule since Eset's DNS activity is not the source of your issue.

amprantino 0 Author Posted August 17, 2020

When DNS blocking happens, ESET is also complaining that it can't access "ESET Live Grid".

I will try the above and post the results here.

thx

itman 1,807 Posted August 17, 2020 (edited)

19 minutes ago, amprantino said:
> When DNS blocking happens, ESET is also complaining that cant access "ESET Live Grid".

That would be expected behavior when all DNS traffic is being blocked as you described. Eset can't reach its LiveGrid servers.

When this DNS blocking occurs, open a command prompt window and enter:

ipconfig /flushdns

and see if DNS connectivity is restored.

Edited August 17, 2020 by itman

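An added example (not part of the original thread and not ESET tooling): a PowerShell check to run when the blocking starts, which queries each DNS server Windows has configured over UDP and then TCP port 53 and timestamps every result so it can be lined up with the ESET Network log. The function name Test-DnsPath and the test name example.com are assumptions.

```powershell
# Added example: per-server DNS reachability check for Windows 10.
# Test-DnsPath and the default test name are illustrative assumptions.
function Test-DnsPath {
    param(
        [string]$Name = 'example.com'   # any name that is known to resolve
    )

    # DNS servers Windows is configured with (the list "ipconfig /all" shows).
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique

    foreach ($server in $servers) {
        foreach ($transport in 'UDP', 'TCP') {
            $query = @{
                Name        = $Name
                Server      = $server    # ask this server directly
                Type        = 'A'
                DnsOnly     = $true      # no LLMNR/NetBIOS fallback
                NoHostsFile = $true      # ignore the local hosts file
                ErrorAction = 'Stop'
            }
            if ($transport -eq 'TCP') { $query.TcpOnly = $true }

            try {
                $null = Resolve-DnsName @query
                $result = 'answered'
            }
            catch {
                # Keep the error text (for example a timeout) for the report.
                $result = $_.Exception.Message
            }

            [pscustomobject]@{
                Time      = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
                Server    = $server
                Transport = $transport
                Result    = $result
            }
        }
    }
}

Test-DnsPath | Format-Table -AutoSize
```

Running it once with the firewall enabled and once with it disabled shows which servers and transports change from an error to "answered".
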
amprantino 0 Author Posted September 1, 2020

On 8/17/2020 at 5:15 PM, itman said:
> That would be expected behavior when all DNS traffic is being blocked as you described. Eset can't reach its LiveGrid servers. When this DNS blocking occurs, open a command prompt window and enter: ipconfig /flushdns and see if DNS connectivity is restored.

It doesn't work and doing any DNS query will fail

itman 1,807 Posted September 1, 2020 (edited)

Eset has a default firewall rule for svchost.exe that allows all outbound TCP & UDP protocol traffic to remote port 53. Verify that your existing firewall rule set does not have a rule that exists prior to the default firewall rule that also specifies remote port 53. It is possible that somehow such a rule was created inadvertently by you or while running in firewall Interactive mode.

Additionally, Eset via internal proxy monitors outbound port 53 traffic. It is therefore imperative that no outbound port 53 traffic be blocked prior to the existing default firewall rule for ekrn.exe. If such a rule exists blocking outbound port 53 traffic, delete it or move it after the existing default rule for ekrn.exe.

-EDIT-

Note: a sure way to bork your DNS traffic is to fool around with Eset's default DNS firewall rule. Let's say you feel the rule is insecure. So you disable it and add your own DNS rule, let's say specifying your ISP or third party DNS server IP addresses as remote IP addresses. As noted above, this busts the default ekrn.exe rule which is filtering DNS traffic via proxy. The end result is all your outbound DNS traffic is blocked.

Edited September 1, 2020 by itman

Zugzwang 0 Posted September 29, 2020

Hi All,

Was this ever finally resolved with the issue identified? @itman how did you continue?

I had the same issue today with name servers being blocked. I did install over a previous version after testing scenario on a local dev server. Everything was fine for hours then port 53 was blocked.

I need to investigate further.

itman 1,807 Posted September 29, 2020

21 minutes ago, Zugzwang said:
> Was this ever finally resolved with the issue identified. @itman how did you continue?

I assume it was resolved by the OP since no replies have been received since Sept. 1.

Eset's default DNS server rule basically allows all outbound port 53 UDP traffic originating from svchost.exe. However, Eset will capture all local DNS servers being used as a result of DHCP initialization processing. These are shown in Eset firewall settings -> Zones -> DNS Servers.

Really can't see how Eset could block port 53 traffic unless it was inbound port 53 traffic which should not occur.