amprantino

ESET blocking all DNS requests in Interactive mode


Posted (edited)

I am using Interactive mode. ESET is blocking all DNS requests for some reason.

So nothing works... Let's focus on browsing with Firefox. (It's not browser related, as the same problem also appears in the Edge browser; the error description is "DNS_PROBE_FINISHED_NXDOMAIN", so it's a DNS issue.)

 

If I disable Network Protection > Firewall everything is OK :)

1) I have tried to uninstall and delete all the configuration but it appears again and again

2) I created a rule at the top permitting all DNS requests. The problem remains. (Allow all TCP/UDP Remote Port 53)

3) Temporary IP address blacklist is zero & Recently blocked application or devices is zero.

4) I tried to create some logs Help > Details for Technical Support Advanced Logging > Edit the file and search for firefox.

I don't see any entry.

Any idea how to troubleshoot the problem or what is causing the issue?

This behavior appears every few months and I don't know why it appears again and again.

I am using ESET Internet Security version 13.2.16.0, Windows 10 Pro (64-bit)

Thank you

 

Edited by amprantino


If you open advanced setup and navigate to Firewall -> Advanced -> Zones, do you see your DNS servers listed? They should match the DNS servers reported by ipconfig /all.

Also I'd suggest exporting the configuration and resetting settings to defaults and see if it makes a difference. Does it work in automatic mode?

Posted (edited)
1 hour ago, Marcos said:

If you open advanced setup and navigate to Firewall -> Advanced -> Zones, do you see your DNS servers listed? They should match the DNS servers reported by ipconfig /all.

Also I'd suggest exporting the configuration and resetting settings to defaults and see if it makes a difference. Does it work in automatic mode?

Yes, they match and they are updated correctly if I change them in Windows.

Automatic mode is also not working :( (just tested)

If I reset to default it works for a few weeks or months and then again the same problem appears.

 

 

Edited by amprantino


Here's an article on fixes for the "DNS_PROBE_FINISHED_NXDOMAIN" issue: https://www.hostinger.com/tutorials/fix-dns_probe_finished_nxdomain.

2 hours ago, amprantino said:

This behavior appears every few months and I don't know why it appears again and again

This would be indicative of an issue with your ISP provider and/or VPN provider if you are using a VPN.

Note that if Eset was the cause, this behavior would be constant and not of a sporadic nature.

Posted (edited)

It's not related to ISP, it is 100% related to ESET:

1. I am not using VPN

2. It's not DNS related: I have tried with numerous DNS and other PCs in the network can do queries to them while ESET is blocking queries on my PC

3. I am not using Edge, I just tried it to confirm that it wasn't a Firefox issue. But the problem appears in both browsers.

 

As soon as the problem appears, it is constant. I have to disable the firewall to access anything.

Edited by amprantino

15 minutes ago, amprantino said:

It's not related to ISP, it is 100% related to ESET:

It's not clear how you arrived at this conclusion. Does the problem disappear if Eset is uninstalled and you're only using the Windows firewall and Windows Defender?


When I change to Automatic mode, do I have to restart Windows for it to take effect?

13 minutes ago, itman said:

It's not clear how you arrived at this conclusion. Does the problem disappear if Eset is uninstalled and you're only using the Windows firewall and Windows Defender?

If I uninstall ESET, yes, the problem disappears.

If I disable the ESET firewall, yes, the problem disappears.

Can you please explain why you think the issue is ISP related?

1 hour ago, amprantino said:

Can you please explain why you think the issue is ISP related?

As I posted previously, because the problem is intermittent. As you stated:

2 hours ago, amprantino said:

If I reset to default it works for a few weeks or months and then again the same problem appears.

What I would recommend is setting the Eset firewall back to default values. This will reset Filtering mode back to Automatic which will allow all outbound traffic unless specifically blocked by an existing Eset default firewall rule. Also, only Eset default firewall rules would exist.

At this point, you should have no further DNS issues. If you do, we can rule out Eset as the source.

If you want to block some outbound network traffic, you can manually create a firewall rule to do so. I would do so carefully by monitoring after each rule creation if this existing DNS behavior reappears.


A few comments about DNS firewall rules:

1. Eset's default DNS firewall allows both outbound TCP and UDP traffic port 53.

2. Windows uses mDNS outbound port 5353 as a fallback for DNS traffic. As such, this traffic should not be blocked.

16 hours ago, itman said:

A few comments about DNS firewall rules:

1. Eset's default DNS firewall allows both outbound TCP and UDP traffic port 53.

2. Windows uses mDNS outbound port 5353 as a fallback for DNS traffic. As such, this traffic should not be blocked.

 

The first rule is mine, inserted at the top of the list. The rest of the rules are predefined and I cannot edit them.

 

Posted (edited)
18 hours ago, itman said:

As I posted previously, because the problem is intermittent. As you stated:

What I would recommend is setting the Eset firewall back to default values. This will reset Filtering mode back to Automatic which will allow all outbound traffic unless specifically blocked by an existing Eset default firewall rule. Also, only Eset default firewall rules would exist.

At this point, you should have no further DNS issues. If you do, we can rule out Eset as the source.

If you want to block some outbound network traffic, you can manually create a firewall rule to do so. I would do so carefully by monitoring after each rule creation if this existing DNS behavior reappears.

The problem is not intermittent! Let me describe better:

I have a clean ESET installation. Everything works perfectly. Suddenly after a few weeks all DNS requests are blocked.

To keep working I have to disable ESET firewall (permanently) or reinstall ESET from scratch. If I reinstall everything is working. Something is blocking DNS requests.

So I have started this post because I have reinstalled it already 3-4 times and I want to find the root of the problem.

 

Update: After I set it to Automatic mode and restarted my PC everything works; DNS is not blocked. So it should be a problematic rule in the firewall/Interactive Mode!

Edited by amprantino

58 minutes ago, amprantino said:

Update: After I set it to Automatic mode and restarted my PC everything works; DNS is not blocked. So it should be a problematic rule in the firewall/Interactive Mode!

Exactly.

As I posted previously, you can't just set outbound block rules en masse. This is a sure recipe for borking necessary Win outbound network traffic. Each block rule needs to be thoroughly tested for impact before permanently allowing it.

Posted (edited)
20 hours ago, itman said:

Exactly.

As I posted previously, you can't just set outbound block rules en masse. This is a sure recipe for borking necessary Win outbound network traffic. Each block rule needs to be thoroughly tested for impact before permanently allowing it.

The problem appears suddenly without having added rules in the last 1-2h!!

Does ESET have a way to export accurate logs when it is blocking DNS requests so I can detect which rule is causing the issue?

Edited by amprantino


Please carry on as follows:
- in the adv.setup -> diagnostics -> advanced logging enable advanced network protection logging
- reboot the machine
- reproduce the issue
- turn off logging
- collect logs with ESET Log Collector and upload the generated archive here.

6 minutes ago, amprantino said:

The problem appears suddenly without having added rules in the last 1-2h!!

First, do as @Marcos instructed in regards to Eset log collection data.

Next, I just made a posting here: https://forum.eset.com/topic/25158-eset-monitoring-of-gateway-ipv4-dns-server-connection/ in regards to what appears to be Eset checking of gateway/router DNS server status. I am wondering if this activity might be in some way related to the mysterious DNS blocking issue you are having. Something along the line of this Eset status check fails for some reason resulting in Eset internally blocking outbound DNS traffic on your device.


Continuing my last posting, let's see if you can confirm my suspicions.

Create an Allow firewall rule for C:\Program Files\ESET\ESET Security\ekrn.exe. Set direction to Both. Leave protocol at default TCP & UDP. Important - set logging level to Warning. Set remote port to 53. Finally, move this rule to the top of the rule set and save your changes.

What this rule will do is create an Eset Network log entry every time Eset's ekrn.exe is performing DNS related activity. The next time your blocked DNS activity occurs, check if a Network log entry exists for the above created rule and its date and time syncs with the time your blocked DNS activity starts. If it does, we have found the culprit. If it doesn't, delete the above created firewall rule since Eset's DNS activity is not the source of your issue.


When DNS blocking happens, ESET is also complaining that it can't access "ESET Live Grid".

I will try the above and post here the results

thx

 

Posted (edited)
19 minutes ago, amprantino said:

When DNS blocking happens, ESET is also complaining that it can't access "ESET Live Grid".

That would be expected behavior when all DNS traffic is being blocked as you described. Eset can't reach its LiveGrid servers.

When this DNS blocking occurs, open a command prompt window and enter:

ipconfig /flushdns

and see if DNS connectivity is restored.

Edited by itman
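
One way to check DNS connectivity per server and per transport while the blocking is in effect, as an added example that is not part of the original post: it sends a single query to each DNS server over UDP and TCP port 53 and separates a timeout (no reply at all) from a real DNS answer such as NXDOMAIN. The script, its function names and the `example.com` test name are assumptions of this example; it handles IPv4 servers only.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id, enough for a one-shot probe

def build_query(name):
    """Build a minimal DNS query for the A record of `name` (RD flag set)."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data):
    """Return the response code name, or MALFORMED if this is not our reply."""
    if len(data) < 12:
        return "MALFORMED"
    txid, flags = struct.unpack(">HH", data[:4])
    if txid != TXID or not flags & 0x8000:  # wrong id or QR bit not set
        return "MALFORMED"
    return RCODES.get(flags & 0x000F, "RCODE_%d" % (flags & 0x000F))

def probe(server, name, tcp=False, timeout=3.0):
    """Send one query to server:53 and classify what came back."""
    query = build_query(name)
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as sock:
            sock.settimeout(timeout)
            sock.connect((server, 53))
            if tcp:  # DNS over TCP prefixes each message with a 2-byte length
                sock.sendall(struct.pack(">H", len(query)) + query)
                data = sock.recv(4096)[2:]
            else:
                sock.send(query)
                data = sock.recv(4096)
    except socket.timeout:
        return "TIMEOUT"  # nothing came back: dropped on the way out or in
    except OSError as exc:
        return "ERROR:" + type(exc).__name__  # e.g. refused or denied locally
    return parse_reply(data)

if __name__ == "__main__":
    for server in sys.argv[1:]:  # pass the servers that ipconfig /all reports
        for tcp in (False, True):
            print(server, "tcp" if tcp else "udp", probe(server, "example.com", tcp))
```

If every server reports TIMEOUT on both transports from this PC while another PC on the same network gets NOERROR from the same servers, the traffic is being stopped locally rather than by the resolver.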

On 8/17/2020 at 5:15 PM, itman said:

That would be expected behavior when all DNS traffic is being blocked as you described. Eset can't reach its LiveGrid servers.

When this DNS blocking occurs, open a command prompt window and enter:

ipconfig /flushdns

and see if DNS connectivity is restored.

It doesn't work and doing any DNS query will fail.


Eset has a default firewall rule for svchost.exe that allows all outbound TCP & UDP protocol traffic to remote port 53. Verify that your existing firewall rule set does not have a rule that exists prior to the default firewall rule that also specifies remote port 53. It is possible that somehow such a rule was created inadvertently by you or while running in firewall Interactive mode.

Additionally, Eset via internal proxy monitors outbound port 53 traffic. It is therefore imperative that no outbound port 53 traffic be blocked prior to the existing default firewall rule for ekrn.exe. If such a rule exists blocking outbound port 53 traffic, delete it or move it after the existing default rule for ekrn.exe.

-EDIT- Note: a sure way to bork your DNS traffic is to fool around with Eset's default DNS firewall rule. Let's say you feel the rule is insecure. So you disable it and add your own DNS rule, let's say specifying your ISP or third party DNS server IP addresses as remote IP addresses. As noted above, this busts the default ekrn.exe rule which is filtering DNS traffic via proxy. The end result is all your outbound DNS traffic is blocked.

Edited by itman
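
The ordering check described above, as an added example that is not part of the original post and not ESET code: it lists every outbound rule placed ahead of the default DNS rule whose remote ports cover 53, including port ranges and rules with no port restriction. The rule list, its field names and the default rule's name are constructed for illustration; application and protocol scoping are not modelled, so each hit is a rule to inspect by hand.

```python
# Constructed rule list, top to bottom. The field names are made up for this
# sketch and are not ESET's export format.
RULES = [
    {"name": "Allow all DNS (user rule)", "action": "allow", "direction": "both", "remote_ports": "53"},
    {"name": "Browser web access", "action": "allow", "direction": "out", "remote_ports": "80,443"},
    {"name": "Block low ports", "action": "deny", "direction": "out", "remote_ports": "1-1024"},
    {"name": "Block inbound", "action": "deny", "direction": "in", "remote_ports": ""},
    {"name": "DEFAULT allow DNS for svchost.exe", "action": "allow", "direction": "out", "remote_ports": "53"},
    {"name": "Block DNS for one app", "action": "deny", "direction": "out", "remote_ports": "53"},
]
DEFAULT_NAME = "DEFAULT allow DNS for svchost.exe"  # placeholder, not the real rule name

def port_matches(spec, port):
    """True if a spec such as '53', '80,443', '1-1024' or '' (any port) covers `port`."""
    if not spec.strip():
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def rules_ahead_of_default(rules, default_name, port=53):
    """Return (position, name, action) for outbound rules above the default that cover `port`."""
    hits = []
    for pos, rule in enumerate(rules, start=1):
        if rule["name"] == default_name:
            return hits  # rules below the default are not ahead of it
        if rule["direction"] in ("out", "both") and port_matches(rule["remote_ports"], port):
            hits.append((pos, rule["name"], rule["action"]))
    raise ValueError("default rule %r not found" % default_name)

if __name__ == "__main__":
    for pos, name, action in rules_ahead_of_default(RULES, DEFAULT_NAME):
        print("%d: %s (%s) covers remote port 53 ahead of the default rule" % (pos, name, action))
```

Searching the rule list for the literal text "53" would miss the `1-1024` deny rule, which is why the port specification is parsed rather than string-matched.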
