
Eset Not Monitoring IPv6 DNS Traffic



I have been monitoring this for a while. I have seen via Eset Network Connections tool that ekrn.exe is on occasion monitoring IPv4 DNS traffic. But it is not doing so for IPv6 traffic. Further, I observe ekrn.exe proxy connections for 127.0.0. and 0.0.0.0 but nothing for ::1 or 0.0.0.0.0.0.

Eset does recognize the IPv6 server IP address/s in the DNS zone in Network Protection settings.

My old AT&T router is basically an IPv4-only router that AT&T modified to accommodate IPv6 traffic. Since it doesn't have IPv6 DNS server circuitry, the router connects to a dedicated IPv6 DNS server array on the AT&T network. It then establishes and connects via IPv6 tunnel to a pseudo dedicated IPv6 address DNS server on my local subnet. This local subnet DNS server is nothing more than a DNS address resolution cache similar to the one that exists in Windows. Note again that Eset recognizes both the external and internal IPv6 DNS servers in the DNS zone.

Does Eset only recognize local subnet based DNS servers? 

Edited by itman

  • 1 month later...

I finally was able to get Eset to properly detect and monitor IPv6 DNS traffic on my device. Doing so is best described as "an adventure through networking hell." To begin and overall, I can't fault Eset here. However, anyone using Eset will have issues if their network environment mirrors mine. So let's get into the "nitty gritty" on this issue.

Two features were instrumental in resolving this issue. Why I never used them previously is beyond me. These are:

netstat -r

ipconfig /displaydns

Some background detail.

My ISP is AT&T. My router/gateway is an AT&T Pace 5268AC.

Checking Win 10 IPv6 settings in the registry yields that I have a DHCP IPv6 DNS server assigned to IP address xxxx:xxxx:xxxx:2421::1.

netstat -r shows that my local link assigned IPv6 address range is xxxx:xxxx:xxxx:2420::/64. At this point note that my assigned IPv6 DNS server is not within this range.

My fe80:: address-based IPv6 LAN gateway IP address range, however, is xxxx:xxxx:xxxx:2420::/60. Note that the xxxx:xxxx:xxxx:2421::1 IPv6 DNS server address is within the xxxx:xxxx:xxxx:2420::/60 range.

Overall, the gist of the problem is that when Eset sets up a network connection for my device network adapter, it is assigning the IPv6 local link address range; i.e. xxxx:xxxx:xxxx:2420::/64. The problem is that for the router to properly assign via DHCPv6 the connection of the IPv6 DNS server to a predefined IPv6 DHCP server allocated to IP address xxxx:xxxx:xxxx:2420::1, it must have full unrestricted access to the IPv6 LAN gateway IP address range of xxxx:xxxx:xxxx:2420::/60. Add to the above that Eset's default DHCPv6 server firewall rule doesn't work and had to be modified to a more generic version excluding any specific IP address references.

Now I was going to post all the details of what goes on in reference to the above. Instead, I will just state that:

1. A binding is made to the predefined IPv6 DHCP server allocated to IP address of xxxx:xxxx:xxxx:2420::1 for the IPv6 DNS server located at IP address xxxx:xxxx:xxxx:2421::1.

Quote

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : homeportal


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : xxxxxxx.net


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : igateway


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : gateway


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : api.home


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 82903
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : dsldevice


    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa
    Record Type . . . . . : 28
    Time To Live  . . . . : 82903
    Data Length . . . . . : 16
    Section . . . . . . . : Additional
    AAAA Record . . . . . : xxxx:xxxx:xxxx:2421::1

 

2. A binding is made to the IPv4 DHCP gateway for IPv6 DNS server located at IP address xxxx:xxxx:xxxx:2421::1.

Quote

xxx.1.168.192.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : homeportal


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : xxxxxxx.net


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : igateway


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : gateway


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : api.home


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 12
    Time To Live  . . . . : 27000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    PTR Record  . . . . . : dsldevice


    Record Name . . . . . : xxx.1.168.192.in-addr.arpa
    Record Type . . . . . : 28
    Time To Live  . . . . : 27000
    Data Length . . . . . : 16
    Section . . . . . . . : Additional
    AAAA Record . . . . . : xxxx:xxxx:xxxx:2421::1

 

3. Ipv4only.arpa assignment; i.e. NAT64 and DNS64, is made in reference to item 2, whereby AT&T "encapsulates" IPv4 DNS traffic in IPv6 packets for transmission through their network. Upon reaching the router, they are converted back into normal IPv4 address format.

Quote

ipv4only.arpa
    ----------------------------------------
    Record Name . . . . . : ipv4only.arpa
    Record Type . . . . . : 1
    Time To Live  . . . . : 71576
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.0.171


    Record Name . . . . . : ipv4only.arpa
    Record Type . . . . . : 1
    Time To Live  . . . . : 71576
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.0.170

 

Bottom line - default Eset private network trusted network IP address assignment will not work in this situation. Eset needs to modify Network Protection processing to assign IPv6 local subnet trusted address range using that assigned to IPv6 fe80 LAN gateway versus IPv6 local link assigned address range.

-EDIT- Forgot an important detail.

Neither Eset nor Win10 recognize the IPv6 DHCP server/gateway allocated to IP address of xxxx:xxxx:xxxx:2420::1 as a DHCPv6 server. Both, if recognized, treat it as an IPv6 DNS server.

Edited by itman
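
The prefix comparison described in the post above, as an added example that is not part of the original post: it reads `ipconfig /displaydns` style output, decodes each ip6.arpa record name back to an address, and reports whether that address and each AAAA value fall inside the /64 local link range or only inside the wider /60 gateway range. The 2001:db8:: addresses and the function names are constructed for illustration, because the post masks its real prefix.

```python
import ipaddress
import re

# Constructed stand-ins: the post masks its prefix, so the 2001:db8::/32
# documentation range is used with the same 2420/2421 subnet IDs.
LINK_RANGE = ipaddress.ip_network("2001:db8:0:2420::/64")     # range shown by netstat -r
GATEWAY_RANGE = ipaddress.ip_network("2001:db8:0:2420::/60")  # LAN gateway range

# Constructed excerpt in the layout printed by `ipconfig /displaydns`.
SAMPLE = """\
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
    Record Type . . . . . : 12
    PTR Record  . . . . . : homeportal

    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.2.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
    Record Type . . . . . : 28
    AAAA Record . . . . . : 2001:db8:0:2421::1
"""

def ptr_name_to_ipv6(name):
    """Decode an ip6.arpa owner name (32 reversed nibbles) into an address."""
    name = name.lower().rstrip(".")
    if not re.fullmatch(r"(?:[0-9a-f]\.){32}ip6\.arpa", name):
        raise ValueError("not a full ip6.arpa name: " + name)
    nibbles = name.split(".")[:32]
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def scope(addr):
    """Place an address relative to the /64 local link range and the /60."""
    if addr in LINK_RANGE:
        return "inside /64"
    if addr in GATEWAY_RANGE:
        return "inside /60 only"
    return "outside both"

def audit(text):
    """Map every address found in the cache text to its scope."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition(" : ")
        field = re.sub(r"[ .]+$", "", key.strip())  # drop the dotted padding
        value = value.strip()
        if field == "Record Name" and value.lower().endswith(".ip6.arpa"):
            addr = ptr_name_to_ipv6(value)
        elif field == "AAAA Record":
            addr = ipaddress.IPv6Address(value)
        else:
            continue
        found[str(addr)] = scope(addr)
    return found
```

With the constructed sample, the record name decodes to the ...2420::1 address, which is inside the /64, while the ...2421::1 AAAA value is inside the /60 only, so a trusted zone built from the /64 alone does not cover it.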
This topic is now closed to further replies.