Tech Support HELL

Based on the analysis tool on the guy's website and the patch that was published for BIND, I suspect ZoneAlarm incorrectly assumed that all legitimate DNS traffic originates on port 53, some other fixed port, or a small range of ports. If so (I'm waiting for an XP VM to patch and reboot here) this most certainly is ZoneAlarm's fault. This has been a known issue with how most DNS resolvers work since DJB started bitching about it in July 2001.

I'll post again after I do some tcpdumping.

From:

Yep. The unpatched DNS Client service just used a sequentially assigned port that it got on startup. Occasionally (heavy DNS loads) it would obtain more. But it reuses them for a long time. I suspect its breaking up the load across threads and each thread uses it's own port, but don't feel like attaching a debugger to it to see. The patched service is using a unique port each time in the range 40,000 - 65,535.

From:

Are you f-ing kidding me? Legit DNS traffic can be assumed to be destined for 53, but you can make no such assumption as to what the originating port is. After all, most of the network code I write just grabs a port - I don't care which one.

From:

These types of misconceptions about DNS traffic were the bane of IANA until they decided to just break compatibility.

From:

What bugs the living shit out of me is why the hell ZoneAlarm's even bothering with DNS traffic.

Shouldn't a firewall just deny/allow traffic to preset ports or to detect suspicious activity?

From:

ZoneAlarm is the buggiest piece of shit ever. ZoneAlarm does fun things like make tracert return ONE FUCKING HOP.

Firewalls shouldn't hose major Windows DLLs either.

From:

tracert.. is that like traceroute for OS's with some archaic 8.3 naming format? ;-)

From:

thecrazyfinn.livejournal.com

Every OS requires a firewall if running services, especially if its not behind a hardware firewall.

I run active firewalls on my Linux, OS X and Windows boxes.

From:

The difference is that on Linux you can run a fully functioning system that doesn't listen on any port and thus does not require a firewall. Last time I tried that with Windows copy+paste stopped working. (No really, copy+paste apparently involves the RPC port mapper, which I had killed off)

Until 2 years ago I didn't bother with firewalls if the only open port was 22. With all the SSH dictionary attacks I see today I tend to set people up with fail2ban which uses iptables to lock out hosts with try that.

From:

mouser.livejournal.com

...copy+paste apparently involves the RPC port mapper, which I had killed off...

*blink*

I think that may be the answer to a problem I had, actually...

From:

Well the only way to shutdown that service (I'm pretty sure it was the RPC portmapper) is to disable the autoreboot windows tries to do if the service fails.

BTW this was also the easy way to patch boxes infected with that one worm that would crash the RPC portmapper and trigger the 60 second countdown of doom :)

From:

Can't you just configure it to only listen on 127.0.0.1?

Oh, wait, right, Windows. You don't need to do that. This is not the functionality you are looking for.

From:

I wouldn't say requires, but I would say that it is a good idea.

I also wouldn't put in "if running services". Assuming a simple "incoming only" firewall, some malicious bit of software could start listening and the firewall would block things from being able to connect to it, so it is useful even if not running anything. Contrarily, if I have SSH open to the world, and the firewall lets everything on 22 through, then the firewall does very little.

I use it to reinforce rules I already have. So, if SSH is set via hosts.allow and hosts.deny to wrap to the local subnet, my firewall rules are the same. Thus, if either of them fails, the other will hopefully not. Defense in depth and all that.

Right now I have the firewall blocking incoming stuff only. I need to set it up to monitor and block unauthorized outgoing too...

From:

superbus.livejournal.com

I'm so glad I work in a job where I don't support local PCs.

From:

I don't either. ISP tech.

From:

barbituratecat.livejournal.com

ISP tech here as well, however we still have to deal with 'OH ma god, ma internets aint workin, what did you guys DO?!?!' and then explain to them that it's not us. Fun!

From:

donnaidh-sidhe.livejournal.com

On the bright side, I've had a lot of two-minute resolutions that did wonders for my call stats.

From:

devilish69angel.livejournal.com

almost every single call i had today was this and of course some end users didn't want to believe it nor take down their firewall cause of course they would be hacked immediately...GAH!

But i do agree with donnaidh_sidhe --> yay fast call resolution!

From:

vampireborg.livejournal.com

I JUST talked a friend through fixing this, good thing I saw this cos otherwise I would have not been able to figure out what the fuck.

Am so glad I switched to Fedora.

From: