[identity profile] taiki.livejournal.com posting in [community profile] techrecovery
FIX YOUR FUCKING FIREWALL.

how about this instead

Dear Users,

Stop using an OS that requires a firewall.

either way

no love

[livejournal.com profile] taiki

Date: 2008-07-10 12:59 am (UTC)
From: [identity profile] trayce.livejournal.com
M$ released a patch y'day that has fubared ZoneAlarm completely, apparently. I'm overhearing my support guys talking about nothing else so far this morning... guh.

Date: 2008-07-10 01:41 am (UTC)
From: [identity profile] the-reda.livejournal.com
Vista or XP?

Date: 2008-07-10 01:48 am (UTC)
From: [identity profile] brownizs.livejournal.com
Both, and for XP, SP3 was the culprit with the DNS fix. Of course, the latest update came along with the lines of this little gem http://it.slashdot.org/article.pl?sid=08/07/08/195225

Date: 2008-07-10 01:56 am (UTC)
From: [identity profile] thecrazyfinn.livejournal.com
Every OS requires a firewall if running services, especially if it's not behind a hardware firewall.

I run active firewalls on my Linux, OS X and Windows boxes.

Date: 2008-07-10 02:32 am (UTC)
From: [identity profile] superbus.livejournal.com
I'm so glad I work in a job where I don't support local PCs.

Date: 2008-07-10 02:47 am (UTC)
From: [identity profile] jon787.livejournal.com
Based on the analysis tool on the guy's website and the patch that was published for BIND, I suspect ZoneAlarm incorrectly assumed that all legitimate DNS traffic originates on port 53, some other fixed port, or a small range of ports. If so (I'm waiting for an XP VM to patch and reboot here) this most certainly is ZoneAlarm's fault. This has been a known issue with how most DNS resolvers work since DJB started bitching about it in July 2001.

I'll post again after I do some tcpdumping.

Date: 2008-07-10 02:54 am (UTC)
From: [identity profile] jon787.livejournal.com
The difference is that on Linux you can run a fully functioning system that doesn't listen on any port and thus does not require a firewall. Last time I tried that with Windows copy+paste stopped working. (No really, copy+paste apparently involves the RPC port mapper, which I had killed off)

Until 2 years ago I didn't bother with firewalls if the only open port was 22. With all the SSH dictionary attacks I see today I tend to set people up with fail2ban, which uses iptables to lock out hosts that try that.

Date: 2008-07-10 03:35 am (UTC)
From: [identity profile] jon787.livejournal.com
Yep. The unpatched DNS Client service just used a sequentially assigned port that it got on startup. Occasionally (heavy DNS loads) it would obtain more. But it reuses them for a long time. I suspect it's breaking up the load across threads and each thread uses its own port, but I don't feel like attaching a debugger to it to see. The patched service is using a unique port each time in the range 40,000 - 65,535.

Date: 2008-07-10 03:53 am (UTC)
From: [identity profile] donnaidh-sidhe.livejournal.com
On the bright side, I've had a lot of two-minute resolutions that did wonders for my call stats.

Date: 2008-07-10 03:54 am (UTC)
From: [identity profile] mouser.livejournal.com
...copy+paste apparently involves the RPC port mapper, which I had killed off...

*blink*

I think that may be the answer to a problem I had, actually...

Date: 2008-07-10 03:56 am (UTC)
From: [identity profile] jon787.livejournal.com
Well, the only way to shut down that service (I'm pretty sure it was the RPC portmapper) is to disable the auto-reboot Windows tries to do if the service fails.

BTW this was also the easy way to patch boxes infected with that one worm that would crash the RPC portmapper and trigger the 60 second countdown of doom :)

Date: 2008-07-10 04:33 am (UTC)
From: [identity profile] devilish69angel.livejournal.com
Almost every single call I had today was this, and of course some end users didn't want to believe it nor take down their firewall, because of course they would be hacked immediately...GAH!

But I do agree with donnaidh_sidhe --> yay fast call resolution!

Date: 2008-07-10 06:22 am (UTC)
From: [identity profile] vampireborg.livejournal.com
I JUST talked a friend through fixing this, good thing I saw this cos otherwise I would have not been able to figure out what the fuck.

Am so glad I switched to Fedora.

Date: 2008-07-10 02:21 pm (UTC)
From: [identity profile] barbituratecat.livejournal.com
ISP tech here as well, however we still have to deal with 'OH ma god, ma internets aint workin, what did you guys DO?!?!' and then explain to them that it's not us. Fun!

Date: 2008-07-10 02:48 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
Are you f-ing kidding me? Legit DNS traffic can be assumed to be destined for 53, but you can make no such assumption as to what the originating port is. After all, most of the network code I write just grabs a port - I don't care which one.
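
To make the source-port point concrete, here is an added Python model (not code from anyone in this thread): a hypothetical "fixed source port" reply rule of the kind jon787 suspects ZoneAlarm used, beside a stateful filter that tracks outbound queries and admits only matching replies, both run against a client before and after the patch, plus the guess-space calculation that shows why randomized ports matter for cache poisoning resistance. The fixed port 1025, the 1024-1100 window in the legacy rule, the query count and the seed are constructed assumptions; the 40,000-65,535 range is the one jon787 reports above.

```python
import math
import random

# Constructed values for the simulation (assumptions, not measurements).
LEGACY_FIXED_PORT = 1025            # one sequentially assigned port grabbed at startup
PATCHED_RANGE = (40000, 65535)      # port range reported after the patch
TXID_BITS = 16                      # width of the DNS transaction ID

def pick_source_port(patched, rng):
    """Model the DNS client: one fixed port before the patch, a fresh random one after."""
    if patched:
        return rng.randint(*PATCHED_RANGE)
    return LEGACY_FIXED_PORT

def legacy_rule_allows(reply_src_port, reply_dst_port):
    """Hypothetical fixed-port rule: admit replies from port 53 only if they land on
    port 53 or in a small low window. This is the faulty assumption under discussion."""
    return reply_src_port == 53 and (reply_dst_port == 53 or 1024 <= reply_dst_port <= 1100)

def delivery_rate(patched, queries=200, seed=1):
    """Fraction of DNS replies the legacy rule lets back in for a given client."""
    rng = random.Random(seed)
    delivered = 0
    for _ in range(queries):
        port = pick_source_port(patched, rng)
        if legacy_rule_allows(53, port):
            delivered += 1
    return delivered / queries

class StatefulDnsFilter:
    """Correct approach: remember each outbound query and admit its reply exactly once,
    regardless of which local port the client chose."""
    def __init__(self):
        self.pending = set()               # (local_port, txid) of unanswered queries

    def outbound_query(self, local_port, txid):
        self.pending.add((local_port, txid))

    def inbound_reply(self, src_port, local_port, txid):
        key = (local_port, txid)
        if src_port == 53 and key in self.pending:
            self.pending.remove(key)       # consume it so a duplicate reply is rejected
            return True
        return False

def guess_space_bits(port_count):
    """Bits an off-path forger must guess: the TXID plus source-port entropy."""
    return TXID_BITS + math.log2(port_count)
```

With one fixed port the forger only has to guess the 16-bit TXID; the patched range adds roughly 14.6 bits, while the stateful filter keeps delivering replies either way.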

Date: 2008-07-10 02:54 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
tracert.. is that like traceroute for OS's with some archaic 8.3 naming format? ;-)

Date: 2008-07-10 02:55 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
Can't you just configure it to only listen on 127.0.0.1?

Oh, wait, right, Windows. You don't need to do that. This is not the functionality you are looking for.

Date: 2008-07-10 03:02 pm (UTC)
From: [identity profile] mattcaron.livejournal.com
I wouldn't say requires, but I would say that it is a good idea.

I also wouldn't put in "if running services". Assuming a simple "incoming only" firewall, some malicious bit of software could start listening and the firewall would block things from being able to connect to it, so it is useful even if not running anything. Contrarily, if I have SSH open to the world, and the firewall lets everything on 22 through, then the firewall does very little.

I use it to reinforce rules I already have. So, if SSH is set via hosts.allow and hosts.deny to wrap to the local subnet, my firewall rules are the same. Thus, if either of them fails, the other will hopefully not. Defense in depth and all that.

Right now I have the firewall blocking incoming stuff only. I need to set it up to monitor and block unauthorized outgoing too...

Date: 2008-07-10 06:32 pm (UTC)
From: [identity profile] mariasama16.livejournal.com
All in all, I'm glad I don't run ZA for a firewall. I used to years ago, got rid of it when I couldn't get it to allow me to FTP (I had the software allowed, but noticed that it was apparently blocking one of the ports, since disabling ZA allowed me to FTP fine). Removing that without doing a nuke and pave was a lesson in aggravation (and way too many manual deletions required).

Date: 2008-07-10 10:39 pm (UTC)
From: [identity profile] jon787.livejournal.com
These types of misconceptions about DNS traffic were the bane of IANA until they decided to just break compatibility.
