Windows 7 64bit Firewall drops incoming DNS udp packets

  • Question

  • For several days it has seemed like DNS is failing with no responses (web pages don't load, even ping cannot resolve addresses). But my surprise was great when I found out that the actual culprit is Windows' own firewall:

     

     

    2011-07-02 16:54:30 DROP UDP 8.8.4.4 192.168.0.10 53 50188 104 - - - - - - - RECEIVE

    2011-07-02 16:54:31 DROP UDP 8.8.4.4 192.168.0.10 53 54141 74 - - - - - - - RECEIVE

     

     

    Why is this happening? I have tried with several DNS servers: my ISP's DHCP addresses (both automatic and manual), Google DNS (currently selected), OpenDNS. No matter which one I use, the resulting log entries look like the above.

    I have no idea what's causing this except a hunch about my connection's lagginess: could it be that the DNS query somehow times out, and that's why Windows Firewall doesn't permit it back in?

    BUT, even that shouldn't theoretically happen, because I have created an extra incoming rule permitting ALL remote (any address) port 53 (remote: 53, local: any) UDP traffic in! And this is why I am exceptionally puzzled.

    I have observed DNS traffic with NetMon for clues but nothing special has popped out. I am not a DNS or networking pro, so I don't know what to be on the lookout for.

     

    Edit: the only strangeness is that the browser seems to be re-querying DNS for stuff that should already be well known, like *.facebook.com etc. But this is not just a browser problem; all net use is affected.

    Edit: Just got DNS timeouts on nslookup; the timeout was 2 seconds. Increased it to 10 seconds, still nothing happened on the first try, only the second try brought results. However there are no dropped packets in the firewall log. Does this mean I'm suffering from an extremely laggy connection? Is there a way to increase the DNS timeout for the whole system?

    Edit: NetMon shows 3 requests sent, 0 received. Firewall log shows 0 dropped.

    Saturday, July 2, 2011 2:22 PM

All replies

  • So... is it possible to relax DNS timings somewhere? Or what can I do? This only happens with higher network load, however not anywhere near max capacity (only 40-60 MB/s on GB Ethernet). Is the Windows Firewall flaky? I don't think it should ever do that.

     

    Sunday, July 3, 2011 8:37 PM
  • Here it's happening again on a massive scale, and interestingly both my network and workstation are very lightly loaded (cpu <20%, network <1%, no mentionable disk IO):

     

    2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

    2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE

     

    This is not all of it, just an example of how Windows Firewall can suddenly decide to drop ALL my DNS packets, making network use impossible.

     

    Monday, July 4, 2011 1:03 PM
  • Hi,

     

    I would like to know if you made any changes before the issue occurred. What is your connection type? Where is your location?

     

    Regarding the issue, I suggest you refer to the following methods for testing.

     

    1. Reinstall the network adapter driver from the manufacturer's site.

    2. Disable or reset Windows Firewall.

    3. Check if any router is used. If so, update firmware and reset it.

     

    Also please help me collect the following information for further research. Open CMD with administrator privileges and try the following commands, then paste the result here.

     

    nslookup

    server 8.8.4.4

    technet.microsoft.com

     

    Best Regards,

    Niki


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 6, 2011 2:21 AM
    Moderator
  • I have not made any changes, not run any "optimizer" (learned my lesson about the reality of these a long time ago). Connection is 100 Mb/s cable with effective throughput varying between 3-9 MB/s.

     

    Well, it is obvious that the firewall cannot drop packets any more if it's disabled, right? Just did "Restore default policy" for Windows Firewall, will continue observing the situation. Reinstalling the driver will have to wait; there is no possibility for that now, as this machine is in production use. The router is brand new (less than 3 months old) but I don't think it can be a router problem, because this did not happen from the start, only for the last 2 weeks or so, and the router settings have not been tampered with since they were set up (and just re-checked, there is nothing regarding DNS packets there, just a plain vanilla setup). Unfortunately I cannot recall anything done in the last 2-3 weeks that would have affected the adapter/connection/DNS.

     

     

    > server 8.8.4.4

    Default Server:  google-public-dns-b.google.com

    Address:  8.8.4.4

     

    > technet.microsoft.com

    Server:  google-public-dns-b.google.com

    Address:  8.8.4.4

     

    Non-authoritative answer:

    Name:    technet.microsoft.akadns.net

    Address:  65.55.11.240

    Aliases:  technet.microsoft.com

     

     

    So this far the source of the problem remains a mystery. Will try to keep this topic updated when there is more information. What I would like to know is whether there is a possibility to relax DNS query timings for heavily used connections?

     


    Wednesday, July 6, 2011 8:11 AM
  • Hi,

     

    The DNS result is normal. Please check if there is any proxy used through Internet Explorer. How about other computers in the same network?

     

    Clear proxy

    ---------------

    a. Open "Internet Explorer" -> Under "Tools" -> select "Internet Options" -> Click on the "Connections" tab -> Click "LAN Settings".

    b. Uncheck any option in this window.

    c. Click "Start" ->type cmd in search box -> right click cmd and run as administrator.

    d. type the following command:

     

    proxycfg -d

     

    Also use ipconfig /all command and paste the result here.

     

    Best Regards,

    Niki


    Monday, July 18, 2011 9:56 AM
    Moderator
  • There is no proxy, settings were as you suggested already (no boxes ticked), the command "proxycfg" is not found (Win 7 x64 Ultimate) (I have never ever used a proxy).

    I'm sorry but I'm unwilling to paste the results of ipconfig /all for privacy reasons. However there is nothing out of the ordinary: DHCP server, obtained IPv4 address, default gateway, 2 assigned DNS servers, NetBIOS over TCP/IP: enabled.

     

    Monday, July 18, 2011 3:05 PM
  • Hi,

    There isn't a way to increase the DNS query timeout value. There is only a way to increase the timeout value for nslookup. From the description, you have tried to restore the default policy for Windows Firewall. What was the result of it? Does Windows Firewall still drop the packets after that?

    Best Regards,

    Scott Xie

    Tuesday, July 19, 2011 8:49 AM
  • Yes, it's still happening after the firewall policy reset, and always in batches, most often several dropped packets at a time. Actually I got so frustrated by this that this is now a completely new clean Windows 7 x64 Ultimate install with only updates and SP1 applied, and the problem still persists. So who knows how long this has been happening (always?), it's just that I have only now woken up to it after analyzing the firewall logs in detail after experiencing excessive browsing difficulties (unresolved DNS) during heavy network utilization.

    Sent from DNS server port 53 (the real DNS server IPs obtained from DHCP, not a case of attempted DNS cache poisoning), to a random-numbered UDP port (high port, seems to be always >50k) on this machine.

    Hmm, that makes me think: could it be possible that the Windows default firewall rules only allow incoming DNS to local port 53, or only to Windows' own DNS handler? These DNS queries are probably sent by the Chrome browser, at least the high UDP port makes me suspect so.

    But even then that shouldn't happen, because like originally stated,

    "created an extra incoming rule permitting ALL remote (any address) port 53 (remote: 53, local: any) UDP traffic in" -- yet that didn't help at all. (Sorry, I don't remember whether edge traversal was allowed here or not.)

    My firewall logfile is now set at 16 MB in size and goes back 4 days, and there are 168 cases of dropped DNS packets in that time, even though my network has been only very lightly utilized in this time (no sustained peaks anywhere near max capacity).

    Testing a new hypothesis now: that these packets are dropped because Windows Firewall thinks they are unsolicited edge traversal packets. Created new  firewall rules allowing all packets in to Chrome with edge traversal allowed. Next few days will show if this has any effect.


    Tuesday, July 19, 2011 12:05 PM
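As an added example (not part of the thread, and not Microsoft's or the poster's code): a small Python triage script for the W3C-format pfirewall.log lines quoted in the 4 July post and characterised in the 19 July post (UDP from remote port 53 to a local high port, path RECEIVE, action DROP). It groups dropped answers by local port, so a query that was retried against every configured resolver shows up as one port with several sources, and it separately flags dropped "answers" from addresses that are not configured resolvers, which is the spoofing check the poster says he ruled out. It assumes the column order given in the `#Fields:` header that Windows Firewall writes. The resolver list (8.8.8.8, 8.8.4.4, 208.67.222.222) and the five DNS drop lines come from the thread; the header lines and the three non-DNS sample lines are constructed for the demonstration.

```python
"""Triage dropped inbound DNS answers in a Windows Firewall log (pfirewall.log)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Column order from the '#Fields:' header Windows Firewall writes (17 columns).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Resolvers the poster had configured, taken from the thread.
CONFIGURED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222"}

# Sample log: header reconstructed, DNS drop lines copied from the 4 July post,
# the ALLOW/SEND line, the TCP 445 line and the 203.0.113.9 line constructed.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-07-04 15:56:56 ALLOW UDP 192.168.0.10 8.8.8.8 35366 53 60 - - - - - - - SEND
2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:57:01 DROP TCP 192.168.0.77 192.168.0.10 49321 445 52 S 0 0 8192 - - - RECEIVE
2011-07-04 15:57:03 DROP UDP 203.0.113.9 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
"""


@dataclass(frozen=True)
class Entry:
    when: datetime
    action: str      # ALLOW / DROP
    protocol: str    # UDP / TCP / ICMP ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    size: int
    path: str        # SEND / RECEIVE


def _port(field: str) -> Optional[int]:
    # ICMP entries carry '-' in the port columns.
    return None if field == "-" else int(field)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for header, blank or malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return Entry(
        when=datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"),
        action=rec["action"], protocol=rec["protocol"],
        src_ip=rec["src_ip"], dst_ip=rec["dst_ip"],
        src_port=_port(rec["src_port"]), dst_port=_port(rec["dst_port"]),
        size=int(rec["size"]), path=rec["path"],
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def dropped_dns_responses(entries: List[Entry]) -> List[Entry]:
    """Inbound UDP from remote port 53 that the firewall dropped: the symptom
    in the thread. The local port must be ephemeral (a client socket), so
    drops of traffic aimed at a local DNS *server* on port 53 are not counted."""
    return [e for e in entries
            if e.action == "DROP" and e.protocol == "UDP" and e.path == "RECEIVE"
            and e.src_port == 53 and e.dst_port is not None and e.dst_port >= 1024]


def responses_by_local_port(drops: List[Entry]) -> Dict[int, List[Entry]]:
    """Group drops by the client's local port; one query retried against
    several resolvers shows up as one port with several source addresses."""
    groups: Dict[int, List[Entry]] = defaultdict(list)
    for e in drops:
        groups[e.dst_port].append(e)
    return dict(groups)


def retried_to_all_resolvers(drops: List[Entry], resolvers=CONFIGURED_RESOLVERS) -> List[int]:
    """Local ports whose dropped answers came from every configured resolver,
    i.e. the client gave up on each server in turn and every reply was lost."""
    return sorted(port for port, es in responses_by_local_port(drops).items()
                  if {e.src_ip for e in es} >= resolvers)


def unexpected_sources(drops: List[Entry], resolvers=CONFIGURED_RESOLVERS) -> List[str]:
    """Dropped 'answers' from hosts that are not configured resolvers. These are
    unsolicited by definition (spoofed replies look exactly like this) and
    deserve a look; dropped answers from real resolvers are the thread's bug."""
    return sorted({e.src_ip for e in drops if e.src_ip not in resolvers})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    drops = dropped_dns_responses(entries)
    print(f"{len(drops)} dropped DNS answers out of {len(entries)} log entries")
    for port, es in sorted(responses_by_local_port(drops).items()):
        print(f"  local port {port}: {len(es)} dropped, from "
              + ", ".join(sorted({e.src_ip for e in es})))
    print("ports retried against every resolver:", retried_to_all_resolvers(drops))
    print("answers from non-configured sources:", unexpected_sources(drops))
```

To run it against a real machine, replace SAMPLE_LOG with the contents of the log file (by default %systemroot%\System32\LogFiles\Firewall\pfirewall.log, with dropped-packet logging enabled in the firewall profile). Note that the ALLOW/SEND line in the sample only appears in real logs if logging of successful connections is switched on; with the default settings only the DROP lines are written, which is why the thread's logs show the answers but never the queries.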
  • I can confirm I am seeing the same issue with Win 7 Ent x86 SP1 with default domain firewall ruleset active.

    For me the issue is causing problems with Citrix AGEE plugin (VPN client) on very slow GPRS networks. It doesn't seem to be much of an issue if the connection is good, but I would expect the behaviour to be the same.

    I will do some more analysis & report back my findings.

    Thanks


    Douks
    Saturday, July 23, 2011 7:05 PM
  • Creating an edge traversal allow rule (for Chrome) did not help: 73 dropped DNS packets in the last 4 days:

    UDP: Remote 53 -> Local high port (>50k)

    Thank you for being able to confirm this, Douks, it's good to know I'm not the only one affected/noticing.

     

    Monday, July 25, 2011 8:34 AM
  • Hi,

    In this scenario, we may have to capture a Network Monitor trace and MPS reports for analysis. I am afraid that your issue falls into the paid support category, which requires a more in-depth level of support. Please visit the link below to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Best Regards,

    Scott Xie

    Saturday, July 30, 2011 4:16 AM