Windows 7 64bit Firewall drops incoming DNS udp packets
For several days it has seemed like DNS is failing with no responses (web pages don't load, even ping cannot resolve addresses). But my surprise was great when I found out that the actual culprit is Windows' own firewall:
2011-07-02 16:54:30 DROP UDP 8.8.4.4 192.168.0.10 53 50188 104 - - - - - - - RECEIVE
2011-07-02 16:54:31 DROP UDP 8.8.4.4 192.168.0.10 53 54141 74 - - - - - - - RECEIVE
Why is this happening? I have tried with several DNS servers: my ISP's DHCP addresses (both automatic and manual), Google DNS (currently selected), OpenDNS. No matter which one I use, the resulting log entries look like the above.
I have no idea what's causing this except a hunch about my connection's lagginess: could it be that the DNS query somehow times out, and that's why Windows Firewall doesn't permit the reply back in?
BUT, even that shouldn't theoretically happen, because I have created an extra incoming rule permitting ALL remote (any address) port 53 (remote: 53, local: any) UDP traffic in! And this is why I am exceptionally puzzled.
I have observed DNS traffic with NetMon for clues but nothing special has popped out. I am not a DNS or networking pro, so I don't know what to be on the lookout for.
Edit: the only strangeness is that the browser seems to be re-querying DNS for stuff that should already be well known, like *.facebook.com etc. But this is not just a browser problem; the whole network is affected.
Edit: Just got DNS timeouts on nslookup; the timeout was 2 seconds. Increased it to 10 seconds, still nothing happened on the first try, only the second try brought results. However, there are no dropped packets in the firewall log. Does this mean I'm suffering from an extremely laggy connection? Is there a way to increase the DNS timeout for the whole system?
Edit: NetMon shows 3 requests sent, 0 received. Firewall log shows 0 dropped.
July 2nd, 2011 10:30am
So... is it possible to relax DNS timings somewhere? Or what can I do? This only happens with higher network load, however not anywhere near max capacity (only 40-60 MB/s on a GB ethernet). Is the Windows Firewall flaky? I don't think it should ever do that.
July 3rd, 2011 4:40pm
Here it's happening again on a massive scale, and interestingly both my network and workstation are very lightly loaded (CPU <20%, network <1%, no disk I/O worth mentioning):
2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 208.67.222.222 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.4.4 192.168.0.10 53 44508 273 - - - - - - - RECEIVE
This is not all of it, just an example of how Windows Firewall can suddenly decide to drop ALL my DNS packets, making the network unusable.
July 4th, 2011 9:06am
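To look for the pattern in the excerpt above (answers from several resolvers to the same local port, all dropped within a second), here is an added Python script, not from the thread, that parses Windows Firewall log lines in the format quoted here and groups the dropped inbound port-53 UDP replies by the local port they were sent to. The embedded sample lines are constructed in that same format.

```python
import re

# Windows Firewall log (pfirewall.log) line layout, as quoted in this thread:
# date time action protocol src-ip dst-ip src-port dst-port size
# tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\S+) (?P<dport>\S+) (?P<size>\S+)"
    r"(?: \S+){7} (?P<path>\S+)$"
)

# Constructed sample excerpt in the same format as the lines quoted in the thread
# (the SEND and TCP lines are there to show that unrelated entries are ignored).
SAMPLE_LOG = """\
2011-07-04 15:56:56 DROP UDP 8.8.8.8 192.168.0.10 53 35366 229 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 8.8.4.4 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:56 DROP UDP 208.67.222.222 192.168.0.10 53 35366 245 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:56:59 DROP UDP 8.8.8.8 192.168.0.10 53 44508 321 - - - - - - - RECEIVE
2011-07-04 15:57:02 DROP UDP 8.8.8.8 192.168.0.10 53 50188 104 - - - - - - - RECEIVE
2011-07-04 15:57:03 ALLOW UDP 192.168.0.10 8.8.8.8 51000 53 60 - - - - - - - SEND
2011-07-04 15:57:03 DROP TCP 10.0.0.5 192.168.0.10 445 50001 48 S 0 0 8192 - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per well-formed log line; '#' header lines are skipped."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            m = LOG_RE.match(line)
            if m:
                yield m.groupdict()

def dropped_dns_replies(text):
    """Group dropped inbound UDP packets from remote port 53 by the local port
    they were addressed to, i.e. by the query socket waiting for the answer."""
    groups = {}
    for e in parse_log(text):
        if (e["action"], e["proto"], e["sport"], e["path"]) != ("DROP", "UDP", "53", "RECEIVE"):
            continue
        g = groups.setdefault(e["dport"], {"resolvers": set(), "count": 0, "times": []})
        g["resolvers"].add(e["src"])
        g["count"] += 1
        g["times"].append(e["date"] + " " + e["time"])
    return groups

def ports_with_repeated_drops(groups, min_replies=2):
    """Local ports that lost more than one reply: every configured resolver answered
    the same retried query, or duplicate replies arrived after the query's state was gone."""
    return sorted(p for p, g in groups.items() if g["count"] >= min_replies)
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file's contents; a port that collects replies from every configured resolver in the same second matches the excerpt in this post.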
Hi,
I would like to know if you made any changes before the issue occurred. What is your connection type? Where is your location?
Regarding the issue, I suggest you refer to the following methods for testing.
1. Reinstall the network adapter driver from the manufacturer's site.
2. Disable or reset Windows Firewall.
3. Check if any router is used. If so, update firmware and reset it.
Also please help me collect the following information for further research. Open CMD with administrator privileges and try the following commands, then paste the result here.
nslookup
server 8.8.4.4
technet.microsoft.com
Best Regards,
Niki
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 5th, 2011 10:24pm
I have not made any changes, nor run any "optimizer" (learned my lesson about the reality of these a long time ago). The connection is 100 Mb/s cable with effective throughput varying between 3-9 MB/s.
Well, it is obvious that the firewall cannot drop packets any more if it's disabled, right? Just did "Restore default policy" for Windows Firewall; will continue observing the situation. Reinstalling the driver will have to wait; there is no possibility for that now, as this machine is in production use. The router is brand new (less than 3 months old), but I don't think it can be a router problem, because this did not happen from the start, only for the last 2 weeks or so, and the router settings have not been tampered with since they were set up (and just re-checked: there is nothing regarding DNS packets there, just a plain vanilla setup). Unfortunately I cannot recall anything done in the last 2-3 weeks that would have affected the adapter/connection/DNS.
> server 8.8.4.4
Default Server: google-public-dns-b.google.com
Address: 8.8.4.4
> technet.microsoft.com
Server: google-public-dns-b.google.com
Address: 8.8.4.4
Non-authoritative answer:
Name: technet.microsoft.akadns.net
Address: 65.55.11.240
Aliases: technet.microsoft.com
So thus far the source of the problem remains a mystery. Will try to keep this topic updated when there is more information. What I would like to know is whether there is any possibility to relax DNS query timings for heavily used connections?
July 6th, 2011 4:14am