Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
Why Did ZoneAlarm Change Settings?
Refer to my screen shots. The first picture is from ZAP 2.6.362, showing the default settings for the internet zone. The second picture is from ZAP 3.0.118, showing the default settings for the internet zone. Note that in the second picture, "outgoing DNS (UDP port 53)" is checked, whereas it's unchecked in the first picture. Now, I KNOW these are the default settings, because I never changed my settings from the defaults when running these two versions of ZoneAlarm. I just installed ZAP 3.0.118, and I was using ZAP 2.6.362 for a long time. Why did ZoneLabs change the default setting for outgoing DNS? Is this a more secure, or less secure, setting?
Vampirefo Premium Member join:2000-12-11 Huntington, WV 2002-May-14 12:08 pm
I don't use ZAP, but I would say it's more secure. The option was always there, but the new version simply took the choice out of the user's hands and automatically checked it for the user.
Zupe MVM join:2001-11-29 New York, NY
to Randy Bell
I don't use ZoneAlarm either, so this may be a stupid question, but in the previous version, if "Allow Outgoing DNS" wasn't checked or allowed out to your DNS servers elsewhere, how exactly did DNS name resolving take place? To me, it would seem that you'd always need this setting unless you were allowing the DNS servers elsewhere as a trusted address, wouldn't you?
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
said by Zupe: To me, it would seem that you'd always need this setting unless you were allowing the DNS servers elsewhere as a trusted address, wouldn't you?
Zupe, I understand what you're saying, but my internet access and surfing worked under the old version, and I never had "allow outgoing DNS" checked -- as I said, I never changed from the default settings, in either version. I understand from Judgedredd that many here at DSLReports have "shot down in flames" (as he put it) the notion of placing your DNS servers in the trusted zone. One ZA user here at DSLR reported that he was losing his connection after leaving his computer unattended for a period of time (I think, while he was at work). Judgedredd suggested that he check "allow outgoing DNS", and that fixed his problem of getting disconnected.
I have a home network, and ZAP 2.6.362 (the older version) was running on my gateway computer using internet connection sharing (ICS). I noticed on one of my clients that internet surfing would stall/stop, as if the client computer was somehow losing its connection to the internet. Corresponding to that were alerts in ZAP's alert panel, indicating that DNS replies had been blocked. The explanation for this was, the DNS replies were taking too long, causing ZAP to time out, even though the ICS software running on my gateway machine had NOT timed out. My solution was to place the DNS servers in the trusted zone, so that the late DNS replies to my client computer would not be blocked. But that solution was less than ideal, since as Judgedredd said, it has been shot down here at DSLReports. Nevertheless it did fix my problem, and internet surfing on my client computers did not stall/stop anymore.
However, that solution was to prevent blockage of late INCOMING DNS responses, not outgoing DNS queries. Even though I resorted to placing the DNS servers in the trusted zone, that was to correct a problem with my CLIENT'S internet access stalling/stopping, but not with my GATEWAY internet access, which worked fine before I did that. So, this change in ZA's default settings remains a mystery to me.
Randy Bell
The only other thing I can think of is, maybe ZAP 2.6.362 (the old version) automatically detected DNS servers from your network settings, and allowed outgoing DNS (UDP port 53) only for those servers and nothing else?
Maybe other people had similar problems to the DSLR poster I mentioned, with becoming disconnected from the internet? Possibly that could be because they had dynamic DNS servers that changed from one session to the next, and ZAP didn't detect the change?
Possibly then, ZoneLabs decided in the new version to just allow all outgoing communication on UDP port 53, to fix the problem people were having with dynamic DNS servers? This seems to me to be a less secure solution, but one born from compromise with the need to maintain communication with dynamic DNS servers?
Jamming or Judgedredd, you both are veteran ZAP users. Help me out here: am I just grasping at straws, or is there a plausible explanation for the change in settings?
Jamming777$ Time Is Running Out Premium Member join:2001-07-25 USA
said by Randy Bell:
Jamming or Judgedredd, you both are veteran ZAP users. Help me out here: am I just grasping at straws, or is there a plausible explanation for the change in settings?
OK, I believe without a lot of review that you are correct that this is a fix to allow communication with Dynamic DNS Servers. However, I would like to get a more official answer, so I am referring this to Zone_Labs through my and others' Team Z Connection. I am not satisfied with my own understanding of this issue to feel completely confident of my answer.
Jamming777$
to Randy Bell
said by Zonelabs Support: Yes, due to security considerations (is my understanding), effective with 2.6.362 both ZA and ZAP no longer had outbound DHCP and DNS allowed by default.
The problem was: ZA users had *no* way to fix it. The only way to allow more access was to add the DNS servers to the trusted Local Zone.
ZAP users had the option to re-check the box - it was in Internet Zone Advanced settings. Many users did not have to change the setting, but quite a few did.
While I agree you should not give anything more access than it absolutely requires, when it comes to the ISP, I think you need to be willing to trust it a bit further than other Internet servers. In this case, if you see DHCP alerts and it affects your access, then give the DHCP server more access by checking that box - if it continues with alerts, then add it to the trusted local zone. Same goes for DNS.
BUT... if it's not affecting your access, then I would certainly not give it any more access.
This is what I was told and it makes sense to me: the reason was to allow ZA_Free to be more open, to prevent it from locking up on those who need access to DNS and DHCP assignments for their ISP, while still allowing the choice for ZAP to specify more complete protection, if that is the user's desire.
Hutchy Premium Member join:2000-10-14 australia430
to Randy Bell
Here's how my one looks. Default settings. I would presume that ZAP has detected your network and that you're running ICS, and it has configured itself to allow your machine to send DNS to all the other computers on your network. I would strongly advise you to add the network addresses to your trusted zone. I would also advise you to add your ISP's DNS servers as well. I have been getting a lot of DNS probes lately, and ZAP has blocked all the ones that do not match my trusted and Internet Zone IP addresses.
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
said by Judgedredd: Here's how my one looks. Default settings. I would presume that ZAP has detected your network and that you're running ICS, and it has configured itself to allow your machine to send DNS to all the other computers on your network. I would strongly advise you to add the network addresses to your trusted zone.
That might be right; so you're saying that my default setting differed from yours because I'm running ICS?
said by Judgedredd: I would also advise you to add your ISP's DNS servers as well. I have been getting a lot of DNS probes lately, and ZAP has blocked all the ones that do not match my trusted and Internet Zone IP addresses.
But this contradicts what you told me earlier, that the idea of adding the DNS servers to the trusted zone had been "shot down in flames" here at dslreports, to use your words. No problem, though -- because since my last post to this thread I've returned to my original ZAP 2.6.362, with the same settings as before. And with that configuration, I DID have the DNS servers in the trusted zone, to fix a problem with my clients getting disconnected because of late DNS returns. It will be interesting to hear the answer you get back from ZoneLabs. This is really confusing, isn't it? Different default "outgoing DNS" settings for two different people running the same version 3.0.118 of ZoneAlarm Pro.
Jamming777$ Time Is Running Out Premium Member join:2001-07-25 USA
to Randy Bell
I also received this later from Zone_Labs as an explanation and how to alter the settings correctly:
quote: The current versions of ZA/ZAP block outgoing DNS on port 53, and on ZAP only, also outgoing DHCP on port 67 by default. You may find that in order to gain access to the internet, or to use ICS (Internet Connection Sharing), you need to enable both of these.
For ZA users: Check your alerts; this should give you the IP addresses of the DNS servers. Try adding those servers to your trusted Local Zone.
For ZAP 2.6 users: Go to the Security, Advanced, Internet Zone Custom Settings tab. Place a check mark next to 'Allow outgoing DNS (port 53)'. If you have received any DHCP alerts, also check the box next to 'Allow outgoing DHCP (UDP port 67)'. These will be the first two options in the list.
For ZAP 3.0 users: Go to the Firewall, Main, Internet Zone Security, and click Advanced. Place a check mark next to 'Allow outgoing DNS (port 53)'. If you have received any DHCP alerts, also check the box next to 'Allow outgoing DHCP (UDP port 67)'. These will be the first two options in the list.
Close ZA/ZAP then reboot your computer.
It still does not explain everything you experienced, but it does fill in some suppositions.
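To make the two remedies discussed in this thread concrete (checking the 'Allow outgoing DNS' box versus placing the ISP's resolvers in the trusted Local Zone, together with the late-reply blocking Randy describes on his ICS gateway), here is a small model of a stateful UDP filter. It is an added example written for this page, not ZoneAlarm's own code; the reply window, the resolver address and the exact rule structure are assumptions.

```python
from dataclasses import dataclass, field

DNS_PORT = 53          # "Allow outgoing DNS (UDP port 53)"
DHCP_SERVER_PORT = 67  # "Allow outgoing DHCP (UDP port 67)"
REPLY_WINDOW = 5.0     # seconds a reply is accepted after its query; a constructed value


@dataclass
class Policy:
    allow_outgoing_dns: bool = False   # the Internet Zone check box from the thread
    allow_outgoing_dhcp: bool = False
    trusted: set = field(default_factory=set)  # IPs placed in the trusted Local Zone


@dataclass
class Firewall:
    policy: Policy
    pending: dict = field(default_factory=dict)  # (peer_ip, peer_port) -> time query left

    def outbound(self, dst_ip, dst_port, now):
        """Decide on a UDP packet leaving the gateway and remember it to match the reply."""
        permitted = (dst_ip in self.policy.trusted
                     or (dst_port == DNS_PORT and self.policy.allow_outgoing_dns)
                     or (dst_port == DHCP_SERVER_PORT and self.policy.allow_outgoing_dhcp))
        if permitted:
            self.pending[(dst_ip, dst_port)] = now
        return "allow" if permitted else "block"

    def inbound(self, src_ip, src_port, now):
        """Decide on a UDP packet arriving from the Internet Zone."""
        if src_ip in self.policy.trusted:
            return "allow"                 # trusted zone: accepted without any state
        sent = self.pending.get((src_ip, src_port))
        if sent is not None and now - sent <= REPLY_WINDOW:
            return "allow"                 # reply to a query we saw, arriving in time
        return "block"                     # unsolicited or late reply: the alert Randy saw


def dns_lookup(allow_dns, trust_server, reply_delay):
    """Send one DNS query to a constructed resolver and return (outbound, inbound) verdicts."""
    resolver = "192.0.2.53"  # documentation address, not a real ISP resolver
    policy = Policy(allow_outgoing_dns=allow_dns, trusted={resolver} if trust_server else set())
    fw = Firewall(policy)
    out = fw.outbound(resolver, DNS_PORT, now=0.0)
    if out == "block":
        return out, "no query sent"
    return out, fw.inbound(resolver, DNS_PORT, now=reply_delay)


if __name__ == "__main__":
    print("box unchecked, default:   ", dns_lookup(False, False, 1.0))  # ('block', 'no query sent')
    print("box checked, prompt reply:", dns_lookup(True, False, 1.0))   # ('allow', 'allow')
    print("box checked, late reply:  ", dns_lookup(True, False, 8.0))   # ('allow', 'block')
    print("resolver trusted, late:   ", dns_lookup(False, True, 8.0))   # ('allow', 'allow')
```

The third and fourth cases show why the check box alone did not cure the stalling clients: only the trusted-zone entry accepts a reply that arrives after the state entry has expired.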
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
Thanks Jamming. If ZAP 3.0 didn't change the "outgoing DNS" setting to allow for dynamic DNS servers, the other plausible explanation is Judgedredd's suggestion, that when I configured ZAP 3.0 for ICS, it defaulted to ALLOW "outgoing DNS" for my configuration. Internet sharing was working fine while I had ZAP 3.0.118 running on my ICS gateway; I thoroughly tested it on my clients, no problems. Since returning to ZAP 2.6.362, I have my old settings back, where "outgoing DNS (UDP port 53)" is denied on the gateway computer, but the DNS servers of my ISP are entered in the Local Zone, to avoid the prior problem of my client computers getting disconnected. Works great!! This was a mystery to me, that I wanted to post here, to see what the ZoneAlarm gurus like yourself and Judgedredd had to say. I'm satisfied now that it probably has to do with ICS, and how the different versions of ZAPro default to different settings on computers running ICS. Thanks for your contributions to this thread!! Thanks to Judgedredd too!!
Jamming777$ Time Is Running Out Premium Member join:2001-07-25 USA
I think Judgedredd is probably correct in that the firewall application detected what you were running and chose the default setting based upon what applications... then I began thinking what are your choices with the Advanced button on the Firewall page; these are mine.
to Randy Bell
I have ZAP 3.0.18 and mine is not checked, but I do not use ICS. I have IDSL with dynamic IP. After reading through all of this, though, I am going to check it and re-boot as suggested. That may change some of the blocked outgoing that I use and save me from putting each one in separately.
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
to Jamming777$
said by Jamming777: I think Judgedredd is probably correct in that the firewall application detected what you were running and chose the default setting based upon what applications... then I began thinking what are your choices with the Advanced button on the Firewall page; these are mine.
As I said to Judgedredd, since starting this thread I have gone back to ZAP 2.6.362, and here are its settings, which were essentially the same in ZAP 3.0.118 also. With both versions, when you walk through the installation tutorial, it gives you a chance to specify that you are on an ICS gateway -- you just need to say YES, and then enter the address of your ICS gateway, and you're done. That's all I did when installing either version.
Jamming777$ Time Is Running Out Premium Member join:2001-07-25 USA
to Randy Bell
Well, at least it explains why yours and mine are different. You have ICS and I do not.
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
said by Jamming777: Well, at least it explains why yours and mine are different. You have ICS and I do not.
Yes, under both versions (see my screen shots in the first post of this thread), I was running ICS on this gateway computer. Actually, I've been running ICS for a couple of years now, with a home network.
I wish I could get ZAP 3.0.118 to run well on my system. I'm running Win98SE on this gateway computer. My two clients run Win98SE and Win95C, respectively. Three times I've tried ZAP 3.0, and every time I've decided to return to ZAP 2.6.362. Component control in ZAP 3.0 consumes too many resources and adds to bootup time -- it makes ZAP 3.0 downright noisy when it boots up, looking all over your drives for components. Also, I use AdSubtract Pro for privacy, so I always ran ZAP 3.0 with the privacy features disabled. I figure that, if I'm going to disable component control and privacy features, then there's no real advantage to running ZAP 3.0 on my system right now. ZAP 2.6.362 does just as good a job, and without consuming so many resources. I still hope that I can upgrade ZAP at a later date. I had one other annoying issue, with the auto-hide feature of the taskbar not working properly with ZAP 3.0 running. Until I get a new monitor, I like the extra viewing space available when I hide my taskbar. It just isn't worth it to me to continue with ZAP 3.0 at this time. I did make a backup of my internet log files for ZAP 3.0, so I won't have to start from scratch in case I change my mind again and decide to reinstall ZAP 3.0.