Closed
Bug 238217
Opened 20 years ago
Closed 20 years ago
Windows Firewall from SP2 preview kills DNS lookups
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: elreydetodo, Assigned: bugzilla)
Details
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040321 Firefox/0.8.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040321 Firefox/0.8.0+ After installing the Windows XP Service Pack 2 technical preview, I noticed that many of my DNS lookups in Firefox were failing. After some checking I determined that the reason is that the new Windows Firewall blocks all ICMP traffic by default and it seems that Firefox relies more on ICMP responses than it probably should. None of my other applications are affected by this (i.e. Internet Explorer and eMule and AIM), but Thunderbird also is. To fix the problem all you need to do is enable ICMP traffic, but telling new users they need to modify their firewall settings is not really a good solution to the problem. I havn't checked to see which ICMP type is actually causing the problem, I just enabled all of them. This is something that will need to be fixed before the final release of SP2 if possible to prevent confusion. information about Windows XP Service Pack 2 Technical Preview can be found here: http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx Reproducible: Sometimes Steps to Reproduce: 1. Install WinXP SP2 preview 2. Open Firefox and tell the firewall to allow the program to connect 3. Begin browsing sites (bugzilla.mozilla.org didn't work for me) Actual Results: DNS lookup fails. Expected Results: DNS lookup should succeed and page should load.
Comment 1•20 years ago
|
||
Can anyone please check whether Mozilla1.7b is affected, too ? If yes this issue should block mozilla1.7.
Comment 2•20 years ago
|
||
on WinXP, mozilla is simply calling getaddrinfo. reporter: i know this may sound odd, but do you have IPv6 enabled on your system?
Comment 3•20 years ago
|
||
Martin, how long does it take before the DNS lookup fails? Does it fail
immediately or does it time out?
Also, can you try to compile and run the C program in attachment 142115 [details], which
mimics Mozilla's name lookups from the command line? It should aid in debugging.
If it doesn't compile cleanly, change:
hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
to
hints.ai_flags = AI_CANONNAME;
If you don't have a compiler I can provide a compiled version if you like.
Reporter | ||
Comment 4•20 years ago
|
||
I think I might need a compiled version if you can provide one. Also, does anyone know how I can clear my computer's DNS cache? It's difficult to find another site that has this problem becasue once I've successfully visited the site it is no longer affected by the problem. I tried to determine which ICMP type needed to be enabled, but it seems to take several minutes for the firewall settings to take effect and so I'm not sure which one actually made it work properly. Would it help if I sent a list of all the types on the list? Timeouts on the lookups seem to take about 15 seconds I think. This is just an estimation. It seems like the program is not receiving a response from the DNS server. I have had this problem loading these pages so far: www.microsoft.com bugzilla.mozilla.org pinzon.admin.wpi.edu www.jdennis.net
Comment 5•20 years ago
|
||
(In reply to comment #4) > I think I might need a compiled version if you can provide one. I would send it to you now, but my Windows box seems to be dead so I can't. > Also, does anyone know how I can clear my computer's DNS cache? Try ipconfig /flushdns . Or try stopping the DNS cache altogether with net stop dnscache. > I tried to determine which ICMP type needed to be enabled, but it seems > to take several minutes for the firewall settings to take effect and so > I'm not sure which one actually made it work properly. You could try downloading Ethereal for Windows ( http://www.ethereal.com/ ) and creating a packet dump. If you post it here or mail it to me I can try to see exactly what is going wrong. > I have had this problem loading these pages so far: > www.microsoft.com > bugzilla.mozilla.org > pinzon.admin.wpi.edu > www.jdennis.net When I post the .exe, can you try it on these sites after a clean boot and see what happens? Also try it on sites that /do/ work so we can see the difference.
Comment 6•20 years ago
|
||
Comment 7•20 years ago
|
||
This test program will call getaddrinfo() on the host specified on the command line and output the results. It should work in the same way as mozilla's name lookup code. Reporter, can you run this on a few working and a few non-working sites and let me know how it behaves?
Reporter | ||
Comment 8•20 years ago
|
||
I'm afraid I can't find anymore sites that won't load. Several Windows Updates have been installed since I reported this bug; I uninstalled them hoping to revert to the original SP2 configuration but with no luck. Here's what I have tried: - All updates I had installed for SP2 have been removed - I have flushed my DNS cache and turned off (temporarily after each reboot) DNS caching service - I have tried to get ethereal working but it can't seem to list my network adapters (insufficient memory? I think not) - All types of ICMP are unselected (not allowed) in my Windows Firewall config With all these things DNS is succeeding with every lookup now. If this was something fixed by a Windows Update then I don't think it's anything to worry about as that update will probably be included with the final release. If not, I can't seem to recreate the problem short of uninstalling SP2 and reinstalling it again. That seemed to work with all prior betas of SP2 (I uninstalled 2 of them becasue they made my computer unstable and this problem came back each time I tried a new beta release). Has anyone else tried the SP2 Tech Preview? I'm curious to know if anyone else has possibly seen this problem. I should also point out that the DNS lookups may have been cached by either my broadband router or my ISP's DNS server, both of which are in the line of my DNS lookups. I don't know how long it will take for DNS caches there to expire. For now I think we should leave this as unconfirmed unless someone wants to volunteer to install SP2. Otherwise I'll just wait a few days and see if I can reproduce the problem ever again.
Reporter | ||
Comment 9•20 years ago
|
||
Well, it didn't take too long. Based on this set of tests it seems that this problem should plague everything which uses the Windows DNS lookup call. Both ping and Internet Explorer failed to look up cgi2.ebay.com and www.weatherunderground.com until I enabled ICMP again, so Microsoft will probably have to fix whatever is wrong as it doesn't seem to be a Firefox issue. This bug should probably be changed to WONTFIX. -- BEGIN SCRIPT -- C:\Documents and Settings\Martin Meyer\Desktop>test-gai-canon cgi2.ebay.com Unknown host cgi2.ebay.com C:\Documents and Settings\Martin Meyer\Desktop>ping cgi2.ebay.com Ping request could not find host cgi2.ebay.com. Please check the name and try ag ain. C:\Documents and Settings\Martin Meyer\Desktop>nslookup *** Can't find server name for address 192.168.0.1: Non-existent domain *** Default servers are not available Default Server: UnKnown Address: 192.168.0.1 > cgi2.ebay.com Server: UnKnown Address: 192.168.0.1 Non-authoritative answer: Name: cgi2.ebay.com Addresses: 66.135.194.30, 66.135.210.28, 66.135.210.30, 66.135.194.28 > exit C:\Documents and Settings\Martin Meyer\Desktop>ping cgi2.ebay.com Ping request could not find host cgi2.ebay.com. Please check the name and try ag ain. -- END SCRIPT --
Comment 10•20 years ago
|
||
It's probably a problem specific to your network. For example, if (unlikely) you depend on ICMP redirects to reach your nameserver, blocking them will stop lookups from working. There can be many issues with blocking ICMP packets, like MTU problems and, etc. etc. I suggest you run Ethereal and see why these ICMP packets are being generated. I can help you with this if you like. Resolving INVALID since it's not a bug in mozilla.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•