Windows Firewall from SP2 preview kills DNS lookups

RESOLVED INVALID

Firefox
General
15 years ago
10 years ago

People

(Reporter: Martin Meyer, Assigned: Blake Ross)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040321 Firefox/0.8.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040321 Firefox/0.8.0+

After installing the Windows XP Service Pack 2 technical preview, I noticed that
many of my DNS lookups in Firefox were failing.  After some checking I
determined that the reason is that the new Windows Firewall blocks all ICMP
traffic by default and it seems that Firefox relies more on ICMP responses than
it probably should.

None of my other applications are affected by this (i.e. Internet Explorer and
eMule and AIM), but Thunderbird also is.

To fix the problem all you need to do is enable ICMP traffic, but telling new
users they need to modify their firewall settings is not really a good solution
to the problem.

I haven't checked to see which ICMP type is actually causing the problem; I just
enabled all of them.  This is something that will need to be fixed before the
final release of SP2 if possible to prevent confusion.

Information about Windows XP Service Pack 2 Technical Preview can be found here:
http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

Reproducible: Sometimes
Steps to Reproduce:
1. Install WinXP SP2 preview
2. Open Firefox and tell the firewall to allow the program to connect
3. Begin browsing sites (bugzilla.mozilla.org didn't work for me)

Actual Results:  
DNS lookup fails.

Expected Results:  
DNS lookup should succeed and page should load.

Comment 1

15 years ago
Can anyone please check whether Mozilla1.7b is affected, too? If yes this issue
should block mozilla1.7.

Comment 2

15 years ago
On WinXP, Mozilla is simply calling getaddrinfo.

Reporter: I know this may sound odd, but do you have IPv6 enabled on your system?

Comment 3

14 years ago
Martin, how long does it take before the DNS lookup fails? Does it fail
immediately or does it time out?

Also, can you try to compile and run the C program in attachment 142115, which
mimics Mozilla's name lookups from the command line? It should aid in debugging.
If it doesn't compile cleanly, change:

hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;

to

hints.ai_flags = AI_CANONNAME;

If you don't have a compiler I can provide a compiled version if you like.
(Reporter)

Comment 4

14 years ago
I think I might need a compiled version if you can provide one.  Also, does
anyone know how I can clear my computer's DNS cache?  It's difficult to find
another site that has this problem because once I've successfully visited the
site it is no longer affected by the problem.  I tried to determine which ICMP
type needed to be enabled, but it seems to take several minutes for the firewall
settings to take effect and so I'm not sure which one actually made it work
properly.  Would it help if I sent a list of all the types on the list?

Timeouts on the lookups seem to take about 15 seconds I think.  This is just an
estimation.  It seems like the program is not receiving a response from the DNS
server.

I have had this problem loading these pages so far:
www.microsoft.com
bugzilla.mozilla.org
pinzon.admin.wpi.edu
www.jdennis.net

Comment 5

14 years ago
(In reply to comment #4)
> I think I might need a compiled version if you can provide one.

I would send it to you now, but my Windows box seems to be dead so I can't.

> Also, does anyone know how I can clear my computer's DNS cache?

Try ipconfig /flushdns . Or try stopping the DNS cache altogether with net stop
dnscache.

> I tried to determine which ICMP type needed to be enabled, but it seems
> to take several minutes for the firewall settings to take effect and so
> I'm not sure which one actually made it work properly.

You could try downloading Ethereal for Windows ( http://www.ethereal.com/ ) and
creating a packet dump. If you post it here or mail it to me I can try to see
exactly what is going wrong.

> I have had this problem loading these pages so far:
> www.microsoft.com
> bugzilla.mozilla.org
> pinzon.admin.wpi.edu
> www.jdennis.net

When I post the .exe, can you try it on these sites after a clean boot and see
what happens? Also try it on sites that /do/ work so we can see the difference.

Comment 6

14 years ago
Created attachment 144559
Test program source (windows-only)

Comment 7

14 years ago
Created attachment 144561
Test program compiled for Windows

This test program will call getaddrinfo() on the host specified on the command
line and output the results. It should work in the same way as Mozilla's name
lookup code.

Reporter, can you run this on a few working and a few non-working sites and let
me know how it behaves?
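
The lookup described in comment 7, as an added example that is not attachment 144559 or any other code from this bug: a POSIX C probe that calls getaddrinfo() and records the return code and the time spent in the call, which is what comment 3 asks about (immediate failure versus timeout). `probe_host` and `struct probe` are hypothetical names; a Winsock build would also need WSAStartup().

```c
/* Added example, not attachment 144559. POSIX build; names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/socket.h>
#include <netdb.h>

struct probe {
    int  rc;          /* getaddrinfo() return code, 0 on success */
    long ms;          /* time spent inside the call */
    int  naddr;       /* number of addresses returned */
    char first[64];   /* first address in numeric form */
    char canon[256];  /* canonical name, if one was returned */
};

/* Resolve host through the system resolver and time the call. */
struct probe probe_host(const char *host, int flags)
{
    struct probe p = {0};
    struct addrinfo hints = {0}, *res = NULL, *ai;
    struct timespec t0, t1;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;   /* one entry per address, not per socket type */
    hints.ai_flags = flags;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    p.rc = getaddrinfo(host, NULL, &hints, &res);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    p.ms = (t1.tv_sec - t0.tv_sec) * 1000L + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
    if (p.rc != 0)
        return p;                      /* p.ms separates instant failure from timeout */
    if (res->ai_canonname)
        snprintf(p.canon, sizeof p.canon, "%s", res->ai_canonname);
    getnameinfo(res->ai_addr, res->ai_addrlen, p.first, sizeof p.first,
                NULL, 0, NI_NUMERICHOST);
    for (ai = res; ai != NULL; ai = ai->ai_next) p.naddr++;
    freeaddrinfo(res);
    return p;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        /* Flags as quoted in comment 3 of this bug. */
        struct probe p = probe_host(argv[i], AI_CANONNAME | AI_ADDRCONFIG);
        printf("%s: %s, %d addr, first=%s canon=%s, %ld ms\n", argv[i],
               p.rc ? gai_strerror(p.rc) : "ok", p.naddr, p.first, p.canon, p.ms);
    }
    return 0;
}
```

Running it on a working and a non-working host name, with the firewall's ICMP setting toggled between runs, gives the return code and latency for each case side by side.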
(Reporter)

Comment 8

14 years ago
I'm afraid I can't find any more sites that won't load.  Several Windows Updates
have been installed since I reported this bug; I uninstalled them hoping to
revert to the original SP2 configuration but with no luck.

Here's what I have tried:

- All updates I had installed for SP2 have been removed
- I have flushed my DNS cache and turned off (temporarily after each reboot) DNS
caching service
- I have tried to get Ethereal working but it can't seem to list my network
adapters (insufficient memory? I think not)
- All types of ICMP are unselected (not allowed) in my Windows Firewall config

With all these things DNS is succeeding with every lookup now.  If this was
something fixed by a Windows Update then I don't think it's anything to worry
about as that update will probably be included with the final release.  If not,
I can't seem to recreate the problem short of uninstalling SP2 and reinstalling
it again.  That seemed to work with all prior betas of SP2 (I uninstalled 2 of
them because they made my computer unstable and this problem came back each time
I tried a new beta release).

Has anyone else tried the SP2 Tech Preview?  I'm curious to know if anyone else
has possibly seen this problem.  I should also point out that the DNS lookups
may have been cached by either my broadband router or my ISP's DNS server, both
of which are in the line of my DNS lookups.  I don't know how long it will take
for DNS caches there to expire.

For now I think we should leave this as unconfirmed unless someone wants to
volunteer to install SP2.  Otherwise I'll just wait a few days and see if I can
reproduce the problem ever again.
(Reporter)

Comment 9

14 years ago
Well, it didn't take too long.  Based on this set of tests it seems that this
problem should plague everything which uses the Windows DNS lookup call.  Both
ping and Internet Explorer failed to look up cgi2.ebay.com and
www.weatherunderground.com until I enabled ICMP again, so Microsoft will
probably have to fix whatever is wrong as it doesn't seem to be a Firefox issue.

This bug should probably be changed to WONTFIX.

-- BEGIN SCRIPT --

C:\Documents and Settings\Martin Meyer\Desktop>test-gai-canon cgi2.ebay.com
Unknown host cgi2.ebay.com

C:\Documents and Settings\Martin Meyer\Desktop>ping cgi2.ebay.com
Ping request could not find host cgi2.ebay.com. Please check the name and try ag
ain.

C:\Documents and Settings\Martin Meyer\Desktop>nslookup
*** Can't find server name for address 192.168.0.1: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.0.1

> cgi2.ebay.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    cgi2.ebay.com
Addresses:  66.135.194.30, 66.135.210.28, 66.135.210.30, 66.135.194.28

> exit

C:\Documents and Settings\Martin Meyer\Desktop>ping cgi2.ebay.com
Ping request could not find host cgi2.ebay.com. Please check the name and try ag
ain.

-- END SCRIPT --

Comment 10

14 years ago
It's probably a problem specific to your network. For example, if (unlikely) you
depend on ICMP redirects to reach your nameserver, blocking them will stop
lookups from working.

There can be many issues with blocking ICMP packets, like MTU problems, etc.
I suggest you run Ethereal and see why these ICMP packets are being
generated. I can help you with this if you like.

Resolving INVALID since it's not a bug in mozilla.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID