Jump to content
Not connected, Your IP: 3.16.76.102
Sign in to follow this  
dogeyes7

Comodo and dns

Recommended Posts

Hi..

I'm having another bash at setting up comodo to fix the dns issue,the 2 things that are puzzling me most is how to determine or create the network zone of your tap win 32 network adaptor and also how to add airvpn to my host file(I'm on win7)

I've setup all the global rule stuff and I think I will finally get my head around the router dns/dhcp stuff,it's the network zone thing that's stumping me...

I will be using the air client,I think I know how to do rule 13 on the sticky..

Thanks all for your patience,I know this question must be grating on the people who are experts on this kinda stuff,but I guess if you don't ask you don't get:.)

Cheers D

Share this post


Link to post

Hi..

I'm having another bash at setting up comodo to fix the dns issue,the 2 things that are puzzling me most is how to determine or create the network zone of your tap win 32 network adaptor and also how to add airvpn to my host file(I'm on win7)

Hello!

You can safely define that network zone with the following IP range: [10.4.0.0 - 10.9.255.255]. Please note that this is an IP range, not an IP/NetMask. You can discern in Comodo an IP range from an IP/NetMask: the first has the "-" symbol, the latter the "/" symbol, according to CIDR notation.

Please see here if you're curious:

https://airvpn.org/specs

About the hosts file: launch a text editor (for example NotePad) with administrator privileges. Open the hosts file and add the following line:

85.17.207.151 airvpn.org

Save the file and quit the text editor.

The name of the file is simply "hosts" and the path to it is (on a default Win7 installation):

C:\Windows\system32\drivers\etc

Please do not hesitate to contact us for any information or further support.

Kind regards

Share this post


Link to post

I'm defeated,just can't get it to work,nevermind,at least I've still got my good old faithful dns leak free Linux setup lol.

Cheers D

Share this post


Link to post

In Comodo, the Network Zones are defined under Comodo Firewall -> Network Security Policy -> Network Zones. Once you have this window open, click on Add -> a new Network Zone. Then you will be prompted to input a name for the zone. You can type AirVPN, for example. Then the zone "AirVPN" will appear in the list of network zones. Below it will be an entry reading "(add addresses here)". Right-click on that entry and choose "Add...", then select "IPv4 Address Range", and then you can enter the "Start IP" and the "End IP". If the zone is for AirVPN, then type 10.4.0.0 as the start IP, and 10.9.255.255 as the end IP.

In the Global Rules, you can then choose this Zone when defining where a Rule should apply. Actually you said in an earlier post that you already defined the correct Global Rules without having defined the Network Zones before. This is strange, since then you won't be able to select the appropriate Zone when defining a global rule.

Share this post


Link to post

Hi,

On rule 11 It says that if my router acts as a DNS server, performs DHCP DNS push and your physical network is configured to accept the DNS push from the router, in order to prevent any DNS leak replace the above rule with: and the bit I'm stuck with is the destination port not 53,so what do I put here...I guess any would be wrong,there's also port range,a set of ports or a single port.

I really thought I'd got this beat today,I managed to set everything up as listed,but when I connected to airvpn client it connected ok but my ip was visible and also dns leaking,hence I guess I need to try the extra step in rule 11.

To be honest I have no idea weather my router is as described above.

I'm so close to getting this fixed...

Cheers D

Share this post


Link to post

Hi,

On rule 11 It says that if my router acts as a DNS server, performs DHCP DNS push and your physical network is configured to accept the DNS push from the router, in order to prevent any DNS leak replace the above rule with: and the bit I'm stuck with is the destination port not 53,so what do I put here...I guess any would be wrong,there's also port range,a set of ports or a single port.

I really thought I'd got this beat today,I managed to set everything up as listed,but when I connected to airvpn client it connected ok but my ip was visible and also dns leaking,hence I guess I need to try the extra step in rule 11.

To be honest I have no idea weather my router is as described above.

I'm so close to getting this fixed...

Cheers D

Hello!

When you define that rule, in the "Destination Port" tab of the Network Control Rule just select "A Single Port", specify 53, and tick the "Exclude" box (i.e. the "NOT" Comodo operator).

Please note that your real IP address must NOT be visible, regardless of Comodo usage or not, when you're connected to a VPN server. Please send us your client logs if you have this problem.

Kind regards

Share this post


Link to post

Hi,

Regarding my ip address being visible,it was a mistake on my behalf with one of the rules I set,I tweaked it and my ip address is now hidden,but the Dns leak issue I've been suffering was still present.

Yesterday evening though I found a solution to my long standing dns leak problem thank goodness?...

I'll just run it by you to see what you think,but it has stopped all my dns leaking..

I'd setup up the The windows/comodo rules as instructed,but no success,so I then did this rule as instructed if the above rules weren't working 11a) If your router acts as a DHCP server, allow DHCP "negotiation":

Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any.

Again no success,my ip address was hidden,but I was still leaking dns.

So I went to start on my comp,typed in cmd to open a terminal,I typed in ipconfig/all and had a look at the various stats etc etc..

There was a single ip address line belonging to my dhcp server,so I noted it down.

I then opened comodo,network Security policy and then clicked blocked zones.

I then clicked add,and then add a single address,I proceeded to add the dhcp address I'd noted down earlier from the terminal,I saved and exited comodo.

I then opened air,through the client which I prefer over the openVPN GUI,and went to dnsleaktest.com...no leaks reported,brilliant.

I tested it for an hour or so but every visit to dnsleaktest.com was reporting no leaks.

Just to confirm I then removed the rule in the block zone I'd setup and reconnected to airvpn,made my way to dnsleaktest.com and BANG I was leaking dns again.

Obviously setting this rule has one minor downside,when I disconnect from airvpn I cannot access the Internet until I remove the rule in the block zone,but to be perfectly honest it takes less then a minute to switch between airvpn/removing the rule/then connecting to the Internet through my own ISP..and vice versa when I want to connect to airvpn,just add the rule in the block zone.

Just wondering is this method Im using ok/safe/secure? Would like your opinion on it please.

Also maybe this could help someone else who's having similar problems to myself.

It certainly seems that it's a DHCP issue that's causing my leaks.

One more thing on a diffrent issue,as stated above I prefer to use the airvpn client when connecting to airvpn,One of the things you say we should do is: 12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line 85.17.207.151 airvpn.org.

Could you just explain why this needs to be done,is it optinal or a must do,if I want to use the client,always thought interfering with the host file was dangerous,but hey I'm a novice so always willing to learn

Share this post


Link to post

Hi,Just wondering is this method Im using ok/safe/secure? Would like your opinion on it please.

Hello!

You have probably blocked communications with your DHCP server. If so, this method has another significant side effect besides the ones you noticed, which may be good or annoying according to your tastes, that is your computer will not be able to get any connectivity at the boot (it will not even be able to connect to your router), because it can't communicate with any DHCP server.

If you don't like this, you can anyway set a suitable static IP address for your computer network adapter. Make sure that you pick it inside your home net IP range and that it does not overlap with any other address in the network.

Generally speaking, be aware that this method does not necessarily prevent DNS leaks, so if you set a static IP and static DNS servers to render DHCP pushes superfluous, re-check carefully for these leaks while you're connected to the VPN.

One more thing on a diffrent issue,as stated above I prefer to use the airvpn client when connecting to airvpn,One of the things you say we should do is: 12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line 85.17.207.151 airvpn.org.

Could you just explain why this needs to be done,is it optinal or a must do,if I want to use the client,always thought interfering with the host file was dangerous,but hey I'm a novice so always willing to learn

Yes, it is necessary because the Air client needs to resolve airvpn.org in order to handle the login, display the list of servers and download files before giving control to OpenVPN. But with the recommended Comodo rules we have blocked DNS queries outside the tunnel. And the tunnel is not yet existing. So we need to allow "airvpn.org" resolution internally, that is exactly the purpose of the hosts file on any system.

Playing with the hosts file is not dangerous, as long as you know what you're doing. On the contrary it becomes an extremely dangerous issue if some malware is playing with your hosts file, because it can hijack your connections (you type a hostname, you think you are accessing a certain service or website, while in reality you're on a fake one). So having a look at the hosts file after all is beneficial, not dangerous.

Kind regards

Share this post


Link to post

Thanks for your thoughts on this method...

You say:::You have probably blocked communications with your DHCP server. If so, this method has another significant side effect besides the ones you noticed, which may be good or annoying according to your tastes, that is your computer will not be able to get any connectivity at the boot (it will not even be able to connect to your router), because it can't communicate with any DHCP server...

But if I remove the rule from the block zone before I switch of my computer then connectivity will be fine when I reboot my computer wouldn't it?.

Also you say:::If you don't like this, you can anyway set a suitable static IP address for your computer network adapter. Make sure that you pick it inside your home net IP range and that it does not overlap with any other address in the network...

And then you add:::Generally speaking, be aware that this method does not necessarily prevent DNS leaks, so if you set a static IP and static DNS servers to render DHCP pushes superfluous, re-check carefully for these leaks while you're connected to the VPN...

Can I just confirm with you though that if I stick with my original method of adding the dhcp address to the block zone there would be NO chance of any dns leaks whilst using airvpn?

Also thanks for your detailed explanation on the host file,much appreciated.

I'm going to be doing a full reinstall of windows later,so I can set everything up fresh,I'm obviously going to be installing comodo firewall,is there any chance you could recommend a decent free/paid for Antivirus to complete my comps protection,I'd really appreciate it.

Thanks for providing a great service this support forum is fantastic

Cheers D

Share this post


Link to post

Thanks for your thoughts on this method...

But if I remove the rule from the block zone before I switch of my computer then connectivity will be fine when I reboot my computer wouldn't it?.

Hello!

Yes, of course.

In case of problems, you can also rely on switching Comodo back to "Safe Mode" or disable it completely. Also, the Firewall Event Logs are very useful for troubleshooting, in order to check whether Comodo is blocking something that you meant not to be blocked (just enable the logging for every block rule).

And then you add:::Generally speaking, be aware that this method does not necessarily prevent DNS leaks, so if you set a static IP and static DNS servers to render DHCP pushes superfluous, re-check carefully for these leaks while you're connected to the VPN...

Can I just confirm with you though that if I stick with my original method of adding the dhcp address to the block zone there would be NO chance of any dns leaks whilst using airvpn?

If your DHCP server IP address coincides with all the DNS IP addresses configured/pushed for your computer physical network card(s) (you should check this both for primary and secondary DNS) and your DHCP server is your router then your computer will suffer no DNS leaks.

I'm going to be doing a full reinstall of windows later,so I can set everything up fresh,I'm obviously going to be installing comodo firewall,is there any chance you could recommend a decent free/paid for Antivirus to complete my comps protection,I'd really appreciate it.

 

We're sorry, we're not in the position to suggest an antivirus. The first thing you should check is the compatibility of an antivirus with Comodo. Some antivirus for Windows come in suites which might conflict with Comodo Defense+ and/or firewall. According to our experience we highly recommend both Comodo Firewall and Comodo Defense+ so it may be desirable to pick an antivirus that runs nicely with them. Comodo lets you run programs in a sandbox and Defense+ set to "Paranoid Mode" is a good defense for a Windows system. Comodo Antivirus obviously does not conflict, but we don't know anything about its effectiveness.

Thanks for providing a great service this support forum is fantastic

Cheers D

Thank you! This forum is getting more and more interesting thanks to a fantastic community.

Kind regards

Share this post


Link to post

Hi just a quick question,

Do the rules that you apply in comodo after the total global block rule have to be in any particular order,or can you just put them anywhere,as long as there before the global block rule?

Let's say within the global rule whitelist you have: Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any

And then the next part to that rule :Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any is separated by other rules you have created,would it make any difference?

Cheers D

Share this post


Link to post

Hi just a quick question,

Do the rules that you apply in comodo after the total global block rule have to be in any particular order,or can you just put them anywhere,as long as there before the global block rule?

Hello!

You can put them anywhere as long as they are above the block rule, as you correctly write, because Comodo (like many other firewalls) evaluates rules from top to bottom.

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...