Results 1 to 4 of 4

Thread: ZoneAlarm ISS blocks DNS queries over IPv6

Hybrid View

  1. #1
    Join Date
    Oct 2013
    Posts
    2

    Angry ZoneAlarm ISS blocks DNS queries over IPv6

    Summary: ZoneAlarm Internet Security Suite 11.0.780.0 blocks DNS outbound clients ("nslookup", "dig", etc.) requests to a DNS Server (when using an IPv6 address for the server), causing failure of DNS name server lookups.
    When I completely uninstall ZoneAlarm ISS, the DNS queries over IPv6 start working properly.
    This problem occurs both when all ZA ISS subsystems are "ON", or when
    - Advanced Firewall is "OFF", and
    - Antivirus & Anti-spyware is "OFF", and
    - Application Control is "OFF".
    This causes severe problems when my ISP sends the IPv6 addresses for their DNS servers via DHCP.
    When I use IPv4 server addresses, everything works properly with and without ZA ISS.
    Other virtual and physical machines on this network (which do not have ZoneAlarm ISS) are behaving properly.
    I tried many different approaches to get this to work, none suceeded.
    I used Microsoft Network Monitor 3.4 to watch the IP traffic. With ZA ISS installed, I see no DNS Query packet from my PC. With ZA ISS uninstalled, I see the correct packets.
    =============
    == DETAILS:
    =============
    Machine: Window 7 Ultimate x64 SP1

    ZoneAlarm Security Suite version: 11.0.780.000
    ZoneAlarm license key: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Vsmon version: 11.0.780.000
    Driver version: 11.0.764.000
    Antivirus engine version: 8.3.1.6
    Antivirus signature DAT file version: 1129209376
    AntiSpam version: 6.3.1.4973
    Network configuration: PC Ethernet NIC -> Ethernet cable -> Router/Switch -> Cable Modem -> ISP
    IPv6 Dual stack is configured on my Windows PC, my network routers, and my ISP (Comcast). Both IPv6 and IPv4 traffic flows properly.
    ===================
    Firewall Settings -> Advanced -> Network setting, Enable IPv6 networking is checked
    This occurs even when ZA ISS has
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>pin g -6 2001:558:feed::1
    Pinging 2001:558:feed::1 with 32 bytes of data:
    Reply from 2001:558:feed::1: time=18ms
    Reply from 2001:558:feed::1: time=14ms
    Reply from 2001:558:feed::1: time=15ms
    Reply from 2001:558:feed::1: time=13ms
    Ping statistics for 2001:558:feed::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 18ms, Average = 15ms
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>


    ==========================
    == EXAMPLE 1: test using "nslookup"
    ==========================
    C:\Users\Peter>nslookup
    Default Server: cdns01.comcast.net
    Address: 75.75.75.75
    > www.google.com
    Server: cdns01.comcast.net
    Address: 75.75.75.75
    Non-authoritative answer:
    Name: www.google.com
    Addresses: 2607:f8b0:400f:801::1013
    74.125.225.209
    74.125.225.211
    74.125.225.208
    74.125.225.210
    74.125.225.212
    > cdns01.comcast.net
    Server: cdns01.comcast.net
    Address: 75.75.75.75
    Non-authoritative answer:
    Name: cdns01.comcast.net
    Addresses: 2001:558:feed::1
    75.75.75.75
    > cdns02.comcast.net
    Server: cdns01.comcast.net
    Address: 75.75.75.75
    Non-authoritative answer:
    Name: cdns02.comcast.net
    Addresses: 2001:558:feed::2
    75.75.76.76
    > server 75.75.76.76
    Default Server: cdns02.comcast.net
    Address: 75.75.76.76
    > www.google.com
    Server: cdns02.comcast.net
    Address: 75.75.76.76
    Non-authoritative answer:
    Name: www.google.com
    Addresses: 2607:f8b0:4002:c04::63
    208.117.232.119
    208.117.232.117
    208.117.232.116
    208.117.232.123
    208.117.232.122
    208.117.232.121
    208.117.232.118
    208.117.232.120
    > server 2001:558:feed::1
    Default Server: cdns01.comcast.net
    Address: 2001:558:feed::1
    > www.google.com
    Server: cdns01.comcast.net
    Address: 2001:558:feed::1
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to cdns01.comcast.net timed-out
    > exit
    ======================
    == EXAMPLE 2: Test using "dig"
    ======================
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>dig AAAA cdns02.comcast.net @75.75.75.75
    ; <<>> DiG 9.8.6 <<>> AAAA cdns02.comcast.net @75.75.75.75
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3203
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;cdns02.comcast.net. IN AAAA
    ;; ANSWER SECTION:
    cdns02.comcast.net. 476 IN AAAA 2001:558:feed::2
    ;; Query time: 17 msec
    ;; SERVER: 75.75.75.75#53(75.75.75.75)
    ;; WHEN: Mon Oct 14 15:11:04 Mountain Daylight Time 2013
    ;; MSG SIZE rcvd: 64

    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>dig AAAA cdns02.comcast.net @2001:558:feed::1
    ; <<>> DiG 9.8.6 <<>> AAAA cdns02.comcast.net @2001:558:feed::1
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>
    ===========================
    == Additional information
    ===========================
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>ipc onfig /all
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : Sun
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : hsd1.co.comcast.net.
    Wireless LAN adapter Wireless Network Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Belkin Wireless Adapter
    Physical Address. . . . . . . . . : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : hsd1.co.comcast.net.
    Description . . . . . . . . . . . : Intel(R) 82567V-2 Gigabit Network Connection
    Physical Address. . . . . . . . . : XXXXXXXXXXXXXXXXXXXX
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2601:XXXXXXXXXXXXXXXXXXXXXXXX(Preferred)
    Link-local IPv6 Address . . . . . : fe80::XXXXXXXXXXXXXX%10(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.134(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Monday, October 14, 2013 11:14:01 AM
    Lease Expires . . . . . . . . . . : Tuesday, October 15, 2013 11:14:01 AM
    Default Gateway . . . . . . . . . : fe80::XXXXXXXXXXXXXXXX%10
    192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DHCPv6 IAID . . . . . . . . . . . : 167781912
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-41-A0-1B-00-26-18-F8-11-A6
    DNS Servers . . . . . . . . . . . : 75.75.75.75
    75.75.76.76
    192.168.1.1
    NetBIOS over Tcpip. . . . . . . . : Disabled
    Ethernet adapter VirtualBox Host-Only Network:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
    Physical Address. . . . . . . . . : 08-00-27-00-50-71
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::a00:27ff:fe00:5071%17(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DHCPv6 IAID . . . . . . . . . . . : 336068647
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-41-A0-1B-00-26-18-F8-11-A6
    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
    fec0:0:0:ffff::2%1
    fec0:0:0:ffff::3%1
    NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{9F549F1C-82D2-43DD-9416-51B4724E8A04}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{BF2E92EA-4A7F-4E03-9EC8-7DCFF826DDFD}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.hsd1.co.comcast.net.:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : hsd1.co.comcast.net.
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>

  2. #2
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,473

    Smile Re: ZoneAlarm ISS blocks DNS queries over IPv6

    Hello;

    Here are several Solutions to your IPV6 issue that I found using the ZA Forum Search feature:

    1.)How to create IPV6 Rules

    https://www.zonealarm.com/forums/sho...highlight=IPV6


    2.) with a Valid ZA License key, you can contact the Official Support "LIVE CHAT" free of charge:
    Please report your findings to support. More reports more likely they will manage to find a pattern/origin to the problem. Support may ask to perform several steps. This is part of the troubleshooting before the issue is escalated to support and to clearly distinguish local issue from global ones.

    3.) Here is a possible solution to speed up the time it may take to find a fix for your IPV6 issue..

    Users need to participate and test the 2014 Beta 3 - 12.0.020.000 Available now and use the FEEDBACK option in the Beta to report issues directly to Development Team so things have a Greater chance of being fixed in the 2014 version.

    https://www.zonealarm.com/security/e...eta-center.htm <= click here

    Last edited by GeorgeV; October 14th, 2013 at 07:11 PM.
    GeorgeV
    ZoneAlarm Extreme Security


    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Oct 2013
    Posts
    2

    Default Re: ZoneAlarm ISS blocks DNS queries over IPv6

    GeorgeV, Thanks for the information. Unfortunately ZA ISS blocks SOME of the IPv6 traffic even when I have configured it to allow all IPv6 traffic. According to the on-line documents (including the forum threads you mentioned), ZA ISS should either allow all IPv6 or disallow all IPv6 traffic. It doesn't work. It is a bug. I tried the Beta v12, it didn't solve the problem. I has already submitted a feedback form to the Beta v12 team. when I used CHAT, (twice), the support team had no solution, but suggested trying the Beta v12. They said that they have no way of submitting any kind of bug. That's extremely unfortunate.

  4. #4
    Join Date
    Dec 2002
    Location
    San Carlos, California
    Posts
    1,641

    Default Re: ZoneAlarm ISS blocks DNS queries over IPv6

    Quote Originally Posted by pmadland View Post
    GeorgeV, Thanks for the information. Unfortunately ZA ISS blocks SOME of the IPv6 traffic even when I have configured it to allow all IPv6 traffic. According to the on-line documents (including the forum threads you mentioned), ZA ISS should either allow all IPv6 or disallow all IPv6 traffic. It doesn't work. It is a bug. I tried the Beta v12, it didn't solve the problem. I has already submitted a feedback form to the Beta v12 team. when I used CHAT, (twice), the support team had no solution, but suggested trying the Beta v12. They said that they have no way of submitting any kind of bug. That's extremely unfortunate.
    PMADLAND,

    Hello,

    This issue has been logged with development. Please check your email.
    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. World IPv6 rapidly approaching, ZA free still blocking IPv6
    By nkolvek in forum ZoneAlarm Free Firewall
    Replies: 2
    Last Post: May 11th, 2011, 01:04 PM
  2. ZA Free 9.1 blocks IPv6
    By silvrdrgn in forum Access Issues
    Replies: 2
    Last Post: April 14th, 2010, 08:13 PM
  3. Are Zonealarm 9 Series IPv6 compatible?
    By eyesineyes in forum General - Questions that don't fit any other category
    Replies: 7
    Last Post: September 19th, 2009, 05:15 AM
  4. ZoneAlarm Security Suite - Anti-Virus Queries
    By ferraritm in forum ZoneAlarm Anti-virus & Anti-spyware
    Replies: 1
    Last Post: January 31st, 2009, 07:13 AM
  5. Zonealarm Disabling IPv6?
    By jpo in forum Access Issues
    Replies: 0
    Last Post: November 12th, 2008, 10:04 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •