Summary: ZoneAlarm Internet Security Suite 11.0.780.0 blocks outbound requests from DNS clients ("nslookup", "dig", etc.) to a DNS server (when using an IPv6 address for the server), causing failure of DNS name server lookups.
When I completely uninstall ZoneAlarm ISS, the DNS queries over IPv6 start working properly.
This problem occurs both when all ZA ISS subsystems are "ON" and when
- Advanced Firewall is "OFF", and
- Antivirus & Anti-spyware is "OFF", and
- Application Control is "OFF".
This causes severe problems when my ISP sends the IPv6 addresses for their DNS servers via DHCP.
When I use IPv4 server addresses, everything works properly with and without ZA ISS.
Other virtual and physical machines on this network (which do not have ZoneAlarm ISS) are behaving properly.
I tried many different approaches to get this to work; none succeeded.
I used Microsoft Network Monitor 3.4 to watch the IP traffic. With ZA ISS installed, I see no DNS Query packet from my PC. With ZA ISS uninstalled, I see the correct packets.
=============
== DETAILS:
=============
Machine: Windows 7 Ultimate x64 SP1

ZoneAlarm Security Suite version: 11.0.780.000
ZoneAlarm license key: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Vsmon version: 11.0.780.000
Driver version: 11.0.764.000
Antivirus engine version: 8.3.1.6
Antivirus signature DAT file version: 1129209376
AntiSpam version: 6.3.1.4973
Network configuration: PC Ethernet NIC -> Ethernet cable -> Router/Switch -> Cable Modem -> ISP
IPv6 Dual stack is configured on my Windows PC, my network routers, and my ISP (Comcast). Both IPv6 and IPv4 traffic flows properly.
===================
Firewall Settings -> Advanced -> Network setting, Enable IPv6 networking is checked
This occurs even when ZA ISS has
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>ping -6 2001:558:feed::1
Pinging 2001:558:feed::1 with 32 bytes of data:
Reply from 2001:558:feed::1: time=18ms
Reply from 2001:558:feed::1: time=14ms
Reply from 2001:558:feed::1: time=15ms
Reply from 2001:558:feed::1: time=13ms
Ping statistics for 2001:558:feed::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 18ms, Average = 15ms
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>


==========================
== EXAMPLE 1: test using "nslookup"
==========================
C:\Users\Peter>nslookup
Default Server: cdns01.comcast.net
Address: 75.75.75.75
> www.google.com
Server: cdns01.comcast.net
Address: 75.75.75.75
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:400f:801::1013
74.125.225.209
74.125.225.211
74.125.225.208
74.125.225.210
74.125.225.212
> cdns01.comcast.net
Server: cdns01.comcast.net
Address: 75.75.75.75
Non-authoritative answer:
Name: cdns01.comcast.net
Addresses: 2001:558:feed::1
75.75.75.75
> cdns02.comcast.net
Server: cdns01.comcast.net
Address: 75.75.75.75
Non-authoritative answer:
Name: cdns02.comcast.net
Addresses: 2001:558:feed::2
75.75.76.76
> server 75.75.76.76
Default Server: cdns02.comcast.net
Address: 75.75.76.76
> www.google.com
Server: cdns02.comcast.net
Address: 75.75.76.76
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:4002:c04::63
208.117.232.119
208.117.232.117
208.117.232.116
208.117.232.123
208.117.232.122
208.117.232.121
208.117.232.118
208.117.232.120
> server 2001:558:feed::1
Default Server: cdns01.comcast.net
Address: 2001:558:feed::1
> www.google.com
Server: cdns01.comcast.net
Address: 2001:558:feed::1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to cdns01.comcast.net timed-out
> exit
======================
== EXAMPLE 2: Test using "dig"
======================
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>dig AAAA cdns02.comcast.net @75.75.75.75
; <<>> DiG 9.8.6 <<>> AAAA cdns02.comcast.net @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3203
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cdns02.comcast.net. IN AAAA
;; ANSWER SECTION:
cdns02.comcast.net. 476 IN AAAA 2001:558:feed::2
;; Query time: 17 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Mon Oct 14 15:11:04 Mountain Daylight Time 2013
;; MSG SIZE rcvd: 64

C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>dig AAAA cdns02.comcast.net @2001:558:feed::1
; <<>> DiG 9.8.6 <<>> AAAA cdns02.comcast.net @2001:558:feed::1
;; global options: +cmd
;; connection timed out; no servers could be reached
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>
===========================
== Additional information
===========================
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Sun
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.co.comcast.net.
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Belkin Wireless Adapter
Physical Address. . . . . . . . . : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : hsd1.co.comcast.net.
Description . . . . . . . . . . . : Intel(R) 82567V-2 Gigabit Network Connection
Physical Address. . . . . . . . . : XXXXXXXXXXXXXXXXXXXX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:XXXXXXXXXXXXXXXXXXXXXXXX(Preferred)
Link-local IPv6 Address . . . . . : fe80::XXXXXXXXXXXXXX%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.134(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 14, 2013 11:14:01 AM
Lease Expires . . . . . . . . . . : Tuesday, October 15, 2013 11:14:01 AM
Default Gateway . . . . . . . . . : fe80::XXXXXXXXXXXXXXXX%10
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 167781912
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-41-A0-1B-00-26-18-F8-11-A6
DNS Servers . . . . . . . . . . . : 75.75.75.75
75.75.76.76
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter VirtualBox Host-Only Network:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-50-71
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a00:27ff:fe00:5071%17(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 336068647
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-41-A0-1B-00-26-18-F8-11-A6
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{9F549F1C-82D2-43DD-9416-51B4724E8A04}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{BF2E92EA-4A7F-4E03-9EC8-7DCFF826DDFD}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.hsd1.co.comcast.net.:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.co.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Peter\Documents\vendors\ISC\BIND9.8.6>
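
The IPv4-versus-IPv6 comparison made above with nslookup and dig can be repeated with a raw UDP socket, which rules out the resolver tool itself as the cause. This is an added example, not part of the original post: the function names are hypothetical, and the resolver addresses and query name are the ones shown in the post.

```python
import ipaddress
import socket
import struct

def build_query(name, qtype=28, txid=0x1234):
    """Encode one recursive DNS question (qtype 28 = AAAA, 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def family_of(server):
    """Pick the socket family from the literal server address."""
    v6 = ipaddress.ip_address(server).version == 6
    return socket.AF_INET6 if v6 else socket.AF_INET

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query; return 'answered', 'timeout', 'bad reply' or 'error: ...'."""
    query = build_query(name)
    try:
        with socket.socket(family_of(server), socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"
    # A valid reply echoes the transaction id and has the QR (response) bit set.
    valid = len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)
    return "answered" if valid else "bad reply"

def diagnose(results):
    """Classify {server_ip: status} by address family."""
    ok = {4: [], 6: []}
    for server, status in results.items():
        ok[ipaddress.ip_address(server).version].append(status == "answered")
    v4, v6 = ok[4], ok[6]
    if v4 and v6 and all(v4) and not any(v6):
        return "ipv6-only-failure"   # the pattern reported in this post
    if v4 and v6 and all(v6) and not any(v4):
        return "ipv4-only-failure"
    return "all-answered" if (v4 or v6) and all(v4 + v6) else "inconclusive"

if __name__ == "__main__":
    # Resolver addresses and query name are the ones used in the post.
    servers = ["75.75.75.75", "2001:558:feed::1"]
    results = {s: probe(s, "cdns02.comcast.net") for s in servers}
    print(results, "->", diagnose(results))
```

An "ipv6-only-failure" result alongside a successful "ping -6" to the same address points at UDP port 53 over IPv6 specifically rather than at IPv6 routing.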