Score:0

Stop exe from accessing internet - firewall blocks but DNS request is being made

mq flag

We purchased this software a few years ago and we use it locally only. After some update, this software received the function to save user files on their cloud. For security purposes we would like to keep things running locally only.

The point is that this software checks whether the computer has internet access and, if so, presents an initial "create account / login" window. We would like to stop this behaviour. If we disconnect the cable/Wi-Fi, the window is not shown.

I've tried to create a firewall policy to block this software. Our firewall (Bitdefender) shows that its connection was blocked, but that initial window still appears.

Microsoft Network Monitor 3.4 shows a DNS query from unknown to what appears to be this software's login page or similar. The DNS reply was a success, which seems to be the reason why that initial window is still there.

Microsoft Network Monitor 3.4 also shows several other DNS queries (not related to this software) coming from the same unknown application, which seem to be the user's regular computer usage.

So, what should I try? Is it a firewall bug? What is this unknown application being captured?

Sorry if Stack Exchange is not the correct place for this question; I will gladly move it somewhere else if needed.

cn flag
Why not sinkhole the domain(s) in DNS?
rd1218 avatar
mq flag
This is software that our team regularly uses, therefore a request or contact may be needed at any time.
cn flag
This is definitely *not* a "firewall bug". The application does not query DNS directly, it uses the operating system for that. If you want to control the behavior of the application, engage the vendor.
rd1218 avatar
mq flag
@GregAskew So, should any application be allowed to query DNS, directly or not, when it is blocked via the firewall? I thought in such cases this query would always be forbidden since it potentially poses a threat.
cn flag
`I thought in such cases this query would always be forbidden since it potentially poses a threat`. I can't think of any organizations that block DNS for the average Windows endpoint. This is particularly true for remote users. On the other hand, a lot of organizations do have security solutions that examine and block potentially hostile DNS requests. Attributing DNS requests on Windows isn't a new concept or request. Other firewall vendors have tried it, with predictable results. https://safing.io/blog/2021/03/23/attributing-dns-requests-on-windows/
rd1218 avatar
mq flag
Thanks for the link. I now understand that `dnsapi.dll` is loaded into the application (causing the `unknown` application I mentioned) and its DNS request is not being totally seen. As the article mentions, this was also their problem and they addressed it, even though they already see more problems in the near future (TLS 1.3). Anyway, do you think I should consider replacing the `Bitdefender` firewall with the `Portmaster` firewall you mentioned?
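
An added example, not part of the original thread: one way to attribute the DNS lookups discussed above to a process on the endpoint, using the Windows DNS Client operational log instead of a packet capture. It assumes that log can be enabled, that event ID 3006 (query issued) records the calling process ID, and that `login.vendor.example` is a placeholder for the name seen in the capture.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# $Domain is a placeholder: replace it with the name seen in Network Monitor.
$Domain  = 'login.vendor.example'
$LogName = 'Microsoft-Windows-DNS-Client/Operational'

# The DNS Client operational log is disabled by default; enable it first.
wevtutil sl $LogName /e:true

# Start the application now so that it performs its connectivity check,
# then read back the recorded queries (event 3006 = DNS query issued).
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3006 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $xml   = [xml]$_.ToXml()
    $query = ($xml.Event.EventData.Data |
              Where-Object { $_.Name -eq 'QueryName' }).'#text'

    if ($query -like "*$Domain") {
      # Assumption: the event is written in the context of the process
      # that called the resolver API, so ProcessId is the requester.
      $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
      [pscustomobject]@{
        Time        = $_.TimeCreated
        Query       = $query
        ProcessId   = $_.ProcessId
        ProcessName = if ($proc) { $proc.ProcessName } else { '(exited)' }
      }
    }
  } | Sort-Object Time | Format-Table -AutoSize
```

If the process name returned is the vendor's executable, the lookup is confirmed to originate from it even though the packet on the wire is not attributed to it, which matches the behaviour described in the comments.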