
Why is Firefox 36 on Windows receiving connections from DNS servers? Option network.dns.get-ttl

  • 1 reply
  • 3 have this problem
  • 16 views
  • Last reply by jayelbe


Subsequent to updating to Firefox 36, my firewall has been inundating me with requests to allow external connections from the Internet to my browser. Looking into this in more detail, Comodo Firewall is indicating that external Internet sites are trying to connect to Firefox, from port 53 to an arbitrary port on my machine.

If I disable the new FF36 option network.dns.get-ttl, this stops. I can't find any documentation or help on this option.

Why is Firefox doing this? Is Comodo incorrect when it labels this as an external attempt to connect? (It's normally been extremely good at differentiating between inbound & outbound traffic). I'm assuming that Firefox is trying to determine TTL for DNS caching, but it doesn't make sense why DNS servers are then trying to connect back to me.

I'm loath to create a firewall rule that states arbitrary connections from the Internet to my machine are OK as long as they originated on port 53, so advice on how to manage whatever this new feature is securely would be appreciated.

Thanks in advance for any assistance.


Chosen solution

Hi grammarye,

Yep, you're right in thinking that Firefox is attempting to look up the TTL. This is new behaviour in Firefox 36 and was introduced because services with frequently changing DNS records (like Cloudflare) weren't working correctly for Firefox users.

Firefox makes asynchronous DNS lookups - meaning it will make a DNS request and then proceed to do other work instead of waiting for a response.

Your ISP's DNS server will only cache a domain's TTL for a short time, so if it doesn't have the current TTL, it will query with other DNS servers to find it.

IANAE, but presumably what's happening is thus:

  1. Firefox attempts to look up the DNS record for the domain you wish to connect to
  2. Your ISP's DNS server doesn't have the current TTL, so connects with other DNS servers to find it
  3. During the delay, Firefox busies itself with something else
  4. DNS server then reconnects to give you the full DNS record, including TTL
  5. Comodo sees the packets from the DNS server and panics

I completely agree that whitelisting arbitrary ports is a bad idea, but in this case the behaviour is completely innocuous.

You may wish to whitelist Firefox in your Comodo firewall, or continue to leave network.dns.get-ttl disabled.

(edited to fix broken links and add a sentence)

👍 0
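Added example, not code from this thread or from Firefox: a minimal client-side view of the DNS exchange jayelbe describes. A DNS lookup over UDP is one datagram to the resolver's port 53 and one datagram back from port 53 to the ephemeral port the query left from. The script builds a query, parses a constructed response (including the TTL field that network.dns.get-ttl is after), and applies the stateful check a firewall needs in order to recognise the reply as belonging to the outbound query rather than as an unsolicited inbound packet: reversed address/port 4-tuple plus matching DNS transaction ID. All hostnames and addresses are constructed (documentation ranges), and the packet-as-dict representation is an assumption of the example.

```python
# Added example (not Firefox code). Builds a DNS A query, parses a constructed
# response including its TTL, and matches the reply to the query the way a
# stateful firewall would. All names, addresses and ports are constructed.
import struct

DNS_PORT = 53


def encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard recursive A query (RD=1) with a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ttl, ipv4):
    """Constructed reply to build_query: QR=1, RD=1, RA=1, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer back to the name in the question section.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return (txid, [(name, ttl, ipv4)]) for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, answers


def is_reply_to(query, reply):
    """Stateful match: a datagram from port 53 is the answer to our query only if
    its 4-tuple is the query's reversed and the DNS transaction ID matches.
    Packets are dicts with "src", "dst" as (ip, port) and a "payload" (assumed shape)."""
    if query["dst"][1] != DNS_PORT:
        return False
    if reply["src"] != query["dst"] or reply["dst"] != query["src"]:
        return False
    try:
        reply_txid, _ = parse_response(reply["payload"])
    except ValueError:
        return False
    return reply_txid == struct.unpack("!H", query["payload"][:2])[0]


def demo():
    """Run the constructed exchange and return what a checker would observe."""
    client = ("192.0.2.10", 54321)       # constructed: browser's ephemeral UDP port
    resolver = ("192.0.2.53", DNS_PORT)  # constructed: the ISP's resolver
    txid = 0x1A2B
    query = {"src": client, "dst": resolver,
             "payload": build_query(txid, "www.example.com")}
    reply = {"src": resolver, "dst": client,
             "payload": build_response(txid, "www.example.com", 300, "198.51.100.7")}
    # Unsolicited datagram from some other host's port 53 that nobody asked for.
    stray = {"src": ("203.0.113.9", DNS_PORT), "dst": client,
             "payload": build_response(0x9999, "www.example.com", 300, "198.51.100.7")}
    _, answers = parse_response(reply["payload"])
    return {"ttl": answers[0][1], "ip": answers[0][2],
            "reply_matches": is_reply_to(query, reply),
            "stray_matches": is_reply_to(query, stray)}


if __name__ == "__main__":
    print(demo())
```

The point of `is_reply_to` is the distinction a firewall has to make: the resolver's answer arrives as a datagram from port 53 to the same ephemeral port the query went out on, with the same transaction ID, so it belongs to an outbound flow the browser started. A rule that allows any inbound packet whose source port is 53 would also accept the `stray` packet, which fails the match.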
