Java app spuriously opening ports

Twisted

A Java app that uses only HTTPUrlConnections to access the net keeps
generating prompts from my firewall app that it wants to act as a
server -- apparently, a DNS server. This is rather strange. Why is it
attempting to open ports, when it's supposed to only retrieve Web links
now and again?
 
Thomas Fritsch

Twisted said:
A Java app that uses only HTTPUrlConnections to access the net keeps
generating prompts from my firewall app that it wants to act as a
server -- apparently, a DNS server. This is rather strange.

Indeed! Wanting to *act* *as* a DNS server would be strange for a Java app.

But *contacting* *to* a DNS server would be very common for your app.
This is the natural way to translate for example "www.google.com" to
something like "11.22.33.44".
 
Twisted

Eh -- my browser doesn't try to open listen ports when it resolves
hostnames. And denying server rights to the Java app didn't stop it
resolving hostnames?
 
Thomas Hawtin

Twisted said:
A Java app that uses only HTTPUrlConnections to access the net keeps
generating prompts from my firewall app that it wants to act as a
server -- apparently, a DNS server. This is rather strange. Why is it
attempting to open ports, when it's supposed to only retrieve Web links
now and again?

DNS in normal usage runs over UDP. UDP is connectionless. In order to
receive a response from the DNS server, the DNS client has to listen for
UDP packets on the chosen port.

Tom Hawtin
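
The behaviour described in the post above, as an added example (not code from the thread): a UDP DNS client has to own a local port to receive the reply, and that bind is what a host firewall sees. The class name, the query name `www.example.com` and the loopback stand-in resolver are assumptions made so the demo runs offline.

```java
import java.io.ByteArrayOutputStream;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;

// Added illustration. The loopback "resolver" is a constructed stand-in that
// echoes the query back with the QR (response) bit set; it is not a real DNS server.
public class UdpDnsClientDemo {
    // Minimal DNS query: 12-byte header plus one question (type A, class IN).
    static byte[] buildQuery(String host, int id) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(id >> 8); out.write(id);          // transaction ID
        out.write(0x01); out.write(0x00);           // flags: recursion desired
        out.write(0); out.write(1);                 // QDCOUNT = 1
        for (int i = 0; i < 6; i++) out.write(0);   // ANCOUNT, NSCOUNT, ARCOUNT = 0
        for (String label : host.split("\\.")) {
            byte[] b = label.getBytes(StandardCharsets.US_ASCII);
            out.write(b.length);                    // length-prefixed label
            out.write(b, 0, b.length);
        }
        out.write(0);                               // root label ends the name
        out.write(0); out.write(1);                 // QTYPE = A
        out.write(0); out.write(1);                 // QCLASS = IN
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (DatagramSocket resolver = new DatagramSocket(0, loopback); // stand-in server
             DatagramSocket client = new DatagramSocket()) {            // OS picks an ephemeral port
            new Thread(() -> {
                try {
                    byte[] in = new byte[512];
                    DatagramPacket q = new DatagramPacket(in, in.length);
                    resolver.receive(q);
                    in[2] |= (byte) 0x80;           // mark the echoed packet as a response
                    resolver.send(new DatagramPacket(in, q.getLength(), q.getSocketAddress()));
                } catch (Exception e) { throw new RuntimeException(e); }
            }).start();
            // connect() on UDP sends nothing; it makes the socket drop datagrams from other peers.
            client.connect(loopback, resolver.getLocalPort());
            System.out.println("client bound to local UDP port " + client.getLocalPort());
            byte[] query = buildQuery("www.example.com", 0x1234);
            client.send(new DatagramPacket(query, query.length));
            client.setSoTimeout(2000);              // do not wait forever for a lost reply
            byte[] buf = new byte[512];
            DatagramPacket reply = new DatagramPacket(buf, buf.length);
            client.receive(reply);                  // inbound UDP arrives on the bound port
            System.out.println("reply from UDP port " + reply.getPort()
                + ", QR bit set: " + ((buf[2] & 0x80) != 0)
                + ", ID matches: " + (buf[0] == query[0] && buf[1] == query[1]));
        }
    }
}
```

The client never accepts connections; it binds an ephemeral port, sends one datagram, and waits for one datagram back on that same port.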
 
tom fredriksen

Twisted said:
A Java app that uses only HTTPUrlConnections to access the net keeps
generating prompts from my firewall app that it wants to act as a
server -- apparently, a DNS server. This is rather strange. Why is it
attempting to open ports, when it's supposed to only retrieve Web links
now and again?

Is it requesting that the firewall open up port 53? In that case it is
implementing and using Universal PnP or something similar, hmm...

Can you explain more about how it is generating the prompts at the
firewall? Are you sure it's not just trying to talk to someone else on
port 53?

You should use a net sniffer to have a look at the packets being
transferred to decrypt the communication. It might not be a DNS request,
but it is using port 53 for some reason.

/tom
 
Nigel Wade

Twisted said:
A Java app that uses only HTTPUrlConnections to access the net keeps
generating prompts from my firewall app that it wants to act as a
server -- apparently, a DNS server. This is rather strange. Why is it
attempting to open ports, when it's supposed to only retrieve Web links
now and again?

Your firewall software is broken, has failed to grasp reality and is panicking.
 
tom fredriksen

Twisted said:
Doubtful -- it's ZoneAlarm, and it's fully up-to-date.

If you can't give us more information about what's happening it's very
difficult for us to help you.

Did you do a trace of the network communication?

Could you give us more information about exactly what the message
ZoneAlarm prints is and a small copy of the code you are using?

Have you compared that to what the network trace shows?

/tom
 
Roedy Green

I have heard that both Intel and AMD are about to release chips with
features to make it easier than ever to virtualise them.

Perhaps what you might do then is run your firewall in a different
virtual machine, and perhaps other functions could be carved off into
their own worlds to help cut down the rising complexity of
interactions.

At the very least there needs to be a way to put device drivers off
into their own boxes so no matter how they fail they can't take the
whole system down with it. Device drivers can never be as trusted as
the core OS, yet they need very low level access. This hints some sort
of radically different design is needed, perhaps using little CPUs on
all I/O cards.

I think back to the CDC 6600 with its array of, was it a
dozen?, I/O processors (faked by one big one). The main CPU did not
get interrupted.

Uplevelling the hardware interface would work by allowing
communication only via shared ram with the i/o processor only able to
see small windows of it that were its business. A hardware disk
controller would interface at the level the device driver does now,
or perhaps a notch or two higher -- implementing a whole file system
in its own clever way, e.g. with marthaing, lookup of files by a
variety of keys, including content, key, marthaing, multiple heads,
background defrag, raid, toggling, backup snapshots frozen in time
without shutting down everything, checkpoints, procrastinated writes,
pre-emptive reads, sequential lookahead...

As it is now, even a keyboard utility or driver can snoop and report
its findings out the i/o ports.

There are three motives for going to much stronger hardware
compartmentalisation:

1. greater stability through isolation in air-tight compartments.

2. greater security through isolation.

3. greater speed by allowing room for more evolution and competition
within the bigger hardware responsibility box.


The irony is infinitely malleable software, because it involves so
many interactions, becomes harder and harder to change anything. To
permit more evolution you must carve off pieces of the problem that
don't have much outside interaction so they can evolve independently.

I similarly want to build air tight boxes for applications so they
can't snoop or modify files or RAM or system settings that are none of
their business.

It should be a federal crime for an app to move all associations to
itself without permission. It simply should not be possible no matter
how malicious the app.
 
Bonney Armstrong

Remove the ZA and the problem will disappear. I use a hardware firewall
instead and I don't experience those issues anymore. Just turning off
ZA is not enough. ZA locks you down too hard if you're a developer.
Good luck.
 
Twisted

You're talking about going from the prokaryotic computer to the
eukaryotic one ... fascinating.
 
