
malwarebytes breaks DNS resolution



I am having the same issue on Windows 10...

So this started happening about a month ago and I finally got to the point in troubleshooting I could pinpoint where the issue is.

Randomly it seems, local internal network DNS entries were getting modified to completely random IP addresses. For example, I would have a web server at 10.40.x.x and all of a sudden I get 404 errors, and when I ping, the IP would be 10.21.x.x or a different subnet within our network. After examining my domain controllers and DNS, I found they are translating the IP correctly, but the bad one is coming from a loopback IP of 127.42.x.x.

So in troubleshooting, I decided to turn off Malwarebytes web protection, which appears to be running a local proxy server and doing some DNS filtering. As soon as I turn it off, I don't even have to flush the DNS cache; the pings return the correct IP from the domain controllers/DNS servers.

Is there a setting somewhere, where I can tell it NOT to override IP addresses for local domains? I don't want to turn this off every time I come to the office just so I can continue to browse to internal resources without issue.

EDIT: I am using 3.0.6 on Windows 10 Pro Creators, Production Ring.

Here is an example:

Webprotection is off:

Pinging server.domain.com [10.40.x.x] with 32 bytes of data:

Reply from 10.40.x.x: bytes=32 time=3ms TTL=124

 

Webprotection turned right back on:

Pinging server.domain.com [127.42.0.0] with 32 bytes of data:

Reply from 10.40.x.x: bytes=32 time=3ms TTL=124

 

30 min after webprotection turned on:

Pinging server.domain.com [127.42.0.1] with 32 bytes of data:

Reply from 10.21.x.x bytes=32 time=1ms TTL=127

 

It's doing something completely wonky with the DNS with a local DNS proxy associated with WebProtection.  I have my entire domains excluded, but that doesn't seem to help. 

Edited by schmak01
update

Just another fun example from this morning, trying to go to the same internal URL I went to in the previous post:

Web Protection ON:

Pinging server.domain.com [127.42.0.28] with 32 bytes of data:
Request timed out.
General failure.
General failure.
General failure.

Ping statistics for 127.42.0.28:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And after I immediately turned web protection off, no other changes:

Pinging server.domain.com [10.40.x.x] with 32 bytes of data:
Reply from 10.40.x.x: bytes=32 time=3ms TTL=124
Reply from 10.40.x.x: bytes=32 time=3ms TTL=124
Reply from 10.40.x.x: bytes=32 time=3ms TTL=124
Reply from 10.40.x.x: bytes=32 time=2ms TTL=124

Ping statistics for 10.40.x.x
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

 

 

Please keep in mind these are not the internet/externally available IP addresses and DNS entries; these are all from my internal DNS server. Malwarebytes is overriding the local DNS with inaccurate IP addresses, or its internal DNS cache is getting corrupted.


If it helps, we were able to fix this by looking at my hosts file.

I hadn't looked at it since I ran TRON a few weeks past, and it looks like Spybot Search and Destroy put a ton of entries for MSFT related sites to 0.0.0.0. We removed those entries, and so far so good. Over 24 hours now and no more IP changes.

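An added example, not part of the thread and not Malwarebytes' code: a Python check for the two symptoms the posts above describe, hosts-file entries pinned to 0.0.0.0 and names answered from the 127.x loopback range instead of by the internal DNS server. The sample hosts content, its hostnames, the 10.40.0.15 address and the classification labels are constructed for illustration; only 127.42.0.28 comes from the ping output above.

```python
import ipaddress

# Constructed sample modelled on the entries described in the thread.
# On a live Windows host the file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.example.com   # immunizer-style entry (constructed)
0.0.0.0         ads.example.net stats.example.net
10.40.0.15      server.domain.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; skip comments and malformed lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:          # one line may map several names
            yield line_no, ip, name.lower()

def sinkholed(text):
    """Hostnames pinned to 0.0.0.0 / :: or to loopback (localhost itself excluded)."""
    return sorted({name for _, ip, name in parse_hosts(text)
                   if (ip.is_unspecified or ip.is_loopback) and name != "localhost"})

def classify_answer(addr):
    """Label a resolved address so a substituted answer stands out from a real one."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "sinkhole"
    if ip.is_loopback:
        # Anything in 127.0.0.0/8 other than 127.0.0.1 was not issued by a DNS server
        # for a real host; it points back at software on this machine.
        return "localhost" if str(ip) in ("127.0.0.1", "::1") else "local-substitute"
    return "internal" if ip.is_private else "public"

if __name__ == "__main__":
    print("sinkholed names:", sinkholed(SAMPLE_HOSTS))
    for answer in ("10.40.0.15", "127.42.0.28"):
        print(answer, "->", classify_answer(answer))
```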
