LEO: .... Kyle Hasegawa of Tokyo, Japan clarifies Zone Labs' DNS usage. Remember we had last time a question saying, hey, I was watching ZoneAlarm with Wireshark and all this. Dear Steve and Leo: After hearing about ZoneAlarm phoning home from one of the other listeners, I decided to test this out for myself. I set up a virtual machine to install the latest ZoneAlarm v8.0.065.0000 and enabled PCAP on my router. Here's what I found. ZoneAlarm does not send DNS requests to its own servers. But it does request lookups of zonelabs.com and register.zonelabs.com on the DNS servers configured in Windows. In fact, I don't think an application can override the system's DNS server list when making DNS requests through ServiceHost.
STEVE: I think that's probably true. I was wondering about that myself.
LEO: ZoneAlarm does phone home just after installation, but it does so using a normal browser window and some ASP thank-you-for-installing pages with non-personal information about your instance of ZoneAlarm appended as query string parameters. Also, strangely, ZoneAlarm does continue to query zonelabs.com every 10 seconds. That's what our other listener was seeing.
STEVE: Right.
LEO: But these are normal queries to the configured DNS servers. There's no extra data going on. So what's going on? Why is it doing that?
STEVE: Well, I wanted to clarify. We left this sort of pending. What the other user saw with Wireshark was not queries to Zone Labs' servers, but queries of Zone Labs. So he saw this little 10-second heartbeat querying zonelabs.com. The only thing I can think is that maybe it's a way of detecting 'Net connection, whether your system is currently connected to the Internet. Because those queries are not - if they're just going out to your registered DNS servers, the first time you do it it's going to cache in your ISP's resolver, as we all know from understanding how DNS works. Subsequently, for as long as the TTL, the Time To Live, of the records which were received from Zone Labs' servers keeps them living in your own ISP's cache, it's going to be responding.
So my feeling is this must be a way, this must be the way that the ZoneAlarm Firewall keeps a constant watch on whether you have an Internet connection or not. Because when you drop off the Internet, then the system's attempt to get an update on zonelabs.com would fail. And so that must be what it's doing. It's using this little heartbeat to sense a connection to the system's configured DNS servers. When that no longer exists, that will fail. And so that's the way Zone Labs knows, or ZoneAlarm, the product, knows that your machine is no longer on the Internet. But it's definitely not a phone-home technology, and there's no information dribbling out of them, from what Kyle has said. And what Kyle has said makes absolute sense to me.
LEO: Well, I'm glad to get that. And as I said last time, we're just listening to what the listeners are saying. We haven't done any verification on our own. So there are two different stories going on, and who knows what's really going on. But that kind of makes sense. It's a ping to say, am I alive?
STEVE: Right.
LEO: And that would make sense. And with no extra data going out. And that's not - what Kyle is saying is not inconsistent with what our first guy was saying. He wasn't looking at what they were sending out.
STEVE: Right.