Dnscache Registry Value breaks Internet Access
What's the problem?
Guest VM: Windows 11 Pro (Version: 10.0.26100)
After the install script is finished, internet access is broken:
Error: ERR_NAME_NOT_RESOLVED
The problem is the Windows DNS Service that gets disabled through the following line of code of the config.xml:
<registry-item name="Force DNS requests to always come from requesting process" path="HKLM:\SYSTEM\CurrentControlSet\services\Dnscache" value="Start" type="DWord" data="4" />
By changing the corresponding registry key back to the default value 2, internet access works.
Can someone explain how this is intended to work without the Windows DNS Service? On my Windows 10 Guest VM, it works fine.
Steps to Reproduce
- Execute install script
- Try to connect to internet
Environment
- Virtualization software: VMware Workstation Pro
- VM OS version: 10.0.26100
- VM PowerShell version: 5.1.26100.2161
- VM Chocolatey version: 2.4.2
- VM Boxstarter version: Boxstarter|3.0.3
- VM-Get-Host-Info:
Host Information
VM OS version and Service Pack
-----
Version : 10.0.26100
BuildNumber : 26100
OSArchitecture : 64-bit
ServicePackMajorVersion : 0
Caption : Microsoft Windows 11 Pro
VM OS RAM (MB)
-----
8192
VM OS HDD Space / Usage
-----
DeviceID DriveType ProviderName VolumeName Size FreeSpace
-------- --------- ------------ ---------- ---- ---------
C: 3 128048951296 77226115072
D: 5 ESD-ISO 4957390848 0
VM AV Details
-----
AntiVirusProduct classname does not exist...
VM PowerShell Version
-----
5.1.26100.2161
VM CLR Version
-----
4.0.30319.42000
VM Chocolatey Version
-----
2.4.2
VM Boxstarter Version
-----
Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3
VM Installed Packages
-----
Common Environment Variables
-----
VM_COMMON_DIR: C:\ProgramData\_VM
TOOL_LIST_DIR: C:\Users\user920\Desktop\Tools
RAW_TOOLS_DIR: C:\Tools
Additional Information
No response
This change was introduced in https://github.com/mandiant/flare-vm/pull/630 to force DNS requests to always come from requesting process. It should not break internet access.
I have tried the installation in Windows 10 and this does not break internet. I can't test it on Windows 11 at the moment. Can someone else confirm if they get this issue in Windows 11 too?
I am running a fresh install on Windows 11 Pro to test this out. I previously ran into no internet issues in Windows 11 after starting the vm the next day, days later. Running this on Fedora 41 in VMware Workstation 17 Pro, version 17.6.2 build-24409262
Will update here within the next 1-2 hours.
Current Windows 11 vm Build info:
Edition: Windows 11 Pro
Version: 24H2
Installed on: 2/22/2025
OS build: 26100.3194
Experience: Windows Feature Experience Pack 1000.26100.48.0
I ran into this same issue after installing Flare on a new Windows 11 VM on VirtualBox. Setting the registry value back to 2 fixed the issue.
Edition: Windows 11 Enterprise
Version: 24H2
Installed on: 03/07/2025
OS build: 26100.3194
Experience: Windows Feature Experience Pack 1000.26100.48.0
Hi, same issue here.
Windows 11 Pro Version 24h2 Installed on 13/03/2025 OS build 26100.3476
I can confirm that this issue has also occurred to me. It happened 2 days after installation. Nslookup returns addresses successfully, but ping and edge can't resolve domains. Wireshark shows that no DNS requests are made from those programs.
Environment
- Virtualization software: Proxmox
- VM OS version: 10.0.26100
- VM PowerShell version: 5.1.26100.2161
- VM Chocolatey version: 2.4.3
- VM Boxstarter version: Boxstarter|3.0.3
VM-Get-Host-Info:
Host Information
VM OS version and Service Pack
Version : 10.0.26100
BuildNumber : 26100
OSArchitecture : 64-bit
ServicePackMajorVersion : 0
Caption : Microsoft Windows 11 Pro
VM OS RAM (MB)
8192
VM OS HDD Space / Usage
DeviceID DriveType ProviderName VolumeName Size FreeSpace
C: 3 106567823360 42550505472
D: 5 virtio-win-0.1.266 724434944 0
E: 5 ESD-ISO 4957390848 0
VM AV Details
AntiVirusProduct classname does not exist...
VM PowerShell Version
5.1.26100.2161
VM CLR Version
4.0.30319.42000
VM Chocolatey Version
2.4.3
VM Boxstarter Version
Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3
VM Installed Packages
Common Environment Variables
VM_COMMON_DIR: C:\ProgramData_VM
TOOL_LIST_DIR: C:\Users\PC\Desktop\Tools
RAW_TOOLS_DIR: C:\Tools
Hi, want to back this up too. Fresh Windows 11 Pro installation set the value to 4, therefore no internet connection; setting the value back to "2" did the trick. Thanks @buu-huu
@emtuls has confirmed that the registry change in https://github.com/mandiant/flare-vm/pull/630 to force DNS requests to always come from the requesting process breaks internet in Windows 11. Does anyone know of a different way to force DNS requests to always come from the requesting process that does not break internet in Windows 11?
If not, we have two options:
1. Remove the registry change completely.
2. Move the registry change to the debloat package, only for Windows 10 (we have two different configs for Windows 10 and 11) if @mandiant/commando-vm is ok with it.
@emtuls prefers option 1, in case the registry modification breaks something else. I tend toward option 2, as I like to see the process of the request in fakenet, although it does not always work well (as reported in https://github.com/mandiant/flare-fakenet-ng/issues/205).
@mandiant/flare-vm opinions?
Yup...seems the OP solution works for me.
I'm for option #2 as well.
This worked for me and then reboot.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v Start /t REG_DWORD /d 2 /f
We have now moved the registry change to only Windows 10 in https://github.com/mandiant/VM-Packages/pull/1463 and https://github.com/mandiant/flare-vm/pull/711. If someone still experiences internet issues in Windows 11, please open a new issue.
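Added example (not part of the original thread and not FLARE-VM code): a PowerShell check that reads the Dnscache Start value discussed above, tests name resolution through the OS resolver, and with -Fix restores the default value 2 on an affected Windows 11 guest. The function name, the -Fix switch, the test hostname and the build threshold of 22000 for Windows 11 are assumptions of this example.

```powershell
#Requires -Version 5.1
# Added example; names below are hypothetical, not taken from FLARE-VM.
param([switch]$Fix)   # pass -Fix from an elevated prompt to restore the default

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'   # key from the issue
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DnscacheAssessment {
    param([int]$Start, [int]$Build)
    # Assumption: Windows 11 reports build numbers of 22000 and above.
    $isWin11 = $Build -ge 22000
    [pscustomobject]@{
        StartValue  = $Start
        StartType   = $StartTypes[$Start]
        Build       = $Build
        IsWindows11 = $isWin11
        # Per the thread: Start=4 breaks name resolution on Windows 11,
        # while Windows 10 guests were reported to keep working.
        Affected    = ($isWin11 -and $Start -eq 4)
    }
}

$start  = (Get-ItemProperty -Path $KeyPath -Name Start).Start
$build  = [System.Environment]::OSVersion.Version.Build
$result = Get-DnscacheAssessment -Start $start -Build $build
$result | Format-List

# Resolve a name through the OS resolver, the path ping and browsers use.
# 'example.com' is a constructed test name; any resolvable name works.
try {
    [void][System.Net.Dns]::GetHostAddresses('example.com')
    'OS resolver: OK'
} catch {
    "OS resolver: FAILED ($($_.Exception.Message))"
}

if ($Fix -and $result.Affected) {
    # Same change as the reg add command posted in the thread.
    Set-ItemProperty -Path $KeyPath -Name Start -Value 2 -Type DWord
    'Start reset to 2 (Automatic); reboot for the change to take effect.'
} elseif ($result.Affected) {
    'Affected configuration detected; re-run with -Fix to restore Start=2.'
}
```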