Multicast?

[sidbonkers]

Any idea why Palemoon 12.2.1 is attempting to connect to IP 224.0.0.252 every 5 minutes or so? The only change on my PC recently was updating the Java RE. Thanks

[Moonchild]

224.0.0.252 is a multicast address limited to your local subnet. It could be your computer is using Link-Local Multicast Name Resolution (LLMNR) to find other computers on the local network. LLMNR broadcasts use this IP address.

Further info:
http://en.wikipedia.org/wiki/Link-local ... Resolution

To disable LLMNR:

1. by using Group Policy, run "gpedit.msc"
   Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled
   Note: the group policy editor is only available in Windows Professional and up
2. by editing the registry Registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0x0

[sidbonkers]

Thanks for the quick reply. It certainly looks like LLMNR - it's trying to contact 224.0.0.252 port 5355 over UDP. But Network Discovery is off, I don't run a DNS Client (I have disabled dnscache and use OpenDNS for IP address resolution) and I have the LLMNR service disabled. I'm using Vista home SP2 and connect to the internet via a LAN cable to a Virgin-Media (UK) router. There are no other computers or devices connected to the router that I know of. Commodo firewall blocks Palemoon trying this address every 5 minutes or so (it's not completely regular). Is one of the Addons for Palemoon doing this? Neither Commodo, Avast or Avira (all running) are flagging a virus. Thanks again.

[Moonchild]

If it's LLMNR (looks like it with that port) then it is a DNS lookup in Pale Moon that triggers this. Not likely add-on related.
Mind you, these lookups are perfectly safe, unless you don't trust your LAN...
Disabling dnscache doesn't necessarily mean the dns client in windows isn't running (it tends to be required in Vista/7 at all times). So try the second solution (since you are on a Home version you won't have the group policy editor) with regedit, and reboot your system after making the change.

[buggy]

First you should not trust Comodo: http://dottech.org/tipsntricks/keeping- ... o-products
And second you should not have two antivirus running together.

[sidbonkers]

There is no DNSCLIENT entry anywhere in my registry and the dnscache service is disabled in Services. The attempt to access the multicast address happens as soon as Palemoon is started and continues regularly afterwards, but only when Palemoon is running. I uninstalled Palemoon 12 with Revo Uninstaller Pro (having originally traced its installation) Then I scanned and cleaned the registry (not much left over, to be honest). Then I downloaded PM 15 from the official site and ran it in safe mode..... it immediately attempted to contact 224.0.0.252. This doesn't happen with Firefox. It doesn't even happen with Palemoon 15 portable. Am I paranoid about software accessing addresses without my permission? Very probably!
(BTW buggy - 5 years without a virus.... I'll stick to belt and braces)
Many thanks for your time on this question - and thanks for the program itself.

[buggy]

Not a trojan don't worry, just another help for newbies

"Link-Local Multicast Protocol Name Resolution" developped by Apple and after by Microsoft.

LLMNR allows inexperienced users to connect computers, network printers, or other devices together to make them running automatically.

Zeroconf currently solves 3 problems:
1) Choose the numeric addresses for each network device
2) Specify which computer has what name
3) Specify which computer which provides service (service discovery)

http://en.wikipedia.org/wiki/Link-local ... Resolution
http://en.wikipedia.org/wiki/Zeroconf

[Moonchild]

This doesn't happen with Firefox. It doesn't even happen with Palemoon 15 portable. Am I paranoid about software accessing addresses without my permission? Very probably!

OK, a few things to clarify, then:

• If it doesn't happen with Firefox or with Pale Moon Portable, then it is something specific to either your current profile, possibly a non-standard preference setting, or an entry in your Windows networking setup that attempts to resolve addresses locally first with LLMNR.
• The fact that the browser does a name lookup immediately when starting is likely related to the fact that Pale Moon contacts a few servers on its own, e.g. for safebrowsing services and add-on blocklists, as well as update checking. This is normal. The portable version has safebrowsing disabled by default (since the intended use is on a stick and the safebrowsing database gets quite large) so may not do a lookup as quickly.
• Firefox probably has a predefined set of rules in Comodo to allow this kind of traffic without warning you. Comodo won't have preset rules for non-mainstream products like Pale Moon.
• The address is, I repeat, restricted to your local network (it is non-routable), and therefore won't cause any traffic to the outside world. So... relax!

[buggy]

Maybe preset rules for Firefox and sure preset rules for Comodo Dragon

[sidbonkers]

OK Moonchild - thanks for the info. Firefox does indeed contact that multicast address - I set up Comodo myself to allow FF all in/out connections but used a predefined set of rules("browser") for PM. A quick google shows other browsers doing the same. Paranoia attack over - I really should get out more. Do I really want to know why browsers broadcast to this address? Naaah
Thanks again for the work on PM - it works a treat on my old Vista machine.