Dnscache Registry Value breaks Internet Access

[buu-huu]

What's the problem?

Guest VM: Windows 11 Pro (Version: 10.0.26100)

After the install script is finished, internet access is broken:

Error: ERR_NAME_NOT_RESOLVED

The problem is the Windows DNS Service that gets disabled through the following line of code of the config.xml:

<registry-item name="Force DNS requests to always come from requesting process" path="HKLM:\SYSTEM\CurrentControlSet\services\Dnscache" value="Start" type="DWord" data="4" />

By changing the corresponding registry key back to the default value 2, internet access works

Can someone explain how this is intended to work without the Windows DNS Service? On my Windows 10 Guest VM, it works fine.

Steps to Reproduce

1. Execute install script
2. Try to connect to internet

Environment

• Virtualization software: VMware Workstation Pro
• VM OS version: 10.0.26100
• VM PowerShell version: 5.1.26100.2161
• VM Chocolatey version: 2.4.2
• VM Boxstarter version: Boxstarter|3.0.3
• VM-Get-Host-Info:

Host Information

VM OS version and Service Pack
-----


Version                 : 10.0.26100
BuildNumber             : 26100
OSArchitecture          : 64-bit
ServicePackMajorVersion : 0
Caption                 : Microsoft Windows 11 Pro





VM OS RAM (MB)
-----
8192


VM OS HDD Space / Usage
-----

DeviceID DriveType ProviderName VolumeName Size         FreeSpace
-------- --------- ------------ ---------- ----         ---------
C:       3                                 128048951296 77226115072
D:       5                      ESD-ISO    4957390848   0




VM AV Details
-----
AntiVirusProduct classname does not exist...

VM PowerShell Version
-----
5.1.26100.2161

VM CLR Version
-----
4.0.30319.42000

VM Chocolatey Version
-----
2.4.2

VM Boxstarter Version
-----

Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3




VM Installed Packages
-----
010editor.vm|15.0.1
7zip.vm|23.1.0.20250206
apimonitor|2.13.0.20210213
apimonitor.vm|2.13.0.20220224
apktool.vm|2.11.0
autohotkey|1.1.37.1
autohotkey.install|2.0.19
autoit-ripper.vm|1.1.2
bindiff.vm|8.0.0.20240402
blobrunner.vm|0.0.5.20240411
blobrunner64.vm|0.0.5.20240411
Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3
bytecodeviewer.vm|2.13.0
capa.vm|9.0.0
capa-explorer-web.vm|1.0.0
chocolatey|2.4.2
chocolatey-compatibility.extension|1.0.0
chocolatey-core.extension|1.4.0
chocolatey-dotnetfx.extension|1.0.1
chocolatey-visualstudio.extension|1.11.1
chocolatey-windowsupdate.extension|1.0.5
chrome.extensions.vm|0.0.0.20250123
Cmder|1.3.25
cmder.vm|1.3.25
codetrack|1.0.3.301
codetrack.vm|1.0.3.20230526
common.vm|0.0.0.20250203
cryptotester.vm|1.7.1.20240411
cyberchef.vm|10.19.4.20250117
Cygwin|3.5.7
cygwin.vm|3.5.7
de4dot-cex.vm|4.0.0.20240411
debloat.vm|0.0.0.20240327
dependencywalker|2.2.6000.9
dependencywalker.vm|2.2.6000
dex2jar.vm|2.3.0.20240411
didier-stevens-beta.vm|0.0.0.20240726
didier-stevens-suite.vm|0.0.0.20240726
die.vm|3.10.0
dll-to-exe.vm|1.1.0
dnlib.vm|4.0.0
dnspyex.vm|6.5.1
dotdumper.vm|1.1.0.20240411
DotNet3.5|3.5.20241212
dotnet-5.0-desktopruntime|5.0.17
dotnet5-desktop-runtime|5.0.6
dotnet-6.0-desktopruntime|6.0.36
dotnet-6.0-runtime|6.0.36
dotnet-6.0-sdk|6.0.428
dotnet-6.0-sdk-4xx|6.0.428
dotnet-6.vm|0.0.0.20240507
dotnet-8.0-desktopruntime|8.0.12
dotnet-8.vm|0.0.0.20250122
dotnetfx|4.8.0.20220524
explorersuite.vm|0.0.0.20250117
extreme_dumper.vm|4.0.0.20240603
ezviewer.vm|2.0.0.20240826
fakenet-ng.vm|3.3.0.20250117
file.vm|0.0.0.20240411
floss.vm|3.1.1
garbageman.vm|0.2.4.20240411
ghidra|11.2.1
ghidra.vm|11.2.1
git|2.47.1.20250115
git.install|2.47.1.20250115
googlechrome.vm|0.0.0.20250117
goresym.vm|3.0.1
graphviz|12.2.1
hashmyfiles.vm|0.0.0.20250110
hollowshunter.vm|0.4.0.20250206
hxd|2.5.0
hxd.vm|2.5.0.20230925
ida.plugin.capa.vm|8.0.1
ida.plugin.comida.vm|0.0.0.20240725
ida.plugin.dereferencing.vm|0.0.0.20241114
ida.plugin.diaphora.vm|3.2.1.20240725
ida.plugin.flare.vm|0.0.0.20240725
ida.plugin.hrtng.vm|2.2.21
ida.plugin.ifl.vm|1.4.4.20240725
ida.plugin.xray.vm|0.0.0.20250110
ida.plugin.xrefer.vm|1.0.3
idafree.vm|8.4.0.20250116
idr.vm|0.0.0.20230627
ifpstools.vm|2.0.2.20240411
ilspy|9.0.0
ilspy.vm|9.0.0
innoextract.vm|1.9.0.20240411
innounp.vm|0.50.0.20230710
installer.vm|0.0.0.20241002
internet_detector.vm|1.0.0.20241217
ipython.vm|8.27.0.20250122
isd.vm|1.5.0.20240217
js-beautify.vm|1.15.1.20240930
js-deobfuscator.vm|0.0.0.20240516
KB2919355|1.0.20160915
KB2919442|1.0.20160915
KB2999226|1.0.20181019
KB3033929|1.0.5
KB3035131|1.0.3
KB3063858|1.0.0
libraries.python3.vm|0.0.0.20241213
libraries-extra.python3.vm|0.0.0.20241029
magika.vm|0.5.0
malware-jail.vm|0.0.0.20240419
map.vm|0.0.0.20240416
nasm|2.16.3
nasm.vm|2.16.3
netfx-4.8|4.8.0.20220524
net-reactor-slayer|6.4.0
net-reactor-slayer.vm|6.4.0.20230621
nodejs|20.7.0
nodejs.install|20.7.0
nodejs.vm|0.0.0.20240827
notepadplusplus|8.7.6
notepadplusplus.install|8.7.6
notepadplusplus.vm|8.7.6
notepadpp.plugin.compare.vm|2.0.2
notepadpp.plugin.jstool.vm|1.2312.0
notepadpp.plugin.xmltools.vm|3.1.1.20231219
npcap.vm|1.80.20241216
obfuscator-io-deobfuscator.vm|0.0.0.20240514
offvis.vm|1.0.0.20240411
onenoteanalyzer.vm|0.0.0.20240226
openjdk|21.0.1
openjdk.vm|0.0.0.20240531
pdbresym.vm|1.3.6
pdfstreamdumper.vm|0.9.634.20240226
pe_unmapper.vm|1.0.0
pebear|0.7.0
pebear.vm|0.7.0
peid.vm|0.95.0.20240411
pesieve|0.4.0.1
pesieve.vm|0.4.0.20250205
pestudio.vm|9.60.0
pkg-unpacker.vm|1.0.0.20240419
pma-labs.vm|0.0.0.20240411
procdot.vm|1.22.57
processdump.vm|2.1.1.20240217
pycdas.vm|0.0.0.20250110
pycdc.vm|0.0.0.20250110
python3|3.10.11
python3.vm|0.0.0.20240726
python310|3.10.11
rat-king-parser.vm|4.0.1
recaf.vm|2.21.14
reg_export.vm|1.3.0.20240217
regcool.vm|2.22.0
regshot.vm|1.9.1.20240411
resourcehacker.portable|5.2.7
resourcehacker.vm|0.0.0.20240423
rundotnetdll.vm|2.2.0.20240411
scdbg.vm|0.0.0.20240411
sclauncher.vm|0.0.6
sclauncher64.vm|0.0.6
setdefaultbrowser|1.5.0
sfextract.vm|2.1.0
shellcode_launcher.vm|0.0.0.20240217
sysinternals.vm|0.0.0.20250117
systeminformer.vm|3.2.25036
uncompyle6.vm|3.9.2
uniextract2.vm|2.0.0.20240411
unpyc3.vm|0.0.0.20241206
upx.vm|4.2.4
vbdec.vm|1.0.917.20240614
vb-decompiler-lite.vm|12.5.0
vcbuildtools.vm|0.0.0.20240217
vcredist140|14.42.34433
vcredist140.vm|0.0.0.20241213
vcredist2010|10.0.40219.32503
vcredist2015|14.0.24215.20170201
vcredist2017|14.16.27052
visualstudio2017buildtools|15.9.58
visualstudio2017-workload-vctools|1.3.3
visualstudio-installer|2.0.3
vscode|1.96.4
vscode.extension.jupyter.vm|2024.6.2024060601
vscode.extension.python.vm|2024.9.11621011
vscode.install|1.96.4
vscode.vm|1.96.4
windump.vm|0.3.0
wireshark|4.4.3
wireshark.vm|4.4.3
x64dbg.plugin.dbgchild.vm|10.0.0
x64dbg.plugin.ollydumpex.vm|1.84.0.20240606
x64dbg.plugin.scyllahide.vm|1.4.0
x64dbg.plugin.x64dbgpy.vm|1.0.59.20240124
x64dbg.vm|2024.4.11.20240606
yara|4.5.2
yara.vm|4.5.2


Common Environment Variables
-----
VM_COMMON_DIR: C:\ProgramData\_VM
TOOL_LIST_DIR: C:\Users\user920\Desktop\Tools
RAW_TOOLS_DIR: C:\Tools

Additional Information

No response

[Ana06]

This change was introduced in #630 to force DNS requests to always come from requesting process. It should not break internet access.

[Ana06]

I have tried the installation in Windows 10 and this does not break internet. I can't test it on Windows 11 at the moment. Can someone else confirm if they get this issue in Windows 11 too?

[drumtechphoto]

I have tried the installation in Windows 10 and this does not break internet. I can't test it on Windows 11 at the moment. Can someone else confirm if they get this issue in Windows 11 too?

I am running a fresh install on Windows 11 Pro to test this out. I previously ran into no internet issues in Windows 11 after starting the vm the next day, days later. Running this on Fedora 41 in VMware Workstation 17 Pro, version 17.6.2 build-24409262

Will update here within the next 1-2 hours.

Current Windows 11 vm Build info:

Edition Windows 11 Pro
Version 24H2
Installed on ‎2/‎22/‎2025
OS build 26100.3194
Experience Windows Feature Experience Pack 1000.26100.48.0

[kenzobenj]

I ran into this same issue after installing Flare on a new Windows 11 VM on VirtualBox. Setting the registry value back to 2 fixed the issue.

Edition Windows 11 Enterprise
Version 24H2
Installed on ‎03/07/2025
OS build 26100.3194
Experience Windows Feature Experience Pack 1000.26100.48.0

[mikukula]

Hi, same issue here.

Windows 11 Pro
Version 24h2
Installed on 13/03/2025
OS build 26100.3476

[googhigg]

I have tried the installation in Windows 10 and this does not break internet. I can't test it on Windows 11 at the moment. Can someone else confirm if they get this issue in Windows 11 too?

I can confirm that this issue has also occurred to me. It happened 2 days after installation.
Nslookup returns addresses successfully, but ping and edge can't resolve domains.
Wireshark shows that no DNS requests are made from those programs.

Environment

• Virtualization software: Proxmox
• VM OS version: 10.0.26100
• VM PowerShell version: 5.1.26100.2161
• VM Chocolatey version: 2.4.3
• VM Boxstarter version: Boxstarter|3.0.3

VM-Get-Host-Info:

Host Information

VM OS version and Service Pack

Version : 10.0.26100
BuildNumber : 26100
OSArchitecture : 64-bit
ServicePackMajorVersion : 0
Caption : Microsoft Windows 11 Pro

VM OS RAM (MB)

8192

VM OS HDD Space / Usage

DeviceID DriveType ProviderName VolumeName Size FreeSpace

---

C: 3 106567823360 42550505472
D: 5 virtio-win-0.1.266 724434944 0
E: 5 ESD-ISO 4957390848 0

VM AV Details

AntiVirusProduct classname does not exist...

VM PowerShell Version

5.1.26100.2161

VM CLR Version

4.0.30319.42000

VM Chocolatey Version

2.4.3

VM Boxstarter Version

Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3

VM Installed Packages

010editor.vm|15.0.1.20250219
7zip.vm|23.1.0.20250219
apimonitor|2.13.0.20210213
apimonitor.vm|2.13.0.20250219
apktool.vm|2.11.0.20250219
autohotkey|1.1.37.1
autohotkey.install|2.0.19
autoit-ripper.vm|1.1.2.20250219
bindiff.vm|8.0.0.20250219
blobrunner.vm|0.0.5.20250219
blobrunner64.vm|0.0.5.20250219
Boxstarter|3.0.3
Boxstarter.Bootstrapper|3.0.3
Boxstarter.Chocolatey|3.0.3
Boxstarter.Common|3.0.3
Boxstarter.HyperV|3.0.3
Boxstarter.WinConfig|3.0.3
bytecodeviewer.vm|2.13.0.20250219
capa.vm|9.0.0.20250219
capa-explorer-web.vm|1.0.0.20250219
chocolatey|2.4.3
chocolatey-compatibility.extension|1.0.0
chocolatey-core.extension|1.4.0
chocolatey-dotnetfx.extension|1.0.1
chocolatey-visualstudio.extension|1.11.1
chocolatey-windowsupdate.extension|1.0.5
Cmder|1.3.25
cmder.vm|1.3.25.20250219
codetrack|1.0.3.301
codetrack.vm|1.0.3.20250219
common.vm|0.0.0.20250206
cryptotester.vm|1.7.1.20250219
cyberchef.vm|10.19.4.20250219
Cygwin|3.5.7
cygwin.vm|3.5.7.20250219
de4dot-cex.vm|4.0.0.20250219
debloat.vm|0.0.0.20240327
dependencywalker|2.2.6000.9
dependencywalker.vm|2.2.6000.20250219
dex2jar.vm|2.3.0.20250219
didier-stevens-beta.vm|0.0.0.20250219
didier-stevens-suite.vm|0.0.0.20250219
die.vm|3.10.20250219
dll-to-exe.vm|1.1.20250219
dnlib.vm|4.0.0.20250219
dnspyex.vm|6.5.1.20250219
dotdumper.vm|1.1.0.20250219
DotNet3.5|3.5.20241212
dotnet-5.0-desktopruntime|5.0.17
dotnet5-desktop-runtime|5.0.6
dotnet-6.0-desktopruntime|6.0.36
dotnet-6.0-runtime|6.0.36
dotnet-6.0-sdk|6.0.428
dotnet-6.0-sdk-4xx|6.0.428
dotnet-6.vm|0.0.0.20250219
dotnet-8.0-desktopruntime|8.0.13
dotnet-8.vm|0.0.0.20250219
dotnetfx|4.8.0.20220524
explorersuite.vm|0.0.0.20250219
extreme_dumper.vm|4.0.0.20250219
ezviewer.vm|2.0.0.20250219
fakenet-ng.vm|3.3.0.20250220
file.vm|0.0.0.20250220
floss.vm|3.1.1.20250220
garbageman.vm|0.2.4.20250219
ghidra|11.2.1
ghidra.vm|11.2.1.20250219
git|2.48.1
git.install|2.48.1
googlechrome.vm|0.0.0.20250218
goresym.vm|3.0.1.20250219
graphviz|12.2.1
hashmyfiles.vm|0.0.0.20250219
hollowshunter.vm|0.4.0.20250219
hxd|2.5.0
hxd.vm|2.5.0.20250219
ida.plugin.comida.vm|0.0.0.20250213
ida.plugin.dereferencing.vm|0.0.0.20250213
ida.plugin.diaphora.vm|3.2.1.20250213
ida.plugin.flare.vm|0.0.0.20250213
ida.plugin.hrtng.vm|2.2.21.20250213
ida.plugin.ifl.vm|1.4.4.20250213
ida.plugin.xray.vm|0.0.0.20250213
idafree.vm|8.4.0.20250219
idr.vm|0.0.0.20250219
ifpstools.vm|2.0.2.20250219
ilspy|9.0.0
ilspy.vm|9.0.0.20250219
innoextract.vm|1.9.0.20250219
innounp.vm|0.50.0.20250219
isd.vm|1.5.0.20250219
js-beautify.vm|1.15.1.20250219
js-deobfuscator.vm|0.0.0.20250219
KB2919355|1.0.20160915
KB2919442|1.0.20160915
KB2999226|1.0.20181019
KB3033929|1.0.5
KB3035131|1.0.3
KB3063858|1.0.0
libraries.python3.vm|0.0.0.20250218
map.vm|0.0.0.20250219
nasm|2.16.3
nasm.vm|2.16.3.20250219
netfx-4.8|4.8.0.20220524
net-reactor-slayer|6.4.0
net-reactor-slayer.vm|6.4.0.20250219
nodejs|20.7.0
nodejs.install|20.7.0
nodejs.vm|0.0.0.20250219
notepadplusplus|8.7.6
notepadplusplus.install|8.7.6
notepadplusplus.vm|8.7.6.20250220
notepadpp.plugin.compare.vm|2.0.2.20250218
notepadpp.plugin.jstool.vm|1.2312.0.20250218
notepadpp.plugin.xmltools.vm|3.1.1.20250218
npcap.vm|1.80.20250219
obfuscator-io-deobfuscator.vm|0.0.0.20250219
offvis.vm|1.0.0.20250219
onenoteanalyzer.vm|0.0.0.20250219
openjdk|21.0.1
openjdk.vm|0.0.0.20250218
pdbresym.vm|1.3.6.20250219
pdfstreamdumper.vm|0.9.634.20250219
pe_unmapper.vm|1.0.20250219
pebear|0.7.0
pebear.vm|0.7.0.20250219
peid.vm|0.95.0.20250219
pesieve|0.4.0.1
pesieve.vm|0.4.0.20250219
pestudio.vm|9.60.20250219
pkg-unpacker.vm|1.0.0.20250219
pma-labs.vm|0.0.0.20250219
procdot.vm|1.22.57.20250219
processdump.vm|2.1.1.20250219
pycdas.vm|0.0.0.20250219
pycdc.vm|0.0.0.20250219
python3|3.10.11
python3.vm|0.0.0.20250218
python310|3.10.11
recaf.vm|2.21.14.20250219
reg_export.vm|1.3.0.20250219
regcool.vm|2.22.20250220
regshot.vm|1.9.1.20250219
rundotnetdll.vm|2.2.0.20250219
scdbg.vm|0.0.0.20250219
sclauncher.vm|0.0.6.20250219
sclauncher64.vm|0.0.6.20250219
setdefaultbrowser|1.5.0
sfextract.vm|2.1.0.20250219
shellcode_launcher.vm|0.0.0.20250219
sysinternals.vm|0.0.0.20250219
systeminformer.vm|3.2.25036.20250219
uniextract2.vm|2.0.0.20250219
upx.vm|4.2.4.20250219
vbdec.vm|1.0.917.20250219
vb-decompiler-lite.vm|12.5.20250219
vcbuildtools.vm|0.0.0.20250228
vcredist140|14.42.34438.20250221
vcredist140.vm|0.0.0.20250220
vcredist2010|10.0.40219.32503
vcredist2015|14.0.24215.20170201
vcredist2017|14.16.27052
visualstudio2017buildtools|15.9.58
visualstudio2017-workload-vctools|1.3.3
visualstudio-installer|2.0.3
windump.vm|0.3.20250219

Common Environment Variables

VM_COMMON_DIR: C:\ProgramData_VM
TOOL_LIST_DIR: C:\Users\PC\Desktop\Tools
RAW_TOOLS_DIR: C:\Tools

[thec0nci3rge]

Hi, want to back this up too. Fresh Windows 11 Pro installation set the value to 4, therefore no internet connection, setting this the value back to "2" did the trick. Thanks @buu-huu

[Ana06]

@emtuls has confirmed that the registry change in #630 to force DNS requests to always come from the requesting process breaks internet in Windows 11. Does anyone knows of a different way to force DNS requests to always come from the requesting process that does not break internet in Windows 11?

If not, we have two options:

1. Remove the registry change completely.
2. Move the registry change to the debloat package, only for Windows 10 (we have two different configs for Windows 10 and 11) if @mandiant/commando-vm is ok with it.

@emtuls prefers option 1. in case the registry modification breaks something else. I tend to option 2, as I like to see the process of the request in fakenet, although it does not always works well (as reported in mandiant/flare-fakenet-ng#205).

@mandiant/flare-vm opinions?