🛑 DNS Hijacked? Why Your Windows Network Settings Keep Changing to `127.0.2.2` and `127.0.2.3`

If you’ve manually set a specific DNS server (like 10.0.0.1 or 8.8.8.8) only to find it automatically revert to 127.0.2.2 and 127.0.2.3 after a reboot or network event, your system is not broken—it’s being actively managed by a third-party application.

This behavior is a very strong indicator that specialized security, VPN, or filtering software is running on your system, forcing all DNS queries through a local proxy for protection or routing purposes.


🔍 What Do 127.0.2.2 and 127.0.2.3 Actually Mean?

These addresses are intentionally set by a specific type of software and are not standard addresses distributed by your router.

  • Loopback Addresses: The entire 127.0.0.0/8 range (from 127.0.0.1 up to 127.255.255.255) is reserved for loopback or localhost. Any traffic sent to these addresses never leaves your computer; it simply “loops back” to a service running on the same machine.
  • Local DNS Proxy: The applications that cause this create a specialized local DNS server (a proxy) that listens on these specific addresses on your Windows machine.
  • Forced Interception: By setting your network adapter’s DNS to these loopback IPs, the software ensures that every single DNS request is first intercepted and processed by its local proxy before being securely forwarded over a tunnel (like a VPN) or filtered.
  • Reversion is Intentional: When you manually change the DNS, the controlling program detects the change and automatically reverts the settings to 127.0.2.2 and 127.0.2.3 to maintain control over your DNS traffic.

🚨 Common Culprits for this DNS Reversion

While any DNS-altering security application can cause this, the 127.0.2.2 and 127.0.2.3 addresses are particularly associated with the following categories of software:

  • Cloudflare WARP (or WARP+): This is the most common culprit. WARP uses these exact addresses to route your traffic through its secure DNS tunnel.
  • Web Filtering or Parental Control Software: Apps like CovenantEyes or corporate/school security clients often use a local DNS proxy to enforce content filtering or policy rules.
  • Advanced Antivirus/Security Suites: Some high-end security tools can install DNS-level protection to block malicious domains.
  • VPN Clients: Certain VPN clients may use a similar local DNS strategy to prevent DNS leaks.

🛠 How to Fix and Prevent the DNS Change

To successfully set your DNS to your desired address (like 10.0.0.1), you must first disable or completely remove the application that is actively controlling your DNS.

Solution 1: Identify and Disable the Application (The Primary Fix)

The quickest solution is to look for, pause, or quit the known conflicting software.

  1. Check the System Tray: Look for icons related to Cloudflare WARP, VPN clients, or parental control apps. Disconnect or Exit the program entirely.
  2. Use netstat to Find the Listener (Advanced):
    1. Open PowerShell or Command Prompt as an Administrator.
    2. Run the command: netstat -a -b
    3. Review the output (which may take a moment) and look for a process name associated with UDP port 53 (the standard DNS port). The executable name will tell you exactly what service is running the local DNS proxy.
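
The same check can be scripted with built-in PowerShell cmdlets. The following is an added example, not part of the original post: it goes one step beyond netstat by listing which adapters point at a loopback DNS server and by showing the executable path, Authenticode signer and hosting service for each port 53 listener, so you can confirm the proxy belongs to software you installed. It assumes Windows 10 or later and an elevated session.

```powershell
# Added example: map loopback DNS settings to the process that serves them.
# Run elevated so that executable paths of other users' processes are readable.

# 1. Adapters whose configured IPv4 DNS servers fall inside 127.0.0.0/8.
$loopbackDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object {
        foreach ($server in $_.ServerAddresses) {
            if ($server -like '127.*') {
                [pscustomobject]@{
                    Interface = $_.InterfaceAlias
                    DnsServer = $server
                }
            }
        }
    }
$loopbackDns | Format-Table -AutoSize

# 2. Everything listening on port 53 (UDP and TCP), with its owning PID.
$listeners = @(
    Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, OwningProcess
    Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, OwningProcess
)

# 3. Resolve each PID to its executable, signer and any service it hosts.
$listeners | Sort-Object OwningProcess, Proto, LocalAddress -Unique | ForEach-Object {
    $bound = $_.LocalAddress
    $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $sig   = if ($proc.Path) { Get-AuthenticodeSignature -FilePath $proc.Path }
    $svc   = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)"
    [pscustomobject]@{
        Proto      = $_.Proto
        Address    = $bound
        ProcessId  = $_.OwningProcess
        Process    = $proc.ProcessName
        Path       = $proc.Path
        Signer     = $sig.SignerCertificate.Subject
        SigStatus  = $sig.Status
        Services   = ($svc.Name -join ', ')
        # True when an adapter's DNS entry is this address, or the listener
        # is bound to the wildcard address and therefore answers on it too.
        InUseAsDns = [bool]($loopbackDns |
            Where-Object { $bound -in @($_.DnsServer, '0.0.0.0') })
    }
} | Format-List
```

A listener with InUseAsDns set to True whose Path is empty, or whose SigStatus is anything other than Valid, is the one to investigate before changing the adapter settings back.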

Solution 2: Perform a Clean Boot

If you can’t easily identify the program, performing a Clean Boot can help isolate it:

  1. Press Windows Key + R, type msconfig, and press Enter.
  2. Go to the Services tab, check the box for Hide all Microsoft services, and then click Disable all.
  3. Go to the Startup tab, click Open Task Manager, and then Disable all non-Microsoft programs.
  4. Restart your PC.
  5. If the DNS settings no longer revert, you have confirmed that one of the disabled programs was the culprit. Re-enable them one by one (restarting after each) until the issue reappears to pinpoint the specific program.

Once the controlling application is disabled or uninstalled, you should be able to set and save your network adapter’s DNS address without it being automatically reverted.