TCP/IP Filtering problem on W2KAS

From: Turner, Keith (TurnerL@tea-emh1.army.mil)
Date: 02/04/02


From: "Turner, Keith" <TurnerL@tea-emh1.army.mil>
To: focus-ms@securityfocus.com
Date: Mon, 4 Feb 2002 08:14:39 -0500 


  I've enabled TCP/IP filtering on a W2KAS IIS server. As a result, the
server can no longer use DNS (as a client). According to MSKB Q309798,
"TCP/IP Filtering can filter only inbound traffic. This feature does not
affect outbound traffic or response ports that are created to accept
responses from outbound requests." So, in theory, I should not have to add
*any* ports to the "allowed" list for the IIS server to be able to start a
conversation with a DNS server and receive an answer. I started a capture
with Network Monitor, opened nslookup and fired off a few DNS queries. The
query is making it to the DNS server, which is responding with an answer.
Network Monitor sees this answer, but nslookup never gets it.
 Does anyone have any suggestions on how to get DNS queries working with
TCP/IP filtering? If I remember correctly, this worked fine in NT4.

Thanks,
Keith


