RE: What UDP port to open to enable w2k server to surf the web using domain names
From: Matthew.van.Eerde@hbinc.com
Date: 03/14/02
- Previous message: John R Ellingsworth: "Re: What UDP port to open to enable w2k server to surf the web using domain names"
- Maybe in reply to: Turner, Keith: "RE: What UDP port to open to enable w2k server to surf the web using domain names"
From: Matthew.van.Eerde@hbinc.com To: TurnerL@tea-emh1.army.mil, joseph_tan01@pacific.net.sg, alex@towerrecords.com, KWilliams@sark.com, pnolan01@nycap.rr.com, focus-ms@securityfocus.com Date: Thu, 14 Mar 2002 11:40:37 -0800
If a DNS client asks a DNS server a question, the setup is this:

client:high -> server:53

The response is then

server:53 -> client:high

This doesn't work with IP filtering (you can't filter on the source port), and you wouldn't want to anyway as there are any number of ways for a hacker to set a source port.

A proposed solution: Install DNS Services on the machine. Don't host any zones, just have it be caching-only. Set the IP properties to use 127.0.0.1 as the DNS server. The setup will then be:

127.0.0.1:high -> 127.0.0.1:53 (initial question to the DNS service)
webserver:53 -> rootserver:53 (DNS service looks it up)
rootserver:53 -> webserver:53 (answer comes back in)
127.0.0.1:53 -> 127.0.0.1:high (answer is relayed to the process that needed it)

This should work through IP filtering as 127.0.0.1 is not filtered. (is it?)
> -----Original Message-----
> From: Turner, Keith [mailto:TurnerL@tea-emh1.army.mil]
> Sent: Thursday, March 14, 2002 08:26
> To: 'Joseph Tan'; Zimin, Alex; 'Williams, Kevin'; 'Patrick Nolan'; focus-ms@securityfocus.com
> Subject: RE: What UDP port to open to enable w2k server to surf the web using domain names
>
> UDP does not work well with TCP/IP filtering. I've run into the same thing you have - my solution was to set up a hosts file for the few domain names I needed to resolve. UDP is connectionless, so Win2k does not recognize that the answer from the DNS server, on a random high numbered port, is an answer from the request you sent out a split second ago.
>
> Keith
>
> -----Original Message-----
> From: Joseph Tan [mailto:joseph_tan01@pacific.net.sg]
> Sent: Thursday, March 14, 2002 11:07 AM
> To: Zimin, Alex; 'Williams, Kevin'; 'Patrick Nolan'; focus-ms@securityfocus.com
> Subject: What UDP port to open to enable w2k server to surf the web using domain names
>
> hi all
>
> I have a question and hope that someone can advise me.
>
> I have a w2k web server and have TCP/IP filtering enabled. When I permit only TCP 80, 443 and UDP 53 to pass through, my web server cannot access the web using domain names. Pinging an IP address is successful whereas pinging domain names fails.
>
> But when I permit UDP all, I can surf the web using domain names without any problem. So the question is which UDP port do I need to open to enable my w2k web server to access the web? I thought UDP 53 should be good enough.
>
> regards
>
> Joseph
>
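The port asymmetry Keith and Matthew describe, as an added example that is not code from the thread: a small Python model of a stateless inbound filter that judges only the destination port (as the thread describes Win2k TCP/IP filtering), beside a connection-tracking filter that admits a reply only if it matches an earlier outbound query. Port 1234 is a constructed ephemeral port, and the assumption that the local caching-only DNS service queries upstream from source port 53 is taken from Matthew's "webserver:53 -> rootserver:53" line.

```python
# Added example (not the thread's code): stateless inbound filtering by destination
# port, as the thread describes Win2k TCP/IP filtering, beside a stateful filter.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    inbound: bool   # True if arriving at the web server from the network

# Permitted inbound destination ports, as in Joseph's configuration.
ALLOWED = {"tcp": {80, 443}, "udp": {53}}

def stateless_permits(pkt: Packet) -> bool:
    """Outbound always allowed; inbound judged on destination port only.
    The source port is never consulted (the sender chooses it freely)."""
    return (not pkt.inbound) or pkt.dst_port in ALLOWED.get(pkt.proto, set())

def dns_exchange(client_port: int) -> list:
    """Query from client_port to a remote DNS server's port 53, then its reply."""
    return [Packet("udp", client_port, 53, inbound=False),
            Packet("udp", 53, client_port, inbound=True)]

def stateless_reply_passes(client_port: int) -> bool:
    """True if both halves of a DNS exchange from client_port get through.
    A stub resolver uses an ephemeral port (e.g. 1234) and its reply is dropped; the
    local caching-only DNS service queries upstream from port 53 (Matthew's diagram),
    so its reply is addressed to port 53 and admitted."""
    return all(stateless_permits(p) for p in dns_exchange(client_port))

class StatefulFilter:
    """Remembers each outbound (proto, remote port, local port) and admits the
    exact reverse tuple, so replies pass whatever local port was used."""
    def __init__(self) -> None:
        self.expected: set = set()
    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.expected.add((pkt.proto, pkt.dst_port, pkt.src_port))
            return True
        return ((pkt.proto, pkt.src_port, pkt.dst_port) in self.expected
                or pkt.dst_port in ALLOWED.get(pkt.proto, set()))

def stateful_reply_passes(client_port: int = 1234) -> bool:
    f = StatefulFilter()
    return all(f.permits(p) for p in dns_exchange(client_port))

def stateful_unsolicited_blocked(client_port: int = 1234) -> bool:
    # An unsolicited inbound packet claiming source port 53 is still dropped.
    return not StatefulFilter().permits(Packet("udp", 53, client_port, inbound=True))
```

The stateful model is the property a real firewall in front of the server would provide; the stateless one is why opening "UDP all" was the only thing that made name resolution work in Joseph's setup.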