Re: IPsecpol and DNS lookup question

From: Jane Tunnicliff (jtunn@uwpn.org)
Date: 12/18/02


From: "Jane Tunnicliff" <jtunn@uwpn.org>
Date: Wed, 18 Dec 2002 08:46:20 -0800

Thanks for the replies...

To clarify - I already have an IPSec filter that allows traffic to and from
our DNS servers. DNS resolution is working fine.

I am attempting to add another filter (to a Network Time Protocol server).
The filter works if I set the destination address to an IP address (one of
several NTP server addresses). The filter fails if I set the destination
address to a DNS name. I can see in the GUI, that there is a place to add
a destination DNS name, but I can't figure out how to access that with the
command line tool.

The following line works fine:
ipsecpol -x -w REG -p "IISFilters" -r "NtpOK" -n PASS -f 0+140.142.33.3:123:UDP
I would prefer to have the NTP lookup go to the DNS name (which is a farm of
NTP servers) instead of directing the filter to a single NTP server IP
address.

I can't get this filter to work:
ipsecpol -x -w REG -p "IISFilters" -r "NtpOK" -n PASS -f 0+time.u.washington.edu:123:UDP

I have read all of the syntax in the IPSec .html help document. It seems to
indicate that in static mode a DNS name will resolve to multiple addresses.
I am not sure if I have a syntax error, or if this feature just doesn't
work.

Thanks for any advice.

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:u0JroHqpCHA.2772@TK2MSFTNGP09...
> ... by allowing traffic to UDP and TCP ports 53 on the DNS server, in case
> you needed to know.
>
>
> "Steve Riley (MSFT)" <steriley@microsoft.com> wrote in message
> news:eh9gM3lpCHA.1612@TK2MSFTNGP09...
> > I presume you mean DNS *name* when you say "DNS address." To
> >
> > Remember that the computer will have to perform a DNS lookup if you use DNS
> > names in IPSec filter lists. Make sure that your policy is allowing access
> > to your DNS servers so that name resolution can occur.
> >
> > --
> > --------------------------------
> > Steve Riley
> > MCS Security Consulting Practice
> > steriley@microsoft.com
> > --------------------------------
> >
> >
> > "Jane Tunnicliff" <jtunn@uwpn.org> wrote in message
> > news:e06gzCgpCHA.2444@TK2MSFTNGP10...
> > > I have been using the Win 2K command line IPSec tool, IPsecpol.exe. I
> > > have a filter that is configured to allow traffic to and from a particular
> > > DNS address. I can ping the DNS address successfully (it is a group of
> > > multiple time servers). If I set the filter to allow traffic to and from
> > > the DNS address it fails.
> > > If I set the filter to allow traffic to and from a specific IP address
> > > (within that DNS group), then the filter works just fine.
> > >
> > > We are not running Active Directory DNS within our domain. Does anyone
> > > know if IPSecpol filters, in static mode, can be configured to use a DNS
> > > address instead of an IP address?
> > >
> > > Thanks for any information.
> > >
> > >
> >
> >
>
>
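As an added example (it is not part of this thread and not code from ipsecpol.exe), the script below does the static expansion the help document describes: it resolves the NTP farm's DNS name to its addresses once and emits one 0+A.B.C.D:123:UDP filterspec per address, reusing the policy and rule names from the post. It also compares an installed per-address filter set against a fresh lookup, because a filter set built from a name in static mode is frozen at creation time and does not follow later DNS changes. Assumptions: the resolver answers are constructed sample data (only 140.142.33.3 comes from the post), and -f accepts several space-separated filterspecs.

```python
"""Static expansion of a DNS name into per-address ipsecpol filterspecs.

Added example, not code from the thread or from ipsecpol.exe. The resolver
answers below are constructed for the example; only 140.142.33.3 appears in
the original post.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed stand-in for the DNS answer of the NTP farm (sample data, not a
# real lookup). The duplicate entry shows that expansion deduplicates.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "time.u.washington.edu": ["140.142.33.3", "140.142.33.4", "140.142.33.3"],
}


def sample_resolver(name: str) -> List[str]:
    """Offline resolver returning the constructed answers above."""
    return list(SAMPLE_ANSWERS.get(name, []))


def live_resolver(name: str) -> List[str]:
    """System resolver (needs network); returns the IPv4 answers for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    return [sockaddr[0] for _, _, _, _, sockaddr in infos]


def expand_to_addresses(target: str, resolver: Resolver) -> List[str]:
    """Concrete IPv4 addresses a filter target stands for.

    A literal address is returned as-is. A DNS name is resolved once, the
    answers deduplicated and sorted, so the generated filter set is
    deterministic. Raises ValueError if the name yields no IPv4 address.
    """
    try:
        return [str(ipaddress.IPv4Address(target))]
    except ipaddress.AddressValueError:
        pass  # not a literal address; treat it as a DNS name
    answers = {str(ipaddress.IPv4Address(a)) for a in resolver(target)}
    if not answers:
        raise ValueError(f"{target!r} resolved to no IPv4 address")
    return sorted(answers, key=ipaddress.IPv4Address)


def build_filterspecs(target: str, port: int, proto: str, resolver: Resolver) -> List[str]:
    """One '0+A.B.C.D:port:PROTO' filterspec per address, in the form used in the post."""
    return [f"0+{addr}:{port}:{proto}" for addr in expand_to_addresses(target, resolver)]


def build_ipsecpol_command(policy: str, rule: str, target: str, port: int,
                           proto: str, resolver: Resolver) -> str:
    """Assemble the static-mode command line. Assumes -f takes several
    space-separated filterspecs; the flags are the ones used in the post."""
    specs = " ".join(build_filterspecs(target, port, proto, resolver))
    return f'ipsecpol -x -w REG -p "{policy}" -r "{rule}" -n PASS -f {specs}'


def filter_drift(name: str, installed: List[str],
                 resolver: Resolver) -> Tuple[List[str], List[str]]:
    """Compare installed per-address filters with a fresh lookup of name.

    Returns (stale, missing): addresses still filtered but no longer in DNS,
    and addresses now in DNS that no filter covers. A static filter set
    built from a name is frozen at creation time, so this is the check to
    run periodically.
    """
    current = set(expand_to_addresses(name, resolver))
    have = {str(ipaddress.IPv4Address(a)) for a in installed}
    key = ipaddress.IPv4Address
    return sorted(have - current, key=key), sorted(current - have, key=key)


if __name__ == "__main__":
    # Swap sample_resolver for live_resolver to expand against real DNS.
    print(build_ipsecpol_command("IISFilters", "NtpOK", "time.u.washington.edu",
                                 123, "UDP", sample_resolver))
    print(filter_drift("time.u.washington.edu", ["140.142.33.3"], sample_resolver))
```

With the sample data this prints one command carrying two filterspecs (140.142.33.3 and 140.142.33.4) and reports 140.142.33.4 as an address that the single-IP filter from the post does not cover; pass live_resolver instead of sample_resolver to expand against the real name.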
