Re: DNS & using the TCP/IP FIlter
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/23/04
- Previous message: Lanwench [MVP - Exchange]: "Re: DNS & using the TCP/IP FIlter"
- In reply to: Glenn: "DNS & using the TCP/IP FIlter"
Date: Wed, 23 Jun 2004 02:11:26 GMT
The problem is that DNS to the Internet DNS servers uses UDP port 53 "outbound", NOT
inbound. Unfortunately UDP IP filtering cannot keep track of the state of a
connection like TCP can. As a result the return traffic to your outbound DNS request
will be to a randomly assigned unprivileged port above 1024, which is blocked by your UDP
IP filtering. You could try entering the first fifty ports above 1024 for UDP and
maybe you will get lucky.

I suggest you use IPsec filtering [using block and permit
filter actions] instead and configure a policy with first a mirrored block of all IP
traffic for UDP, and then add a mirrored permit rule for DNS such as: from any port,
from my IP address, to port 53, to any IP address [or ISP DNS servers if not using
root hints]. The links below explain IPsec policies and filtering more. IPsec
policies do not require rebooting and take effect almost immediately after being
assigned or unassigned.

--- Steve
http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
"Glenn" <type2surf-NO-SPAM@hotmail.com> wrote in message
news:1fd9401c458b5$9e3ae040$a301280a@phx.gbl...
> I have searched the newsgroup for problems similar to
> mine and found someone with virtually the same issues I
> need help with. This person seems to describe it well. It
> was originally posted on Jun 3, 2004....
>
> "We have a Windows 2000 server running IIS for public
> access with 10 public IPs. The router is broken. We would
> like to enable IP filtering to open port 80 for the
> web, 25 and 110 for the mail, and TCP and UDP 53 for the
> DNS (we have only one NIC with all public IPs and use our
> ISP DNS) before replacing the router. Everything looks
> good except DNS. We can ping any public IP but can't ping
> the web name like yahoo.com. Nslookup gets the time out
> too. Which ports do we need to open except TCP and UDP 53?
> Or do we miss some things?"
>
> Can someone please explain this and what it might be.
> Another symptom is that if I turn off the IP filtering
> (leave it wide open) everything works great. Please help
> as I really don't like to leave this server in this
> insecure way.
> Thanks for your help,
>
> Glenn
>
>
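The behaviour Steve describes, modelled as an added example that is not part of the original thread: a stateless, inbound-only port filter (the Windows 2000 TCP/IP Filtering feature) is compared with an IPsec-style policy built from mirrored block/permit filters, on a constructed DNS query and its reply. The addresses, the ephemeral port 3045, the probe packet and the "most specific matching filter wins, no match means pass" rule are assumptions made for illustration; the point is that the reply to an outbound DNS query arrives at an ephemeral destination port, which a filter keyed only on inbound destination port cannot anticipate, whereas the mirror of "from my IP, any port, to any IP, port 53" matches exactly that reply and nothing else.

```python
"""Stateless UDP filtering vs. mirrored IPsec-style filters for DNS replies.

Added illustration (not the thread's own code). Addresses, ports and the
'most specific filter wins' ordering are simplifying assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for an address or port field


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Filter:
    proto: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str  # "permit" or "block"

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src_ip in (ANY, p.src_ip)
                and self.src_port in (ANY, p.src_port)
                and self.dst_ip in (ANY, p.dst_ip)
                and self.dst_port in (ANY, p.dst_port))

    def specificity(self) -> int:
        # number of fields that are not wildcards
        fields = (self.src_ip, self.src_port, self.dst_ip, self.dst_port)
        return sum(f is not ANY for f in fields)


def mirrored(f: Filter) -> List[Filter]:
    """A mirrored filter also matches the reverse direction (src/dst swapped)."""
    return [f, Filter(f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.action)]


def tcpip_filtering_allows(p: Packet, my_ip: str, udp_ports: set, tcp_ports: set) -> bool:
    """TCP/IP Filtering as described in the thread: inbound only, matched on the
    destination port, no connection state."""
    if p.dst_ip != my_ip:
        return True  # outbound traffic is never filtered
    allowed = udp_ports if p.proto == "udp" else tcp_ports
    return p.dst_port in allowed


def ipsec_policy_allows(p: Packet, filters: List[Filter]) -> bool:
    """IPsec filter list (assumed semantics): the most specific matching filter
    decides; a packet matching no filter passes."""
    hits = [f for f in filters if f.matches(p)]
    if not hits:
        return True
    return max(hits, key=Filter.specificity).action == "permit"


MY_IP = "203.0.113.10"     # constructed server address
ISP_DNS = "198.51.100.53"  # constructed ISP resolver

# constructed DNS exchange: the query leaves from an ephemeral port, the reply returns to it
QUERY = Packet("udp", MY_IP, 3045, ISP_DNS, 53)
REPLY = Packet("udp", ISP_DNS, 53, MY_IP, 3045)
# constructed unsolicited inbound UDP packet aimed at some other port
PROBE = Packet("udp", "192.0.2.7", 4444, MY_IP, 1434)

# the policy from the reply above: mirrored block-all-UDP, then a mirrored DNS permit
DNS_POLICY = (mirrored(Filter("udp", ANY, ANY, ANY, ANY, "block"))
              + mirrored(Filter("udp", MY_IP, ANY, ANY, 53, "permit")))

WEB_MAIL_DNS_TCP = {80, 25, 110, 53}


def compare() -> dict:
    """Decision of each mechanism for (query, reply, probe)."""
    traffic = (QUERY, REPLY, PROBE)
    fifty_above_1024 = {53} | set(range(1025, 1075))
    return {
        "tcpip_filter_only_53": [tcpip_filtering_allows(p, MY_IP, {53}, WEB_MAIL_DNS_TCP)
                                 for p in traffic],
        "tcpip_filter_plus_50": [tcpip_filtering_allows(p, MY_IP, fifty_above_1024, WEB_MAIL_DNS_TCP)
                                 for p in traffic],
        "ipsec_mirrored": [ipsec_policy_allows(p, DNS_POLICY) for p in traffic],
    }


if __name__ == "__main__":
    for name, (q, r, x) in compare().items():
        print(f"{name:22s} query={q} reply={r} probe={x}")
```

Running it shows the query leaving under every mechanism, the reply dropped by the port filter even with fifty extra ports opened (the ephemeral port happens to be 3045), and only the mirrored IPsec permit accepting the reply while still blocking the unsolicited probe.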