Re: DNS & using the TCP/IP Filter

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Wed, 23 Jun 2004 02:11:26 GMT


The problem is dns to the internet dns servers uses udp port 53 "outbound" NOT
inbound. Unfortunately udp IP filtering cannot keep track of the state of a
connection like tcp can. As a result the return traffic to your outbound dns request
will be a randomly assigned above 1024 unprivileged port which is blocked by your udp
IP filtering. You could try entering the first fifty ports above 1024 for udp and
maybe you will get lucky. I suggest you use ipsec filtering [using block and permit
filter actions] instead and configure a policy with first a mirrored block all IP
traffic for udp and then add a mirrored permit rule for dns such as: from any port,
from my IP address, to port 53, to any IP address [or ISP dns servers if not using
root hints]. The link below explains ipsec policies and filtering more. Ipsec
policies do not require rebooting and take effect almost immediately after being
assigned or unassigned. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

"Glenn" <type2surf-NO-SPAM@hotmail.com> wrote in message
news:1fd9401c458b5$9e3ae040$a301280a@phx.gbl...
> I have searched the news group for problems similar to
> mine and found someone with virtually the same issues I
> need help with. This person seems to describe it well. It
> was originally posted on Jun 3 2004....
>
> "We have a Windows 2000 server running IIS for public
> access with 10 public IPs. The router is broken. We would
> like to enable IP filtering to open the port 80 for the
> web, 25 and 110 for the mail, and TCP and UDP 53 for the
> DNS (we have only one NIC with all public IPs and use our
> ISP DNS) before replacing the router. Everything looks
> good except DNS. We can ping any public IP but can't ping
> the web name like yahoo.com. Nslookup gets the time out
> too. Which ports do we need to open except TCP and UDP 53?
> Or do we miss some things?"
>
> Can someone please explain this. What it might be.
> Another symptom is that if I turn off the IP filtering
> (leave it wide open) everything works great. Please help
> as I really don't like to leave this server in this
> insecure way.
> Thanks for your help,
>
> Glenn

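Steve's point, that a stateless UDP port list drops the reply to an outbound DNS query while a mirrored IPsec permit lets it back in, as an added Python model of the two filters (not code from the post; the addresses, the ephemeral port 1079, the "most specific filter wins" rule and the UDP-only scope are constructed assumptions). The same query/response pair is run through a port-list filter and through the block-all-plus-mirrored-permit policy he describes.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (not from the post): the server and its ISP resolver.
MY_IP, ISP_DNS = "203.0.113.10", "198.51.100.53"

Packet = namedtuple("Packet", "src sport dst dport")

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "block"
    src: Optional[str] = None     # None means "any"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    mirrored: bool = False        # also match the reply direction

def stateless_udp_filter(pkt: Packet, inbound_ports: set) -> bool:
    # TCP/IP filtering model: inbound UDP passes only if its destination port is
    # listed; nothing remembers that an outbound request went out.
    if pkt.dst != MY_IP:          # outbound datagrams are never filtered
        return True
    return pkt.dport in inbound_ports

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    def fits(src, sport, dst, dport):
        return (src in (None, pkt.src) and sport in (None, pkt.sport)
                and dst in (None, pkt.dst) and dport in (None, pkt.dport))
    return (fits(rule.src, rule.sport, rule.dst, rule.dport)
            or (rule.mirrored and fits(rule.dst, rule.dport, rule.src, rule.sport)))

def ipsec_policy(pkt: Packet, rules: list) -> bool:
    # Assumed IPsec filter semantics: the most specific matching filter decides.
    hits = [r for r in rules if rule_matches(r, pkt)]
    if not hits:
        return True               # nothing matches: traffic is left alone
    best = max(hits, key=lambda r: sum(f is not None for f in (r.src, r.sport, r.dst, r.dport)))
    return best.action == "permit"

# Steve's policy: mirrored block on all UDP, then a mirrored permit for DNS to the ISP resolver.
DNS_POLICY = [Rule("block", mirrored=True),
              Rule("permit", src=MY_IP, dst=ISP_DNS, dport=53, mirrored=True)]

# One lookup: the query leaves from an ephemeral port and the answer comes back to it.
QUERY = Packet(MY_IP, 1079, ISP_DNS, 53)
RESPONSE = Packet(ISP_DNS, 53, MY_IP, 1079)

def dns_works(filter_fn) -> bool:
    return filter_fn(QUERY) and filter_fn(RESPONSE)
```

Opening "the first fifty ports above 1024" only helps when the ephemeral port happens to land in that range, which is the luck Steve refers to; the mirrored permit instead admits replies only from the resolver's port 53, so an unsolicited datagram to the same ephemeral port still hits the block rule.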
