Re: DNS & using the TCP/IP Filter

From: Steven L Umbach (
Date: 06/23/04

  • Next message: Harvey McReynolds: "Re: Sufficient Security Privileges"
    Date: Wed, 23 Jun 2004 02:11:26 GMT

    The problem is dns to the internet dns servers uses udp port 53 "outbound" NOT
    inbound. Unfortunately udp IP filtering cannot keep track of the state of a
    connection like tcp can. As a result the return traffic to your outbound dns request
    will be to a randomly assigned unprivileged port above 1024, which is blocked by your udp
    IP filtering. You could try entering the first fifty ports above 1024 for udp and
    maybe you will get lucky. I suggest you use ipsec filtering [using block and permit
    filter actions] instead and configure a policy with first a mirrored block all IP
    traffic for udp and then add a mirrored permit rule for dns such as: from any port,
    from my IP address, to port 53, to any IP address [or ISP dns servers if not using
    root hints]. The link below explains ipsec policies and filtering more. Ipsec
    policies do not require rebooting and take effect almost immediately after being
    assigned or unassigned. --- Steve

    "Glenn" <> wrote in message
    > I have searched the news group for problems similar to
    > mine and found someone with virtually the same issue I
    > need help with. This person seems to describe it well. It
    > was originally posted on Jun 3 2004....
    > "We have a Windows 2000 server running IIS for public
    > access with 10 public IPs. The router is broken. We would
    > like to enable IP filtering to open port 80 for the
    > web, 25 and 110 for the mail, and TCP and UDP 53 for the
    > DNS (we have only one NIC with all public IPs and use our
    > ISP DNS) before replacing the router. Everything looks
    > good except DNS. We can ping any public IP but can't ping
    > the web name. Nslookup gets the time out
    > too. Which ports do we need to open except TCP and UDP 53?
    > Or do we miss some things?"
    > Can someone please explain this, what it might be.
    > Another symptom is that if I turn off the IP filtering
    > (leave it wide open) everything works great. Please help
    > as I really don't like to leave this server in this
    > insecure way.
    > Thanks for your help,
    > Glenn
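As an added illustration of Steve's point (example code written for this page, not from the thread or from Windows itself): a small model of a stateless port allow-list versus a mirrored IPsec permit filter, run against a DNS query and its reply. The addresses are constructed, and the two filters are simplified models (IPsec is modelled as "the most specific matching filter decides").

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

SERVER = "203.0.113.10"     # constructed: the server's own public address ("me")
RESOLVER = "198.51.100.53"  # constructed: the ISP's DNS server

def tcpip_filter_allows(inbound, permitted_udp_ports):
    """Stateless TCP/IP Filtering: inbound UDP passes only to a listed local port."""
    return inbound.dst_port in permitted_udp_ports

@dataclass(frozen=True)
class MirroredFilter:
    src_ip: str    # address or "any"
    src_port: int  # 0 = any port
    dst_ip: str
    dst_port: int
    action: str    # "permit" or "block"

    def matches(self, p):
        def hit(sip, sport, dip, dport):
            return ((sip == "any" or p.src_ip == sip) and (sport == 0 or p.src_port == sport)
                    and (dip == "any" or p.dst_ip == dip) and (dport == 0 or p.dst_port == dport))
        # "mirrored": the filter also matches the exact reverse of itself
        return (hit(self.src_ip, self.src_port, self.dst_ip, self.dst_port)
                or hit(self.dst_ip, self.dst_port, self.src_ip, self.src_port))

    def weight(self):
        # more non-wildcard fields = more specific filter
        return sum(v not in ("any", 0) for v in (self.src_ip, self.src_port, self.dst_ip, self.dst_port))

def ipsec_allows(p, filters):
    """Simplified IPsec policy: most specific matching filter wins; unmatched traffic is untouched."""
    hits = [f for f in filters if f.matches(p)]
    if not hits:
        return True
    return max(hits, key=MirroredFilter.weight).action == "permit"

POLICY = [
    MirroredFilter(SERVER, 0, "any", 0, "block"),    # mirrored block of all UDP to/from me
    MirroredFilter(SERVER, 0, "any", 53, "permit"),  # mirrored permit: me, any port -> any, port 53
]

def dns_reply(ephemeral_port):
    """The resolver's answer to a query the server sent from an ephemeral source port."""
    return Packet(RESOLVER, 53, SERVER, ephemeral_port)
```

With only UDP 53 permitted, the reply to port 3072 is dropped; listing ports 1025-1074 helps only if the stack happens to pick one of them, while the mirrored IPsec permit passes the reply on any port and still blocks unrelated inbound UDP.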
