Re: TCP/IP Packet Filtering

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/06/04


Date: Tue, 06 Jul 2004 09:25:59 -0400

First off note that UDP is connectionless. It is all fire and forget. No stream
as it were for the firewall to maintain state on.

Second... You would think everything was fine by looking at that part of the
trace unless you realized that the filter was making it so the OS didn't respond
to the 3513 inbound...

What you will notice is that even though a positive response came back, the
machine would ask a couple more times for that address to be resolved and
depending on your configuration would start to broadcast or ask WINS for help.

Basically it would look like it was ignoring the IP address that the name was
being resolved to and that is EXACTLY what is happening.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Steven L Umbach wrote:
> Hi Jim.
> 
> FYI. I have pasted a capture from Ethereal so you can see the sequence that
> caused you grief. I modified the output screen to show unresolved source and
> destination ports. I am not sure how good it will look in a paste but here
> goes. This is an example on a capture just before I opened my web browser
> which has a home page of Foxnews.com and my internal lan IP address is
> 192.168.1.105. Notice my computer using a source port of 3513 to a
> destination port of 53 and the response of the dns server from port 53 back
> to port 3513. It would be the port 3513 udp in this example that would be
> blocked by the udp port filtering. Keep in mind that W2K dns client caches
> recent dns queries including failures. So if you do any testing in the
> future, always use the command " ipconfig /flushdns" to clear the dns client
> cache first.  --- Steve
> 
> 
> Source           Destination     Protocol  Src port  Dst port  Info
> 192.168.1.105    202.12.27.33    DNS       3513      53        Standard query A www.foxnews.com
> 202.12.27.33     192.168.1.105   DNS       53        3513      Standard query response
> 
> "Jim Bohan" <Thread7@hotmail.com> wrote in message
> news:49c7cba4.0407042158.181c5059@posting.google.com...
> 
>>Joe,
>>
>>Well he gave me the fish, but I did learn.  I could find no
>>documentation telling me Steve's statement - "IP udp filtering is
>>useless for using dns as you need to configure the policy to allow the
>>above 1024 ports for return traffic from the external dns server to
>>your computer which is not practical."  After hours trying to figure
>>out why the UDP traffic wasn't coming through I was at a dead end and
>>finally had to ask some "experts" such as yourselves.  Great response
>>guys.
>>
>>Thread7
> 
> 
> 
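The behaviour Joe and Steve describe above, as an added example that is not part of the original thread: a small Python model of a stateless inbound UDP port filter beside a pseudo-stateful one, run over the two datagrams from Steve's capture (re-typed here as constructed data). The `UdpPacket` class, the two filters and the `compare` helper are this example's own names, not any Windows API.

```python
"""Stateless vs. pseudo-stateful UDP filtering on the DNS exchange from the
capture: the reply to port 3513 is dropped by a static allow-list filter."""
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the datagram arrives at the host from the network


# The two datagrams shown in the Ethereal capture (constructed from the post).
CAPTURE = [
    UdpPacket("192.168.1.105", 3513, "202.12.27.33", 53, inbound=False),
    UdpPacket("202.12.27.33", 53, "192.168.1.105", 3513, inbound=True),
]


def stateless_filter(pkt, allowed_inbound_ports=frozenset({53})):
    """Model of W2K-style TCP/IP filtering: inbound UDP is admitted only when
    the local (destination) port is on the allow list; outbound is not filtered."""
    if not pkt.inbound:
        return True
    return pkt.dport in allowed_inbound_ports


class StatefulUdpFilter:
    """Remembers outbound datagrams so the matching reply (addresses and ports
    swapped) is admitted without opening every port above 1024."""

    def __init__(self, allowed_inbound_ports=frozenset()):
        self.allowed = set(allowed_inbound_ports)
        self.pending: Set[Tuple[str, int, str, int]] = set()

    def check(self, pkt):
        if not pkt.inbound:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.pending:
            self.pending.discard(flow)  # one reply per outstanding query
            return True
        return pkt.dport in self.allowed  # unsolicited inbound: static list only


def compare(capture=CAPTURE):
    """Return the per-packet verdicts of both filters over the capture."""
    stateful = StatefulUdpFilter()
    return {"stateless": [stateless_filter(p) for p in capture],
            "stateful": [stateful.check(p) for p in capture]}
```

With the stateless filter the query leaves but the answer is dropped, which is exactly the "ignoring the resolved address" symptom; the stateful model admits the answer and still drops an unsolicited datagram to 3513.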

