Re: LSASS.EXE Outbound on Port 53?
From: Herb Martin (news_at_LearnQuick.com)
Date: 03/07/05
- In reply to: anonymous_at_discussions.microsoft.com: "Re: LSASS.EXE Outbound on Port 53?"
Date: Sun, 6 Mar 2005 23:16:51 -0600
<anonymous@discussions.microsoft.com> wrote in message
news:4efb01c5227d$25d29020$a401280a@phx.gbl...
> So, if I understand correctly, there are two things I
> should do:
>
> 1.) LSASS.EXE has no legitimate purpose outside of our
> network.
Generally true.
> A separate problem is suggested by this:
> External DNS servers should not be specified in the DC's
> network config. I will remove these.
Even more true than #1 -- internal DNS clients must
use STRICTLY internal DNS servers -- DCs and other
servers are DNS clients too.
> 2.) LSASS.EXE has legitimate need for port 53 and therefore
> should be permitted use. This is corroborated by Netlogon
> warnings, "Dynamic registration failed because no DNS
> servers are available."
It has a need to register by contacting the DNS server
on port 53 as a DESTINATION (if the same machine
is a DNS server, which is common for DCs, then it will
also -- AS THE DNS SERVER -- need to allow this
incoming as the destination.)
Even with the above, it is POSSIBLE that the client will
attempt to register its REVERSE record with the (likely
non-existent) external zones for the locally administered
addresses you use -- this can mean that the internal DNS
servers will attempt to find the reverse of 192.168.x, 10.x,
or 172.16-32.x EVEN if the client is set to correctly
let them do the searching.
You stop the latter by creating the reverse zones, even if
you choose to leave them empty -- although there is little
reason not to just make them dynamic too and let the
machines register.
--
Herb Martin

>
> Sound good?
>
> Thank you, all!
>
> >-----Original Message-----
> >The Netlogon process regularly touches the DNS records of
> >the DC if dynamic updates are in use. I thought that this ran
> >in the context of lsa. If this is the origin, then the traffic will
> >be directed to the/a DNS server that is the/a primary for the
> >zone of that DC's DNS domain. There are some checks that
> >can happen on trigger, such as running netdiag, that cause
> >all DNS servers listed to be examined to check for consistency.
> >Netlogon writes a file, netlogon.dns, which contains the current
> >list of records it believes it needs to make sure exist, and no
> >others, for that DC.
> >If it is the update process checking, then you will see this on
> >a regular schedule, IIRC at one hour for a DC if the records are
> >as they should be, sooner if it is frantic about being unable to
> >make them as they should be.
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:450201c52117$1870b090$a601280a@phx.gbl...
> >> Does LSASS.EXE have a legitimate reason to communicate on
> >> port 53 (DNS)? Outside of my network?!
> >>
> >> I am auditing port 53 on my domain controller and was
> >> surprised to see outbound traffic from LSASS.EXE. The
> >> destinations include all of the DNS servers specified in
> >> the server's TCP/IP settings. [One of those is the
> >> server's own IP. The other two are fail-over DNS servers
> >> located outside of our network.] What is LSASS.EXE looking
> >> for? And why is it using port 53? [I mean, it isn't
> >> actually performing DNS lookups, is it?]
> >>
> >> Any advice is greatly appreciated.
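A small check for the two points made in the reply above (a DC's DNS client list must contain only internal servers, and reverse zones should exist for the private ranges in use), written as an added example for this thread and not taken from any post in it; the host data is constructed, and naming reverse zones on /8, /16 or /24 octet boundaries is an assumption about how the zones are created.

```python
"""Audit a DC's DNS client settings against the advice in the thread."""
import ipaddress

# The RFC 1918 blocks the reply refers to (10.x, 172.16-31.x, 192.168.x).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def external_dns_servers(dns_servers, internal_networks):
    """Configured DNS servers that sit outside every internal network
    (these are the ones a DC should never be pointed at)."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    return [s for s in dns_servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def reverse_zone_name(network):
    """in-addr.arpa zone covering an IPv4 subnet.
    Assumption: zones are cut on octet boundaries (/8, /16, /24)."""
    net = ipaddress.ip_network(network)
    kept = net.prefixlen // 8  # leading octets that identify the zone
    if kept == 0 or net.prefixlen % 8:
        raise ValueError(f"{network}: reverse zone must sit on an octet boundary")
    octets = str(net.network_address).split(".")[:kept]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def missing_reverse_zones(local_networks, existing_zones):
    """Reverse zones for private subnets in use that the internal DNS
    server does not host yet; without them, reverse registrations for
    these addresses are chased out to external servers."""
    needed = set()
    for n in local_networks:
        net = ipaddress.ip_network(n)
        if any(net.subnet_of(b) for b in PRIVATE_BLOCKS):
            needed.add(reverse_zone_name(n))
    return sorted(needed - set(existing_zones))


# Constructed sample: the DC's own address plus two "fail-over" DNS
# servers outside the network, as described in the original question.
DC_DNS_SERVERS = ["192.168.1.10", "198.51.100.5", "203.0.113.9"]
INTERNAL_NETS = ["192.168.0.0/16", "10.0.0.0/8"]
LOCAL_SUBNETS = ["192.168.1.0/24", "10.20.0.0/16"]
EXISTING_REVERSE_ZONES = ["1.168.192.in-addr.arpa"]

if __name__ == "__main__":
    print("remove from DC DNS list:", external_dns_servers(DC_DNS_SERVERS, INTERNAL_NETS))
    print("reverse zones to create:", missing_reverse_zones(LOCAL_SUBNETS, EXISTING_REVERSE_ZONES))
```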