Re: DNS/port filter prob on Win2k webserver
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/21/04
- Next message: Scott Harding - MS MVP: "Re: Need a new reverse lookup zone"
- Previous message: Sneakie: "dns on win2000 on NT4 domain"
- In reply to: JBowler: "DNS/port filter prob on Win2k webserver"
- Next in thread: Kevin D. Goodknecht Sr. [MVP]: "Re: DNS/port filter prob on Win2k webserver"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Jun 2004 17:36:11 GMT
That is the nature of IP filtering for udp - it does not keep track of the state of the connection and realize that inbound traffic to the above 1024 unprivileged port to your computer from port 53 from the external dns server is a response packet, and it is therefore blocked. Ipsec filtering can be used to manage udp traffic in your situation. Create an ipsec policy with a default "block all" mirrored rule for udp traffic and then add the exception for dns udp, as in a rule that would be mirrored and allow all traffic to port 53, from any port, from "my computer" to any computer [or particular dns servers]. The link below is an example of how to use ipsec filtering. A nice thing about ipsec policies is they take effect almost immediately after being assigned or unassigned and do not require a reboot.

--- Steve

http://www.securityfocus.com/infocus/1559
"JBowler" <none@none.none> wrote in message
news:e0DIGG3VEHA.2196@TK2MSFTNGP10.phx.gbl...
> We have Win2k server hosting many websites. We are having a problem when
> trying to ping/dnslookup and resolve any domains from the server. We have
> found the problem to be the IP/UDP filtering on the network card. We have
> only ports 80, 21, and 53 open for traffic both TCP and UDP. DNS (port 53)
> should use the forwarder configured to the master BIND DNS server for domain
> resolution but it will not work. It keeps trying to resolve locally because
> it can not make a successful query to the master DNS server. We have even
> bound the IP address of the master DNS server to the network card so it will
> resolve naturally from there. After a lot of trial and error we have found
> that if we unfilter all UDP ports the DNS works correctly.
>
> Does anyone know why this is? Can anyone provide any idea as to how we may
> overcome this? I read a MS KB - 268674 and it was talking about DHCP and
> DNS working together. We can't put DHCP on a live webserver for obvious
> reasons but may use it on the second network card for 192.196.xxx as a dummy
> network. Anyone have any thoughts about a second UDP port that needs
> opening? The obvious answer is to have a firewall that blocks all traffic
> etc, etc. We do but with a server farm we also have IP security on each
> server. Any help is appreciated.
>
> JBowler
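To make the difference concrete, here is an added example (not code from the thread, from Steve, or from Windows itself) modelling the two filters Steve contrasts: the NIC's inbound-only TCP/IP port filter versus an IPsec filter list with a default block rule and a mirrored DNS exception. The addresses, the UdpPacket and IpsecRule classes, and the most-specific-filter-wins ordering are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

MY_IP = "192.0.2.10"          # constructed address standing in for the web server
DNS_SERVER = "198.51.100.53"  # constructed address for the forwarder (master BIND)

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def tcpip_filter_allows(pkt: UdpPacket, permitted_udp_ports: set) -> bool:
    """Win2k NIC 'TCP/IP filtering': inbound only, keyed on destination port, stateless."""
    if pkt.dst_ip != MY_IP:   # outbound traffic is not filtered at all
        return True
    return pkt.dst_port in permitted_udp_ports

@dataclass(frozen=True)
class IpsecRule:
    """One IPsec filter; None means 'any computer' / 'any port'."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str               # "PERMIT" or "BLOCK"
    mirrored: bool = True     # also match the packet with source and destination swapped

    def _hit(self, a_ip, a_port, b_ip, b_port, p: UdpPacket) -> bool:
        return (a_ip in (None, p.src_ip) and a_port in (None, p.src_port)
                and b_ip in (None, p.dst_ip) and b_port in (None, p.dst_port))

    def matches(self, p: UdpPacket) -> bool:
        fwd = self._hit(self.src_ip, self.src_port, self.dst_ip, self.dst_port, p)
        return fwd or (self.mirrored and
                       self._hit(self.dst_ip, self.dst_port, self.src_ip, self.src_port, p))

    def specificity(self) -> int:  # assumption: the most specific matching filter wins
        return sum(f is not None for f in (self.src_ip, self.src_port, self.dst_ip, self.dst_port))

def ipsec_allows(pkt: UdpPacket, rules: list) -> bool:
    hits = [r for r in rules if r.matches(pkt)]
    # Traffic matching no filter is left alone; otherwise the most specific rule decides.
    return (not hits) or max(hits, key=IpsecRule.specificity).action == "PERMIT"

# Steve's policy: default mirrored block-all UDP rule, plus the DNS exception
# (my computer, any port -> any computer, port 53, mirrored).
STEVE_POLICY = [IpsecRule(None, None, None, None, "BLOCK"),
                IpsecRule(MY_IP, None, None, 53, "PERMIT")]
```

Note that Steve's mirrored rule only permits queries originating from the server itself; a server that also answers DNS queries on port 53 would need a separate rule for inbound queries.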