Re: Issue with port blocking on public DNS server




WimVM wrote:
Hello,

I have two public DNS servers running Windows 2003 Web Edition SP1.
They are used as DNS server for hosting public domain names. On the
same servers I have a mailserver running (MailEnable). I also do port
filtering on the public network card (advanced options of the NIC).

I have these ports open:
- TCP: 25/53/110
- UDP: 53
- IP: 6/8/17

Everything works fine, except that I can not resolve external domain
names (other than the domain names in my own DNS server) on the
servers. This is of course a requirement for the mail server...

When I scan the ports used by DNS I note that it is not only using
ports TCP 53 and UDP 53 but also dynamically assigned ports: 2 UDP and 1 TCP.
They are mostly something like 1028 (TCP) and 1025/1026/1027 (UDP).
The problem is of course that I can not block the ports in this way.
As soon as the ports change (after a reboot?), name resolution
will fail.

How can I solve this? How can I still use port filtering and resolve
domain names without any problems?

Packet filtering on the interface does not work as expected if you make
outbound connections from the machine. The interface packet filtering blocks
ports outbound as well as inbound. If this server is only used for DNS and
no outbound connections, including web browsing, are made from this machine,
you can force DNS to send on port 53.

813965 - Description of DNS registry entries in Windows 2000 Server, part 3
of 3: http://support.microsoft.com/default.aspx?kbid=813965

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
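As an added example (not part of the thread), a PowerShell helper that lists the ports dns.exe is actually bound to, which is what WimVM saw in his port scan, and reads or sets the DNS Server SendPort registry value that KB 813965 describes. It assumes PowerShell 3.0 or later, administrative rights on the DNS server, and that the service runs as dns.exe; the netstat parsing is my own.

```powershell
# Added example, not from the original thread. Assumes PowerShell 3+ and
# an elevated session on the DNS server itself.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsListeningPorts {
    # netstat -ano prints every local endpoint with its owning PID;
    # keep only rows owned by dns.exe so the dynamic ports become visible.
    $dnsPids = Get-Process -Name dns -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Id
    if (-not $dnsPids) { return @() }
    netstat -ano | ForEach-Object {
        $f = ($_ -split '\s+') | Where-Object { $_ -ne '' }
        # UDP rows have 4 fields (no state column), TCP rows have 5;
        # the PID is always the last field. Header rows are skipped.
        if ($f.Count -ge 4 -and ($f[0] -eq 'TCP' -or $f[0] -eq 'UDP')) {
            $owner = [int]$f[-1]
            if ($dnsPids -contains $owner) {
                [pscustomobject]@{
                    Proto     = $f[0]
                    LocalPort = [int](($f[1] -split ':')[-1])   # works for [::]:53 too
                    PID       = $owner
                }
            }
        }
    } | Sort-Object Proto, LocalPort -Unique
}

function Get-DnsSendPort {
    # Absent value means the default: the server picks a dynamic source port.
    $v = Get-ItemProperty -Path $DnsParams -Name SendPort -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.SendPort
}

function Set-DnsSendPort {
    param([ValidateRange(0, 65535)][int]$Port)
    # SendPort = 53 makes outbound queries leave from a fixed, filterable port.
    # Caveat: a fixed source port is predictable, which weakens the source-port
    # randomisation that MS08-037 introduced against cache poisoning. Pass 0 to
    # remove the pin and restore the default behaviour.
    New-ItemProperty -Path $DnsParams -Name SendPort -PropertyType DWord `
                     -Value $Port -Force | Out-Null
    Restart-Service -Name DNS   # the value is read at service start-up
}

# Usage: compare the bound ports before and after pinning the send port.
Get-DnsListeningPorts | Format-Table -AutoSize
"Current SendPort: $(Get-DnsSendPort)"
```

Run `Get-DnsListeningPorts` again after `Set-DnsSendPort 53` to confirm the extra dynamic ports are gone before tightening the interface filter.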




