Ports other than 53 required for proper DNS operation????

Frank Ricciardi
Jan 4, 2008, 6:56:07 PM
Situation (thanks for any help)

server 2003
DNS (no AD integration)
hosting DNS for multiple domains
when we configure TCP filtering to allow only port 53 (TCP/UDP) for security
of the server, DNS ceases to function
Will not answer queries, will not refresh hints from the root servers, no
errors in logs.

Once we open TCP/IP up w/o filters all is well.

Very strange

Ace Fekay [MVP]
Jan 4, 2008, 9:59:30 PM
In news:367C0CF6-7BF4-4840...@microsoft.com,
Frank Ricciardi <FrankRi...@discussions.microsoft.com> typed:

You also need UDP 53.

Question, do you also have a firewall? If so, for Windows 2003 and newer, the
firewall needs to support EDNS0. If you do, what type of firewall do you
have?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations


Frank Ricciardi
Jan 4, 2008, 11:05:01 PM
Thanks for your post

Port 53 is opened for TCP and UDP.

No hardware firewall, which is why I want to close all unnecessary ports.

Windows firewall turned off

Still not working

Ace Fekay [MVP]
Jan 5, 2008, 1:14:10 AM
In news:3B4D4734-766E-45EA...@microsoft.com,
Frank Ricciardi <FrankRi...@discussions.microsoft.com> typed:

> Thanks for your post
>
> Port 53 is opened for TCP and UDP.
>
> No hardware firewall, which is why I want to close all unnecessary
> ports.
>
> Windows firewall turned off
>
> Still not working

Is this an internal machine for internal use or for outside ONLY use?
Hosting your external public record on this box, if that is its sole
intention, you only need the above two ports. However, if internal Windows to
Windows communication, then it is a whole different ballpark. You also need
a host of other ports for communication, especially AD domain communication,
such as RPC, LDAP, Kerberos, etc. Keep in mind, an internal Windows client
will initiate a query on a port using UDP >1023, although the response will
be on UDP 53.

http://books.google.com/books?id=-xPY_kqTwUwC&pg=RA1-PA542&lpg=RA1-PA542&dq=dns+udp+1023+and+above+for+the&source=web&ots=xJtro1ZMvX&sig=T9Jd8OHMXzAuNEIu1zHtdH6TZBU

http://library.mobrien.com/Manuals/MPRM_Group/dns_notes.html

http://linuxgazette.net/issue50/tag/1.html

So it depends on what this server's overall role is.

Ace

DevilsPGD
Jan 5, 2008, 1:25:13 AM
In message <367C0CF6-7BF4-4840...@microsoft.com> Frank
Ricciardi <FrankRi...@discussions.microsoft.com> wrote:

Also keep in mind that you need to allow traffic both TO *and* FROM port
53, both TCP *and* UDP being needed.

Frank Ricciardi
Jan 5, 2008, 8:12:02 AM
Thanks to both of you.

This machine is an external only server. No ties to Windows domains or AD at
all. It is not a DC.

In fact it is physically located in a colocation center and serves email,
web and DNS for our clients.

Oddly, when I enable the TCP filtering I can't even get DNS to work while
logged directly into the server in question via RDP. All queries fail until I
open up all the ports again.

Ace Fekay [MVP]
Jan 5, 2008, 11:00:27 AM
In news:53C30429-DABA-410A...@microsoft.com,
Frank Ricciardi <FrankRi...@discussions.microsoft.com> typed:

> Thanks to both of you.
>
> This machine is an external only server. No ties to Windows domains
> or AD at all. It is not a DC.
>
> In fact it is physically located in a colocation center and serves
> email, web and DNS for our clients.
>
> Oddly, when I enable the TCP filtering I can't even get DNS to work
> while logged directly into the server in question via RDP. All queries
> fail until I open up all the ports again.

That's because local communication requires RPC and other authenticating
ports as I mentioned. You may be better off creating an IPSec policy to
control traffic based on ports AND source/destination IPs.

Ace


Frank Ricciardi
Jan 5, 2008, 11:08:00 AM
Not following you.

DNS should be straight TCP/IP on port 53, correct?

Ace Fekay [MVP]
Jan 6, 2008, 2:06:53 AM
In news:F66589A9-7FA3-4789...@microsoft.com,
Frank Ricciardi <FrankRi...@discussions.microsoft.com> typed:

> Not following you.
>
> DNS should be straight TCP/IP on port 53, correct?

UDP first, then TCP. With the original RFCs, it defines it as when the
response is greater than 512 bytes. Like some zones that have a large amount
of data in the response packet, it reverts to TCP. With EDNS0, a new RFC
that came out that Windows 2003 adopted, UDP now goes up to 1280 bytes. This
was implemented to make the response more efficient and quicker with zones
that have large data.

BUT

With Windows communication within a network, or even on the local server,
there's more that goes on than a simple Windows to Windows session, even
if it's DNS, RPC is used. RPC also requires authentication, which requires
certain ports. If in a domain, the port requirements increase. Even on the
same machine, if the IP address in IP properties says to use itself, it will
use RPC. With Windows to Windows, an ephemeral port is used by the querying
client. What is an ephemeral port? Simply a random port 1024 and above. Run a
sniffer and you can see the traffic.

Read the results in this search to see what I'm talking about:
http://www.google.com/search?hl=en&rls=GGLR,GGLR:2006-06,GGLR:en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=ephemeral+port&spell=1

If across the Internet, UDP and TCP 53 alone will work, but not locally.
Period. Then EDNS0 comes into play. If a firewall does not allow DNS UDP
packet sizes beyond 512, then the response will not go across it.

If you want to test it locally, use nslookup, which is pure UDP, then TCP
depending on the size of the response packet. Pinging locally will revert to
the ephemeral ports, then authentication, etc.

I hope that helps.

Ace
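
As an added illustration of the behaviour described above (UDP first, TCP only when the reply is truncated, and the EDNS0 OPT record advertising a larger UDP size), here is example code written for this thread, not code from any poster or from Windows DNS. It assumes the 1280-byte figure quoted above for the EDNS0 advertisement and uses a constructed truncated reply as sample input.

```python
import struct

def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compression-pointer) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += n + 1

def build_query(name, qtype=1, udp_payload_size=1280, txid=0x1234):
    """Standard query (RD set) plus one EDNS0 OPT RR whose CLASS field carries the UDP size accepted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)  # TYPE 41 = OPT, empty RDATA
    return header + question + opt

def advertised_udp_size(msg):
    """Largest UDP reply the sender accepts: OPT CLASS, or the classic 512-byte RFC 1035 limit without OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def needs_tcp_retry(response):
    """TC bit set means the answer was cut to fit UDP: the resolver must re-ask over TCP 53."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample reply (QR, RD, RA, TC set) that only echoes the question back.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _encode_name("example.com") + struct.pack("!HH", 1, 1)
```

A filter that passes only 512-byte UDP replies will silently drop the larger EDNS0 responses `advertised_udp_size` reports, and a filter that blocks TCP 53 breaks the retry `needs_tcp_retry` calls for.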


Frank Ricciardi
Jan 6, 2008, 8:08:01 AM
That was VERY helpful. Thank you!!

In short, it's simply not going to work the way my old Windows 2000 server
did, period.

What are your thoughts on running Server 2003 connected to the net w/o a
firewall?

Should I attempt to get the Windows software firewall configured? Will that
allow DNS and other services to work properly while still preserving the
machine's security from hacks and vulnerabilities?

Ace Fekay [MVP]
Jan 6, 2008, 11:23:51 AM
In news:F22890D2-2979-42EA...@microsoft.com,
Frank Ricciardi <FrankRi...@discussions.microsoft.com> typed:

> That was VERY helpful. Thank you!!
>
> In short, it's simply not going to work the way my old Windows 2000
> server did, period.
>
> What are your thoughts on running Server 2003 connected to the net w/o
> a firewall?
>
> Should I attempt to get the Windows software firewall configured?
> Will that allow DNS and other services to work properly while still
> preserving the machine's security from hacks and vulnerabilities?

Basically, when I was running DNS for public zones on a 2000 box, and this
applies to 2003, I disabled Client for Microsoft Networks, File and Print
Services and NetBIOS. If you try this config, test it first. Of course I had a
firewall and only allowed UDP and TCP 53 from the Internet.

Give it a shot.

Ace


Ace Fekay [MVP]
Jan 6, 2008, 11:30:50 AM
> That was VERY helpful. Thank you!!
>
> In short, it's simply not going to work the way my old Windows 2000
> server did, period.
>
> What are your thoughts on running Server 2003 connected to the net w/o
> a firewall?
>
> Should I attempt to get the Windows software firewall configured?
> Will that allow DNS and other services to work properly while still
> preserving the machine's security from hacks and vulnerabilities?
>

Also, as I said, look into creating your own IPSec filters. Here is my
search string I used:
http://www.google.com/search?q=ipsec+filter&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7ITVA

Here are some links I got from the above search for you to read up on. You
may want to look into the others as well.

To add or edit IPSec filters
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsec_filter-spec_create.mspx?mfr=true

How to use IPSec IP filter lists in Windows 2000
http://support.microsoft.com/kb/313190

How to block specific network protocols and ports by using IPSec
http://support.microsoft.com/default.aspx?scid=kb;[LN];813878

Ace

