
Configure Firewall for DNS


phoenix

Apr 19, 2004, 8:48:02 PM

DNS servers listen on 53, but send queries on high
number ports... To let DNS server queries through, and not
compromise security, are there any special considerations and
arrangements that need to be taken when configuring firewalls?

Kevin D. Goodknecht [MVP]

Apr 20, 2004, 9:02:40 AM
In news:145201c42671$2279e3f0$a401...@phx.gbl,
phoenix <anon...@discussions.microsoft.com> posted a question
Then Kevin replied below:

Win2k3 DNS supports EDNS0, which allows UDP packets over 512 bytes; some
firewalls do not allow UDP packets over 512 bytes, so the query will fail. If
the firewall does not support EDNS0, check for a firmware update or disable
EDNS0 on the Win2k3.
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731&Product=winsvr2003

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================


pgoenix

Apr 20, 2004, 11:05:58 AM

Thanks Kevin. For packets over 512, DNS will be using
IP instead of UDP, so opening IP 53 will resolve this.

I am more interested in, on the DNS side, what specification
needs to be provided to the firewall people, so they know
what is needed for DNS to function correctly, without
compromising security, rather than accommodating the
existing firewall setup...


Kevin D. Goodknecht [MVP]

Apr 20, 2004, 3:37:26 PM
In news:192701c426e8$fc571490$a601...@phx.gbl,
pgoenix <anon...@discussions.microsoft.com> posted a question
Then Kevin replied below:

> thanks kevin. for packets over 512, DNS will be using
> IP, instead of UDP, so open IP 53 will resolve this.

Not true with Win2k3 DNS, EDNS0 supports UDP packets over 512 bytes which
many firewalls will reject. Read the article.

>
> more interested in on the DNS side what specification
> needs to be provide to the firewall people, so they know
> what are needed for DNS to function correctly, without
> compromizing security, rather than to accomodate the
> existing the firewall setup...
>

All DNS needs for outgoing connections is destination ports <1024 to source
port 53 UDP & TCP. If you are allowing incoming connections to this DNS
server, do just the opposite.

phoenix

Apr 20, 2004, 9:40:11 PM

>-----Original Message-----
>In news:192701c426e8$fc571490$a601...@phx.gbl,
>pgoenix <anon...@discussions.microsoft.com> posted a question
>Then Kevin replied below:
>> thanks kevin. for packets over 512, DNS will be using
>> IP, instead of UDP, so open IP 53 will resolve this.
>
>Not true with Win2k3 DNS, EDNS0 supports UDP packets over 512 bytes which
>many firewalls will reject. Read the article.

EDNS0 can be disabled, and then DNS packets over 512
octets will use TCP 53, which is the normal way for DNS,
and there is no need to be concerned about any device in the path not
supporting it...

>
>>
>> more interested in on the DNS side what specification
>> needs to be provide to the firewall people, so they know
>> what are needed for DNS to function correctly, without
>> compromizing security, rather than to accomodate the
>> existing the firewall setup...
>>
>
>All DNS needs for out going connections is destination ports <1024 to source
>port 53 UDP & TCP. If you are allowing incoming connections to this DNS
>server, do just the opposite.
>

Should that be "All DNS needs for outgoing connections
is source ports >1023 and destination port 53 UDP & TCP.
If you are allowing incoming connections to this DNS
server, do just the opposite"?

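To make the packet-size question in this exchange concrete (Kevin's point that EDNS0 lets a resolver advertise UDP payloads over 512 bytes, and phoenix's point that with EDNS0 off an oversized answer comes back truncated and is retried over TCP 53), here is an added Python example. It is not code from the thread, from Microsoft, or from any firewall vendor; the function names build_query, advertised_udp_size and is_truncated, and the sample packets, are my own constructions. It builds a query with and without an OPT pseudo-RR, reads back the UDP payload size the query advertises (which tells a firewall admin whether datagrams larger than 512 bytes must be allowed through), and checks the TC bit of a constructed truncated response.

```python
import struct

QTYPE_A = 1
RRTYPE_OPT = 41            # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512    # RFC 1035 UDP payload limit when no OPT RR is present


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, root terminator)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, edns_udp_size=None, txid=0x1234):
    """Build a recursive DNS query; append an EDNS0 OPT RR when edns_udp_size is given."""
    arcount = 1 if edns_udp_size else 0
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: NAME=root (single zero byte), TYPE=41, CLASS=sender's UDP payload
        # size, TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(packet, offset):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def advertised_udp_size(packet):
    """Largest UDP payload the sender accepts: the OPT RR's CLASS field, else 512."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(packet, offset) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        offset = skip_name(packet, offset)
        rrtype, rrclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        if rrtype == RRTYPE_OPT:
            return rrclass
        offset += 10 + rdlength
    return CLASSIC_UDP_LIMIT


def needs_large_udp(packet):
    """True if a firewall must pass UDP datagrams over 512 bytes for this query to work."""
    return advertised_udp_size(packet) > CLASSIC_UDP_LIMIT


def is_truncated(packet):
    """True if the TC bit is set: the answer did not fit and the client must retry over TCP 53."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return bool(flags & 0x0200)


# Constructed sample response: QR=1, TC=1, RD=1, RA=1, question echoed, no records.
# This is what a resolver sees when EDNS0 is off and the answer exceeds 512 bytes.
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    + encode_name("example.com")
    + struct.pack("!HH", QTYPE_A, 1)
)

if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_udp_size=4096)
    print("plain query advertises", advertised_udp_size(plain), "bytes")
    print("EDNS0 query advertises", advertised_udp_size(edns), "bytes")
    print("truncated response -> retry over TCP:", is_truncated(TRUNCATED_RESPONSE))
```

The practical reading: if advertised_udp_size on the server's own queries is above 512, the firewall in front of it has to pass UDP datagrams of that size (or the server's EDNS0 advertisement has to be lowered or disabled); once EDNS0 is off, the TC bit is what triggers the TCP 53 retry, so TCP 53 must be open in the same direction as the UDP queries.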

Kevin D. Goodknecht [MVP]

Apr 21, 2004, 10:27:00 AM
In news:1dbf01c42741$95ce4fa0$a601...@phx.gbl,
phoenix <anon...@discussions.microsoft.com> posted a question
Then Kevin replied below:

>> All DNS needs for out going connections is destination ports <1024
>> to source port 53 UDP & TCP. If you are allowing incoming
>> connections to this DNS server, do just the opposite.
>>
>
> should that be "All DNS needs for out-going connections
> is source ports >1023 and destination port 53 UDP & TCP.
> If you are allowing incoming connections to this DNS
> server, do just the opposite"?

I stated it correctly: an outgoing connection's source is port 53.
On incoming connections the destination is port 53.

254018 - How to Configure Input Filters for Services That Run Behind Network
Address Translation:
http://support.microsoft.com/default.aspx?scid=kb;en-us;254018

phoenix

Apr 21, 2004, 2:29:53 PM

Not really sure what you stated.

1) I do not understand why you are saying <1024, as queries
will be dynamic and use high number ports (>1023).

2) To use bastion host name servers to do recursion on the
Internet, on the firewall external side, outgoing
should be open to all IP addresses with destination
53; and incoming should be open to all IP
addresses with source 53.


Kevin D. Goodknecht [MVP]

Apr 21, 2004, 5:20:58 PM
In news:251101c427ce$a3b04140$a101...@phx.gbl,
phoenix <anon...@discussions.microsoft.com> posted a question
Then Kevin replied below:
> not really sure what you stated.
>
> 1) do not understand why you are saying <1024, as queries
> will be dynamic and use high number ports (>1023).
>
> 2) to use bustion host name servers to do recursion on
> Internet, on the firewall external side for outgoing
> should be open to all IP address, and destination should
> be 53; and for incoming, should be open to all IP
> addresses with source 53.
>
Sorry, after all these years I got my less than (<) and higher than (>)
confused.
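Since the thread ends with the port directions agreed (queries leave the DNS server from a dynamic source port above 1023 to destination port 53 over both UDP and TCP, and the earlier "source 53 to destination <1024" wording was the reversed form), here is an added Python example, not from the thread or from any firewall product, that encodes both rule sets as stateless filters and checks constructed flows against them. The Flow and Rule classes, the rule lists and the sample 5-tuples are my own; the point it shows is that the reversed rule silently drops a real outbound query, while the agreed set permits the query, its reply, and the TCP retry used for oversized answers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet as a stateless firewall sees it (addresses omitted for brevity)."""
    direction: str   # "out": DNS server -> Internet, "in": Internet -> DNS server
    proto: str       # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    protos: frozenset
    src_ports: range
    dst_ports: range

    def matches(self, flow):
        return (flow.direction == self.direction
                and flow.proto in self.protos
                and flow.src_port in self.src_ports
                and flow.dst_port in self.dst_ports)


DNS_PROTOS = frozenset({"udp", "tcp"})   # UDP for normal queries, TCP for truncated retries
EPHEMERAL = range(1024, 65536)           # dynamic client ports (>1023)
PORT_53 = range(53, 54)
LOW_PORTS = range(0, 1024)

# Rule set as finally agreed in the thread. On a stateless firewall the reply
# direction has to be listed explicitly; a stateful firewall derives it itself.
AGREED_RULES = [
    Rule("out", DNS_PROTOS, EPHEMERAL, PORT_53),   # this server's outgoing queries
    Rule("in",  DNS_PROTOS, PORT_53, EPHEMERAL),   # answers to those queries
    Rule("in",  DNS_PROTOS, EPHEMERAL, PORT_53),   # clients querying this server
    Rule("out", DNS_PROTOS, PORT_53, EPHEMERAL),   # this server's answers
]

# The reversed wording from earlier in the thread: source port 53 to destination <1024.
REVERSED_RULES = [
    Rule("out", DNS_PROTOS, PORT_53, LOW_PORTS),
]


def permitted(rules, flow):
    """Default-deny evaluation: a flow passes only if some rule matches it."""
    return any(rule.matches(flow) for rule in rules)


def evaluate(rules, flows):
    """Map each constructed flow to its verdict under the given rule set."""
    return {name: permitted(rules, flow) for name, flow in flows.items()}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "outbound_udp_query": Flow("out", "udp", 49152, 53),
    "reply_to_query":     Flow("in",  "udp", 53, 49152),
    "outbound_tcp_retry": Flow("out", "tcp", 49153, 53),
    "inbound_client_q":   Flow("in",  "udp", 51000, 53),
    "not_dns_ntp":        Flow("out", "udp", 49152, 123),
}

if __name__ == "__main__":
    for label, rules in (("agreed", AGREED_RULES), ("reversed", REVERSED_RULES)):
        print(label, evaluate(rules, SAMPLE_FLOWS))
```

Run as-is, the "agreed" set permits the four DNS flows and rejects the NTP flow, while the "reversed" set rejects even the plain outbound query, which is exactly the failure a firewall team would see if they implemented the earlier wording literally.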