
Zone transfers - Port Requirements


Alan Maddison
Sep 14, 2004, 10:51:43 AM
I am trying to secure a Secondary DNS server using MS TCP/IP filtering.
However, when a zone transfer is initiated the process attempts to open a
UDP port (or ports), presumably above 1024. Does anyone know if there is a
consistent port number associated with this process, or if I can force it
to use a particular port number? The goal is to minimize the number of UDP
ports that are allowed through the filter.


Thanks.

Alan

Todd J Heron
Sep 14, 2004, 11:01:13 AM
Hi,

DNS zone transfers use TCP port 53. DNS queries use UDP port 53.

--
Todd J Heron, MCSE
Windows 2003/2000/NT


Alan Maddison
Sep 14, 2004, 11:18:10 AM
Thanks for the info. However, I am looking at two W2K3 servers where zone
transfers from the Primary/Master server to the Secondary server are using
UDP ports above 1024 for data transfer, after the initial request to port
53 on the Primary server.

I am trying to understand what these port numbers are and, if they are
random, whether there is a way to configure them.

Alan


William Stacey [MVP]
Sep 14, 2004, 2:36:54 PM
TCP always uses high "random" ports for connections from DNS, even under
BIND. The reason for this is a low-level socket "feature". As the server
is already listening on x.x.x.x:53, it cannot use that socket to also send,
as it is the accept socket, so it needs to send on another socket that is
not bound to 53 - hence the ephemeral port you see. UDP is allowed to send
on the same socket as the "listen" socket, so 53 could be used - but XFRs
are all done with TCP, so UDP does not help. HTH.

--
William Stacey, MVP


Todd J Heron
Sep 14, 2004, 2:56:08 PM
That's a nice explanation as usual William.

--
Todd J Heron, MCSE
Windows 2003/2000/NT


William Stacey [MVP]
Sep 14, 2004, 4:00:15 PM
Thanks Todd. :-)

--
William Stacey, MVP

Jonathan de Boyne Pollard
Sep 15, 2004, 11:43:20 AM
AM> I am trying to secure a Secondary DNS server using MS TCP/IP
AM> filtering.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html#ZoneTransfer>

AM> Does anyone know if there is a consistent port number associated
AM> with this process [...?]

Yes.

Alan Maddison
Sep 17, 2004, 12:55:04 PM
William

Very informative answer. Thanks. It does raise some additional questions:

1. Is the outbound TCP connection port configurable via the registry?

2. If not then it becomes impractical to use MS TCP filters on the NIC
because of the random nature. Is this true?

Thanks.

Alan

Alan Maddison
Sep 17, 2004, 1:43:05 PM
Jonathan

Thanks for the input. You have confirmed what William said, but the problem
remains in that opening TCP ports 1024-65535 is not much better than turning
off filtering, assuming that you have nothing listening in the well-known port
range. I am going to turn off filtering to make this problem go away.

William Stacey [MVP]
Sep 18, 2004, 12:22:45 AM
> 1. Is the outbound TCP connection port configurable via the registry?

TMK, not for TCP. When the client (i.e. the xfr puller) connects, the TCP
listen socket accepts a new socket. This new socket is on a random free
port.

> 2. If not then it becomes impractical to use MS TCP filters on the NIC
> because of the random nature. Is this true?

True. I have found the TCP filters to be too basic to be practical for use.
Use ISA or another firewall if possible.

--
William Stacey, MVP


Jonathan de Boyne Pollard
Sep 18, 2004, 11:43:56 AM

AM> I am trying to secure a Secondary DNS server using MS TCP/IP filtering.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html#ZoneTransfer>

AM> [...] but the problem remains in that opening TCP ports 1024-65535 is not
AM> much better than turning off filtering assuming that you have nothing
AM> listening in the well-known port range.

That depends on the capabilities of your firewall and whether it can
distinguish connect() from listen(). You have to enable only TCP connections
from those local ports, not TCP connections to those local ports.

Alan Maddison
Sep 19, 2004, 11:29:03 AM
Jonathan

I really appreciate the help; you have been very thorough in your responses.
Unfortunately I am using the MS built-in TCP filtering on W2K3, which does not
give me the flexibility that I need based on your response.

This is not a show stopper for me, because this attempt to secure traffic at
the OS kernel level was the last layer I was tackling. The Primary and
Secondary servers share a DMZ behind a PIX and so they are secure; I was just
trying to be thorough.

Alan


William Stacey [MVP]
Sep 19, 2004, 11:56:31 AM
Don't use outbound rules. Just restrict inbound to tcp and udp 53 and any
other ports you need. You need to figure out all the ports you may need for
proper server function.

--
William Stacey, MVP

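William's explanation of the ephemeral port on the pulling side, Jonathan's point that a firewall must be able to tell connect() from listen(), and William's "restrict inbound to TCP and UDP 53" advice can all be checked with a small model of the two filter types. This is an added illustration, not code from any poster in the thread; the addresses, ports and packets are constructed, and the two filters are simplified stand-ins for a port-only filter such as MS TCP/IP filtering and for a stateful firewall.

```python
from collections import namedtuple

# Minimal TCP segment: protocol, endpoints, and whether it is the opening SYN.
Packet = namedtuple("Packet", "proto src sport dst dport syn")

PRIMARY, SECONDARY = "192.0.2.1", "192.0.2.2"  # constructed (RFC 5737 range)
EPHEMERAL = 49152                              # constructed ephemeral port

# The AXFR as seen from the secondary: it connect()s from an ephemeral port to
# the primary's TCP 53, and the zone data comes back to that ephemeral port.
AXFR_SYN_OUT = Packet("tcp", SECONDARY, EPHEMERAL, PRIMARY, 53, True)
AXFR_DATA_IN = Packet("tcp", PRIMARY, 53, SECONDARY, EPHEMERAL, False)
# An unsolicited SYN to the same high port: what a port-only filter that has
# opened 1024-65535 lets in as well (constructed source address).
ROGUE_SYN_IN = Packet("tcp", "198.51.100.9", 40000, SECONDARY, EPHEMERAL, True)


def stateless_inbound_ok(pkt, allowed_local_ports):
    """Port-only filter: judges each inbound segment by its local port alone."""
    return pkt.proto == "tcp" and pkt.dport in allowed_local_ports


class StatefulFilter:
    """Filter that distinguishes connect() from listen(): inbound SYNs only to
    listening ports; other inbound segments only for connections we opened."""
    def __init__(self, listen_ports):
        self.listen_ports = set(listen_ports)
        self.conns = set()  # 4-tuples of connections this host initiated

    def outbound(self, pkt):
        if pkt.proto == "tcp" and pkt.syn:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        if pkt.proto != "tcp":
            return False
        if pkt.syn:
            return pkt.dport in self.listen_ports
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def stateless_outcome(allowed_local_ports):
    """(AXFR reply admitted?, rogue SYN admitted?) for a port-only allow-list."""
    return (stateless_inbound_ok(AXFR_DATA_IN, allowed_local_ports),
            stateless_inbound_ok(ROGUE_SYN_IN, allowed_local_ports))


def stateful_outcome():
    """Same two segments through a stateful filter listening only on TCP 53."""
    fw = StatefulFilter(listen_ports={53})
    fw.outbound(AXFR_SYN_OUT)  # the secondary starts the transfer
    return fw.inbound(AXFR_DATA_IN), fw.inbound(ROGUE_SYN_IN)
```

With the port-only filter, the only allow-list that admits the AXFR reply is the one that also admits the unsolicited SYN, which is Alan's "not much better than turning off filtering"; the stateful filter admits the reply while still exposing only port 53.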
