
DNS Ports


Jeromy

Sep 11, 2003, 8:32:21 AM
What port or ports do I need to open on my firewall to have others resolve
to my DNS? I have been reading and notice that port 53 is for DNS, but I'm
not sure if this port is used for resolution. Thanks

Jeromy


Simon Geary

Sep 11, 2003, 8:47:04 AM
TCP port 53 is used for all DNS resolution and UDP port 53 is used for zone
transfers. Open these two ports and you should be fine.

"Jeromy" <jero...@hotmail.com> wrote in message
news:eTl76AGe...@TK2MSFTNGP11.phx.gbl...

Jeromy

Sep 11, 2003, 9:07:58 AM
Thanks for the help.

Jeromy

"Simon Geary" <simon...@hotmail.com> wrote in message
news:eYLiPLGe...@TK2MSFTNGP09.phx.gbl...

Keith W. McCammon

Sep 11, 2003, 9:40:30 AM
You have that backwards, and over-generalized.

UDP port 53 is *typically* used for name resolution. TCP port 53 can also
be used for name resolution if the data is too large to send via UDP.

TCP port 53 is also used for zone transfers.

"Simon Geary" <simon...@hotmail.com> wrote in message
news:eYLiPLGe...@TK2MSFTNGP09.phx.gbl...

William Stacey

Sep 11, 2003, 11:08:05 AM
In addition to what Keith said, I think there can be occasions (if using
multiple nics) that the reply could come from a nic other than the nic that
received the query. This could affect your rules.

--
William Stacey, DNS MVP

"Simon Geary" <simon...@hotmail.com> wrote in message
news:eYLiPLGe...@TK2MSFTNGP09.phx.gbl...

Keith W. McCammon

Sep 11, 2003, 11:26:16 AM
Yeah, that can be a huge pain in the a*, particularly in the case of UDP
replies via stateful firewalls.

"William Stacey" <sta...@mvps.org> wrote in message
news:ODTaSaHe...@TK2MSFTNGP10.phx.gbl...

Ace Fekay [MVP]

Sep 11, 2003, 8:31:04 PM
To add to the mess, if using DNS to resolve for external name lookups, you
have to allow UDP above 1023 for the dynamic response port or it won't work.
I've tested it without opening this and wound up having to open it.

I hate opening the whole range to my DNS server. So I tried the
SendsOnDnsPort reg key and set it to 53 (supposedly to force it to use only
53), but that didn't work either.

If anyone else has a suggestion to this, be glad to entertain it, otherwise,
stuck with the whole range.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

"Jeromy" <jero...@hotmail.com> wrote in message
news:eTl76AGe...@TK2MSFTNGP11.phx.gbl...

Jonathan de Boyne Pollard

Sep 11, 2003, 11:29:07 AM
J> What port or ports do I need to open on my firewall to have
J> others resolve to my DNS?

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html>

Jonathan de Boyne Pollard

Sep 11, 2003, 12:30:36 PM
WS> [...] I think there can be occasions (if using multiple nics)
WS> that the reply could come from a nic other then the nic that
WS> received the query. This could effect your rules.

Microsoft's DNS client (in Windows NT, at least - DOS+Windows is different)
doesn't discard such responses, unless the "QueryIpMatching" setting is
enabled as per CERT vulnerability note VU#458659, but most other DNS clients
do. Given the facts that not checking for address mismatches between query
and response DNS/UDP datagrams greatly widens a security vulnerability, and
that such mismatches will also cause interoperability problems anyway; it's
not really worth the effort of accommodating them.
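The points raised in this thread (Keith's UDP 53 with TCP fallback when the answer is truncated, Ace's ephemeral source port above 1023 for the reply, and the query/response address-matching check Jonathan describes) as one added example; this is not code from any poster, and the server address, transaction id and reply datagrams are constructed sample values:

```python
import socket
import struct

DNS_PORT = 53

def build_query(txid, name, qtype=1):
    """Build a minimal DNS query datagram (RD set, class IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def check_response(query, query_dst, reply, reply_src):
    """Return (accept, reason, needs_tcp_retry) for a UDP reply to `query`.

    query_dst / reply_src are (ip, port) tuples. A resolver that enforces
    address matching (the QueryIpMatching behaviour discussed above) drops a
    reply from any address/port other than the one the query was sent to.
    """
    if reply_src != query_dst:
        return False, "source %s:%d does not match query destination" % reply_src, False
    if len(reply) < 12:
        return False, "reply shorter than DNS header", False
    txid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch", False
    if not flags & 0x8000:
        return False, "QR bit clear: this is a query, not a response", False
    # The question section must be echoed verbatim from our query.
    qlen = len(query) - 12
    if qdcount != 1 or reply[12:12 + qlen] != query[12:]:
        return False, "question section does not match", False
    truncated = bool(flags & 0x0200)  # TC bit set: retry the query over TCP port 53
    return True, "ok", truncated

def ephemeral_source_port():
    """Show the OS-assigned source port a resolver sends from (above 1023);
    the reply comes back to this port, which is what the >1023 rule allows."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
    finally:
        s.close()

# Constructed samples: a query to a documentation-range server, a reply with TC set,
# and a reply carrying the wrong transaction id.
SERVER = ("192.0.2.53", DNS_PORT)
QUERY = build_query(0x1234, "example.com")
REPLY_TC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
REPLY_BAD_ID = struct.pack("!HHHHHH", 0x4321, 0x8180, 1, 0, 0, 0) + QUERY[12:]
```

A firewall rule set built from this model needs UDP/TCP 53 inbound to the server and the ephemeral-port reply path outbound; the address check is what stops a reply arriving from a different nic address from being accepted.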

Jonathan de Boyne Pollard

Sep 12, 2003, 4:50:22 AM
AF> So I tried the SendsOnDnsPort reg key [...]

Was that the actual way that you spelled it? Or did you spell it
"SendOnNonDNSPort"?

Patrick

Sep 12, 2003, 10:45:27 PM
Are you sure you want to do this? Normally people
register any internal webhosts they want to publish with
their external DNS, and expose their internal webhosts by
opening ports or redirecting requests with the firewall.

Allowing others to query against your internal DNS could
be a security risk.


Ace Fekay [MVP]

Sep 12, 2003, 11:20:17 PM
Actually I did since I just copied and pasted it out of:
198410 - Microsoft DNS Server Registry Parameters, Part 3 of 3:
http://support.microsoft.com/?id=198410

So I knew I spelled it correctly, notwithstanding my misspelling of it in
my post. I restarted the server too, then removed the permit UDP gt 1023
rule. Didn't work. I followed the article. What's confusing is that it says
this is the port it sends to other DNS servers and default is blank, which
means 53. I thought possibly it was the response from my forwarders, but
they're both BIND servers (8.1.2 and 9.2.2).

Any thoughts?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

"Jonathan de Boyne Pollard" <J.deBoyn...@Tesco.NET> wrote in message
news:3F6188CE...@Tesco.NET...

Jonathan de Boyne Pollard

Sep 15, 2003, 5:52:10 AM
AF> Actually I did since I just copied and pasted it [...]

I suspected that that was the case.

AF> Any thoughts?

What port was the DNS server actually using in each case?

Ace Fekay [MVP]

Sep 15, 2003, 7:11:41 PM
In news:3F658BCA...@Tesco.NET,
Jonathan de Boyne Pollard <J.deBoyn...@Tesco.NET> posted their
thoughts, then I offered mine

>> Actually I did since I just copied and pasted it [...]
>
> I suspected that that was the case.
>
>> Any thoughts?
>
> What port was the DNS server actually using in each case ?

Random ports. IIRC, watching my router's logs scrolling by as I was doing
it, 1034, then another, I think 1063. I would need to disable >1023 again to
test it again. I'll let you know after I try it again. It's tough during the
day since I have multiple production machines requiring resolution. Early
Sunday morning is the best time I've found to test this.
