DNS lookup not working

  • Thread starter Thread starter tim_batiees
  • Start date Start date
T

tim_batiees

I have permit both TCP and UDP port 53 in the TCP/IP Filter. But it is
still blocked the DSN lookup.

Just wonder how to fix this? Thanks for advices!
 
What do you mean by tcp/ip filter? Also keep in mind that a client computer
uses port 53 UDP/TCP outbound with a random above number 1024 as the source
port for DNS name resolution traffic. Only DNS servers will use port 53
TCP/UDP as the source port. If you mean tcp/ip filtering that you configure
in the properties of the network adapter that will only filter inbound
traffic and a DNS client would be receiving responses from the DNS server on
the DNS client's source port. --- Steve
 
Thanks for reply.
Yes, I mean the TCP/IP filterimg of the network adapter. I set up the
TCP/IP filter propertities to only permits TCP port 80 and port 53 and
UDP ports 80 and port 53.

After reboot the machine, I can only access the Internet by IP number
but not by name.
Just wonder what the problem here?

Thanks,
 
That is exactly why it is not working because you have filtering enabled on
UDP and it is blocking return traffic to your computer from your ISP DNS
server. The only time you would want to enable UDP filtering for port 53
would be if you were running a DNS server. Here is a brief example why it is
not working. Your computer sends a DNS request to your ISP DNS server and
the destination port would be UDP 53 and the source port would be a randomly
assigned port above 1024 on your computer and we will say it is 1055. The
DNS server receives your request and notes that the request came from your
IP address and port 1055 on your computer. The DNS server replies with the
name resolution request and sends it to your IP address port 1055 UDP. When
it reaches your network adapter it is dropped because your network adapter
only allows traffic to port 53 UDP on your computer. Now TCP traffic is
stateful and tcp/ip filtering will allow response traffic [established
session] to your computer that was initiated by your computer but UDP is
not. Unfortunately since there is no way to predict what random port a
computer is going to use you would have to manually populate the UDP allowed
list with up to thousands of IP addresses since you can not specify a range.
Luckily with XP you have the built in Windows Firewall that you can use
which is stateful for UDP traffic. --- Steve
 
Thanks for reply, Steven.
Very clear.
Now the question is : How to block a specific IP? (I mean block a
specific IP's UDP and TCP packets)

Thanks,


That is exactly why it is not working because you have filtering enabled on
UDP and it is blocking return traffic to your computer from your ISP DNS
server. The only time you would want to enable UDP filtering for port 53
would be if you were running a DNS server. Here is a brief example why it is
not working. Your computer sends a DNS request to your ISP DNS server and
the destination port would be UDP 53 and the source port would be a randomly
assigned port above 1024 on your computer and we will say it is 1055. The
DNS server receives your request and notes that the request came from your
IP address and port 1055 on your computer. The DNS server replies with the
name resolution request and sends it to your IP address port 1055 UDP. When
it reaches your network adapter it is dropped because your network adapter
only allows traffic to port 53 UDP on your computer. Now TCP traffic is
stateful and tcp/ip filtering will allow response traffic [established
session] to your computer that was initiated by your computer but UDP is
not. Unfortunately since there is no way to predict what random port a
computer is going to use you would have to manually populate the UDP allowed
list with up to thousands of IP addresses since you can not specify a range.
Luckily with XP you have the built in Windows Firewall that you can use
which is stateful for UDP traffic. --- Steve



Thanks for reply.
Yes, I mean the TCP/IP filterimg of the network adapter. I set up the
TCP/IP filter propertities to only permits TCP port 80 and port 53 and
UDP ports 80 and port 53.

After reboot the machine, I can only access the Internet by IP number
but not by name.
Just wonder what the problem here?

Thanks,
 
Install a firewall (hardware or software) that has this feature.

--
Kerry
MS-MVP Windows - Shell/User

Thanks for reply, Steven.
Very clear.
Now the question is : How to block a specific IP? (I mean block a
specific IP's UDP and TCP packets)

Thanks,


That is exactly why it is not working because you have filtering
enabled on UDP and it is blocking return traffic to your computer
from your ISP DNS server. The only time you would want to enable UDP
filtering for port 53 would be if you were running a DNS server.
Here is a brief example why it is not working. Your computer sends a
DNS request to your ISP DNS server and the destination port would be
UDP 53 and the source port would be a randomly assigned port above
1024 on your computer and we will say it is 1055. The DNS server
receives your request and notes that the request came from your IP
address and port 1055 on your computer. The DNS server replies with
the name resolution request and sends it to your IP address port
1055 UDP. When it reaches your network adapter it is dropped because
your network adapter only allows traffic to port 53 UDP on your
computer. Now TCP traffic is stateful and tcp/ip filtering will
allow response traffic [established session] to your computer that
was initiated by your computer but UDP is not. Unfortunately since
there is no way to predict what random port a computer is going to
use you would have to manually populate the UDP allowed list with up
to thousands of IP addresses since you can not specify a range.
Luckily with XP you have the built in Windows Firewall that you can
use which is stateful for UDP traffic. --- Steve



Thanks for reply.
Yes, I mean the TCP/IP filterimg of the network adapter. I set up
the TCP/IP filter propertities to only permits TCP port 80 and port
53 and UDP ports 80 and port 53.

After reboot the machine, I can only access the Internet by IP
number but not by name.
Just wonder what the problem here?

Thanks,




Steven L Umbach wrote:
What do you mean by tcp/ip filter? Also keep in mind that a client
computer
uses port 53 UDP/TCP outbound with a random above number 1024 as
the source
port for DNS name resolution traffic. Only DNS servers will use
port 53 TCP/UDP as the source port. If you mean tcp/ip filtering
that you configure
in the properties of the network adapter that will only filter
inbound traffic and a DNS client would be receiving responses from
the DNS server on
the DNS client's source port. --- Steve


I have permit both TCP and UDP port 53 in the TCP/IP Filter. But
it is still blocked the DSN lookup.

Just wonder how to fix this? Thanks for advices!
 
You can't block a specific IP with tcp/ip filtering - just ports and
protocols in general. You could do that with a good hardware firewall or
software firewall. For XP Pro you can also can also create an ipsec
filtering policy in Local Security Policy by creating one that has a rule
using the block filter action for the ports/protocol/IP you want to block in
the filter. The link below shows the basics of creating an ipsec filtering
policy. Just be sure to carefully evaluate what are the source and
destination ports in the ipsec policy. When I use ipsec I usually configure
a block all rule and then another rule for the allowed exceptions having a
permit filter action. Ipsec filters work so that more specific rules
override more general rules as in if I create a rule to block all inbound
port 139 TCP and then another rule to allow inbound port 139 TCP from IP
192.168.1.55 that everything will be blocked to port 129 TCP other than from
IP 192.168.1.55. --- Steve

http://www.securityfocus.com/infocus/1559

Thanks for reply, Steven.
Very clear.
Now the question is : How to block a specific IP? (I mean block a
specific IP's UDP and TCP packets)

Thanks,


That is exactly why it is not working because you have filtering enabled
on
UDP and it is blocking return traffic to your computer from your ISP DNS
server. The only time you would want to enable UDP filtering for port 53
would be if you were running a DNS server. Here is a brief example why it
is
not working. Your computer sends a DNS request to your ISP DNS server and
the destination port would be UDP 53 and the source port would be a
randomly
assigned port above 1024 on your computer and we will say it is 1055. The
DNS server receives your request and notes that the request came from
your
IP address and port 1055 on your computer. The DNS server replies with
the
name resolution request and sends it to your IP address port 1055 UDP.
When
it reaches your network adapter it is dropped because your network
adapter
only allows traffic to port 53 UDP on your computer. Now TCP traffic is
stateful and tcp/ip filtering will allow response traffic [established
session] to your computer that was initiated by your computer but UDP is
not. Unfortunately since there is no way to predict what random port a
computer is going to use you would have to manually populate the UDP
allowed
list with up to thousands of IP addresses since you can not specify a
range.
Luckily with XP you have the built in Windows Firewall that you can use
which is stateful for UDP traffic. --- Steve



Thanks for reply.
Yes, I mean the TCP/IP filterimg of the network adapter. I set up the
TCP/IP filter propertities to only permits TCP port 80 and port 53 and
UDP ports 80 and port 53.

After reboot the machine, I can only access the Internet by IP number
but not by name.
Just wonder what the problem here?

Thanks,




Steven L Umbach wrote:
What do you mean by tcp/ip filter? Also keep in mind that a client
computer
uses port 53 UDP/TCP outbound with a random above number 1024 as the
source
port for DNS name resolution traffic. Only DNS servers will use port
53
TCP/UDP as the source port. If you mean tcp/ip filtering that you
configure
in the properties of the network adapter that will only filter inbound
traffic and a DNS client would be receiving responses from the DNS
server
on
the DNS client's source port. --- Steve


I have permit both TCP and UDP port 53 in the TCP/IP Filter. But it
is
still blocked the DSN lookup.

Just wonder how to fix this? Thanks for advices!
 
Back
Top