Advanced TCP filter settings on IP protocol and DNS


Ian Parker

Hi,
A quick question that I have spent weeks trying to find the answer to.

Under network card / internet protocol / properties / advanced /options /
tcp/ip filtering / properties and enabling TCP / IP filtering and Filtering
all TCP except 20, 21, 53, 80 etc and UDP 53 I still cannot get a DNS lookup
to work.

I assume it has something to do with the DNS request doing a zone transfer
and using another port ( > 1024 ) from what I've read.

How do I get DNS to always use say 1111 to do the transfer ( assuming that
is the problem ) so I can add 1111 to the filter list.

This is on a Windows 2000 server.

Thanks in advance

Ian.
 

Ace Fekay [MVP]

Ian Parker said:
> Hi,
> A quick question that I have spent weeks trying to find the answer to.
>
> Under network card / internet protocol / properties / advanced
> /options / tcp/ip filtering / properties and enabling TCP / IP
> filtering and Filtering all TCP except 20, 21, 53, 80 etc and UDP 53
> I still cannot get a DNS lookup to work.
>
> I assume it has something to do with the DNS request doing a zone
> transfer and using another port ( > 1024 ) from what I've read.
>
> How do I get DNS to always use say 1111 to do the transfer ( assuming
> that is the problem ) so I can add 1111 to the filter list.
>
> This is on a Windows 2000 server.
>
> Thanks in advance
>
> Ian.

Try this, but test it out first to make sure it works because it affects all
transfers and recursive requests:

SendPort for DNS:
http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/95408.asp

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Jonathan de Boyne Pollard

IP> I assume it has something to do with the DNS request doing a
IP> zone transfer and using another port ( > 1024 ) from what
IP> I've read.

Neither query resolution nor forwarding depends on performing "zone
transfers". Your assumption has no apparent foundation. What did you
read that made you think that this was the case?

Determine whether your proxy DNS server is forwarding to other proxy
DNS servers or resolving queries itself, and knock the appropriate
shape of hole into your firewall for whichever is the case.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html>
 

William Stacey

In addition to what Ace said, I would not use the filtering in the TCP
properties. These are very raw and basic filters with no statefulness.
This makes it hard or impossible to do things like dynamic client-side ports
(your problem). Use the RRAS input/output filters instead, or buy the ISA
firewall (or another) to get real protection. hth
--wjs
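As an added illustration of William's point (this is not code from any poster in the thread): a small model of the Windows 2000 "permit only" inbound port filter next to a stateful filter, run against a DNS query/answer pair, plus the SendPort-style fix of pinning the server's outbound source port. The packets, the port numbers and both filter models are constructed for the example.

```python
# Added model, not code from the thread. Windows 2000 TCP/IP filtering is a
# stateless "permit only" list matched against the destination port of
# inbound datagrams. A resolver sends its query from an ephemeral source port
# and the answer comes back to that port, so a UDP-53-only list drops it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_port: int
    dst_port: int
    inbound: bool    # True if arriving at the filtered host

def stateless_allows(pkt, permit):
    """NIC-level filter model: outbound passes, inbound must hit a listed port."""
    if not pkt.inbound:
        return True
    return pkt.dst_port in permit.get(pkt.proto, set())

class StatefulFilter:
    """Stateful firewall model: replies to flows it saw leaving are admitted."""
    def __init__(self, permit):
        self.permit, self.flows = permit, set()

    def allows(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return True
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self.flows:
            return True
        return pkt.dst_port in self.permit.get(pkt.proto, set())

# Ian's list from the post: TCP 20, 21, 53, 80 and UDP 53 only.
PERMIT = {"tcp": {20, 21, 53, 80}, "udp": {53}}

def dns_exchange(src_port):
    """Constructed query/answer pair for one lookup sent from src_port."""
    return Packet("udp", src_port, 53, False), Packet("udp", 53, src_port, True)

def lookup_ok_stateless(src_port, permit=PERMIT):
    q, a = dns_exchange(src_port)
    return stateless_allows(q, permit) and stateless_allows(a, permit)

def lookup_ok_stateful(src_port, permit=PERMIT):
    f = StatefulFilter(permit)
    q, a = dns_exchange(src_port)
    return f.allows(q) and f.allows(a)
```

With an ephemeral port such as 51234 the stateless model drops the answer while the stateful one admits it; pinning the source port to 1111 (the SendPort approach Ace points to) and adding UDP 1111 to the list makes the stateless model pass too, at the cost of a permanently open port.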
 

Ian Parker

Thanks for the info.
The basic TCP filter is used solely as a backstop should the software and
hardware firewalls fail, or, as has happened in the past, be turned off while
someone is "fixing" something. You can never be too protected.

Again thank you for your help
 
