DDNS & IPFiltering


David Cullum

Current config:

2 domain controllers
2 DNS servers (pri & sec)
36 clients on DHCP using non-routable IPs (172.19.220.x)
web & mail running on sec dns

Problem:

Running app that requires messaging on ALL comps so dynamic updates a must.
DNS use 2 nics; one for ext & 1 for int access. Using IP filtering on
external nic for some security. Started with TCP & UDP port 53 with
protocols 6 & 17 open on external & all ports/protocols open on internal. On
forward lookup zone I lose the secondary server listing on the external zone
but internal zone still listed. DO NOT have dynamic updates checked on
either nic of either DNS server. After manually entering the IP's in the
forward lookup for the secondary DNS server, external listing disappears
after about 2 hrs. Primary always stays there (obviously). I opened port 135
for the port mapper (which works now) but this is very dangerous. Welcome to
messages from every twit on the internet! Disabling the message service
kills those but now the app won't work properly.

Question:
Now, since port 53 is not the only port used for dynamic updates, what
port(s) is/are used? 137 (WINS)? 138 (NetBIOS datagram)? Any help from
anybody would be appreciated
 

Ace Fekay [MVP]

David Cullum said:
> Current config:
>
> 2 domain controllers
> 2 DNS servers (pri & sec)
> 36 clients on DHCP using non-routable IPs (172.19.220.x)
> web & mail running on sec dns
>
> Problem:
>
> Running app that requires messaging on ALL comps so dynamic updates a
> must. DNS use 2 nics; one for ext & 1 for int access. Using IP
> filtering on external nic for some security. Started with TCP & UDP
> port 53 with protocols 6 & 17 open on external & all ports/protocols
> open on internal. On forward lookup zone I lose the secondary server
> listing on the external zone but internal zone still listed. DO NOT
> have dynamic updates checked on either nic of either DNS server.
> After manually entering the IP's in the forward lookup for the
> secondary DNS server, external listing disappears after about 2 hrs.
> Primary always stays there (obviously). I opened port 135 for the
> port mapper (which works now) but this is very dangerous. Welcome to
> messages from every twit on the internet! Disabling the message
> service kills those but now the app won't work properly.
>
> Question:
> Now, since port 53 is not the only port used for dynamic updates, what
> port(s) is/are used? 137 (WINS)? 138 (NetBIOS datagram)? Any help from
> anybody would be appreciated

Need a little more info on your network configuration.

The dynamic response port from a Windows client is between UDP 1024 - 65534.
Obviously, difficult to safely administer.

Are you running AD?

I would actually suggest two DNS servers. One for the internal network. One
for the external network. From the internal DNS, setup a forwarder to the
external and only point all your internal machines to the external DNS
server.

If running AD and hosting external zone for Internet folks to resolve *and*
using internal private IP ranges, and you are hosting the same zone name and
AD is the same zone name *or* the internal net is a private range, then I
would say you need the two servers, one to host the public IPs and one to
host the private IPs.

If you need or want to stay with the one server, then on the external card,
disable NetBIOS, uncheck F&P Services and the MS Client service. This will
keep out external knuckleheads trying to connect in to it through NetBIOS and
eliminate your messenger pop-ups. This way just the internal card is enabled
with those services. Also, move the internal card to the top of the binding
order in Network & Dial-up Settings, Advanced menu, Advanced Settings.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
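The following is an added example, not part of the original thread or of either poster's configuration. It translates Ace's recommendations for a dual-homed DNS server (unbind File & Printer Sharing and Client for Microsoft Networks from the external card, disable NetBIOS on it, let only DNS in from the Internet, forward the internal DNS to the external one, and prefer the internal card) into the PowerShell cmdlets a current Windows Server admin would use. The adapter names "External" and "Internal" and the upstream DNS address 203.0.113.53 are assumptions for illustration.

```powershell
# Added example (not from the original post): hardening the EXTERNAL NIC of a
# dual-homed Windows DNS server along the lines Ace describes.
# Assumptions (not from the thread): adapters named 'External' and 'Internal',
# and an Internet-facing DNS server at 203.0.113.53.
# Run in an elevated PowerShell session on Windows Server 2012 or later.

$ExternalNic = 'External'
$InternalNic = 'Internal'
$ExternalDns = '203.0.113.53'   # assumed address of the external DNS server

# 1. Unbind File & Printer Sharing (ms_server) and Client for Microsoft
#    Networks (ms_msclient) from the external card only.
foreach ($component in 'ms_server', 'ms_msclient') {
    Disable-NetAdapterBinding -Name $ExternalNic -ComponentID $component
}

# 2. Disable NetBIOS over TCP/IP on the external card (TcpipNetbiosOptions 2 = disable).
$ifIndex = (Get-NetAdapter -Name $ExternalNic).ifIndex
$cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
       Where-Object { $_.InterfaceIndex -eq $ifIndex }
$null = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 }

# 3. Firewall: on the external interface allow only DNS in, and explicitly block
#    the RPC endpoint mapper, NetBIOS and SMB ports that exposed the Messenger
#    service to the Internet. Block rules take precedence over allow rules.
New-NetFirewallRule -DisplayName 'DNS in UDP (external)' -Direction Inbound `
    -InterfaceAlias $ExternalNic -Protocol UDP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName 'DNS in TCP (external)' -Direction Inbound `
    -InterfaceAlias $ExternalNic -Protocol TCP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Block RPC/SMB in (external)' -Direction Inbound `
    -InterfaceAlias $ExternalNic -Protocol TCP -LocalPort 135,139,445 -Action Block
New-NetFirewallRule -DisplayName 'Block NetBIOS in (external)' -Direction Inbound `
    -InterfaceAlias $ExternalNic -Protocol UDP -LocalPort 137,138 -Action Block

# 4. Prefer the internal card. Interface metric is the modern replacement for
#    the binding order Ace moves in Network & Dial-up Settings.
Set-NetIPInterface -InterfaceAlias $InternalNic -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $ExternalNic -AddressFamily IPv4 -InterfaceMetric 50

# 5. Internal DNS forwards to the external server (the two-server split Ace suggests).
#    Requires the DNS Server role and its DnsServer module on this host.
Add-DnsServerForwarder -IPAddress $ExternalDns -PassThru

# 6. Checks: confirm the bindings are off, and show the UDP dynamic (ephemeral)
#    port range clients use for DNS responses. This is the range Ace calls
#    "1024 - 65534"; current Windows defaults to 49152-65535.
Get-NetAdapterBinding -Name $ExternalNic -ComponentID ms_server, ms_msclient |
    Format-Table Name, ComponentID, Enabled -AutoSize
Get-NetUDPSetting | Select-Object DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts
```

The ephemeral range shown in step 6 does not need to be opened inbound: Windows Firewall is stateful, so replies to the server's own outbound queries (and to its dynamic-update requests, which also travel to port 53) are admitted automatically. Only the authoritative listener on port 53 needs an explicit inbound allow, which is why the external card can be locked down to DNS alone.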