Ephemeral ports in Windows2000 (a way to fix the port for queries to root DNS servers)

R

Roy Valenciano

Does anybody know how to fix the ports used for W2K when it queries root DNS
servers ?

We want to protect a DNS server throu ACLs, the problem is: according to the
Technet, W2K uses ephemeral ports (1024..5000) for such queries, which means
all that port range has to be open on the ACL, in order to permit the
entrance of the returning traffic throu the Router. We want that the DNS
server uses only a fixed port, let's say UDP 53, as it did on NT 4.

Thank you.
 
A

Ace Fekay [MVP]

In
Roy Valenciano said:
Does anybody know how to fix the ports used for W2K when it queries
root DNS servers ?

We want to protect a DNS server throu ACLs, the problem is: according
to the Technet, W2K uses ephemeral ports (1024..5000) for such
queries, which means all that port range has to be open on the ACL,
in order to permit the entrance of the returning traffic throu the
Router. We want that the DNS server uses only a fixed port, let's say
UDP 53, as it did on NT 4.

Thank you.
Click to expand...

I hate those emperial ports. You can force it thru the reg. Read up on it:

SendPort for DNS (is what you need to know about):
http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/95408.asp

Read up on this. In part 3 there's info about the SendOnNonDnsPort.
Some more info on reg entries for DNS:
198410 - Microsoft DNS Server Registry Parameters, Part 3 of 3:
http://support.microsoft.com/?id=198410
198409 - Microsoft DNS Server Registry Parameters, Part 2 of 3:
http://support.microsoft.com/?id=198409
198408 - Microsoft DNS Server Registry Parameters, Part 1 of 3:
http://support.microsoft.com/?id=198408

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
J

Jonathan de Boyne Pollard

RV> We want to protect a DNS server throu[gh] ACLs, the problem is:

The problem is that you don't understand what you are doing and why.
Ephemeral ports are a good thing. What you are supposedly protecting your DNS
server from is response spoofing. But part of what makes responses difficult
(albeit not very difficult - The DNS protocol was not well designed.) to spoof
is that an attacker has to guess both message ID and local port number. If
you fix the local port number, in the way that you are wanting to, all that an
attacker has to do is guess the message ID. You merely make the attack quite
a lot easier.

<URL:http://cr.yp.to/djbdns/forgery.html>
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Best Practices for Forwarded DNS Queries 8
dnslint error message - server did not respond to udp queries 3
Forwarders & Firewall Ports 4
DNS/port filter prob on Win2k webserver 2
DNS excessive traffic root hints 14
DNS Zone transfers not occuring 1
packets to DNS port 53 from W2K AD server from olmost random source ports 3
DNS - how to setup dns to give out external IP not internal 2

Top