Advanced TCP filter settings on IP protocol and DNS


Ian Parker

Hi,
A quick question that I have spent weeks trying to find the answer to.

Under network card / internet protocol / properties / advanced /options /
tcp/ip filtering / properties and enabling TCP / IP filtering and Filtering
all TCP except 20, 21, 53, 80 etc and UDP 53 I still cannot get a DNS lookup
to work.

I assume it has something to do with the DNS request doing a zone transfer
and using another port ( > 1024 ) from what I've read.

How do I get DNS to always use say 1111 to do the transfer ( assuming that
is the problem ) so I can add 1111 to the filter list.

This is on a Windows 2000 server.

Thanks in advance

Ian.
 
Try this, but test it out first to make sure it works because it affects all
transfers and recursive requests:

SendPort for DNS:
http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/95408.asp

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
IP> I assume it has something to do with the DNS request doing a
IP> zone transfer and using another port ( > 1024 ) from what
IP> I've read.

Neither query resolution nor forwarding depends on performing "zone
transfers". Your assumption has no apparent foundation. What did you
read that made you think that this was the case?

Determine whether your proxy DNS server is forwarding to other proxy
DNS servers or resolving queries itself, and knock the appropriate
shape of hole into your firewall for whichever is the case.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html>
 
In addition to what Ace said, I would not use the filtering in the TCP
properties. These are very raw and basic filters with no statefulness.
This makes it hard or impossible to do things like dynamic client-side ports
(your problem). Use the RRAS input/output filters instead, or buy ISA
firewall (or another) to get real protection. hth
--wjs
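To make the "no statefulness" point concrete, here is a small Python model added to this thread (not code from any of the posters or from Windows): a stateless Windows 2000 style permit list that only checks the local port of inbound packets, beside a minimal stateful filter of the RRAS/ISA kind, both run over a constructed DNS query/reply pair. The addresses, the ephemeral port 1025 and the forwarder are assumptions; the permit list is the one from the original question.

```python
# Added model (not the thread's code): Windows 2000 "TCP/IP filtering" is
# stateless and checks only the local port of inbound packets, so a DNS
# reply to an ephemeral source port is dropped. Addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

LOCAL = "192.0.2.10"                               # the filtered Windows host
FORWARDER = "198.51.100.53"                        # upstream DNS server
ALLOWED = {"tcp": {20, 21, 53, 80}, "udp": {53}}   # permit list from the thread

def stateless_allows(pkt, allowed=ALLOWED):
    """Inbound packets pass only if the local port is on the permit list;
    outbound traffic is not inspected at all (there is no flow table)."""
    if pkt.dst != LOCAL:
        return True
    return pkt.dport in allowed.get(pkt.proto, set())

class StatefulFilter:
    """RRAS/ISA-style behaviour in miniature: remember each outbound flow and
    admit the matching reply even though its local port is ephemeral."""
    def __init__(self, allowed=ALLOWED):
        self.allowed, self.flows = allowed, set()
    def allows(self, pkt):
        if pkt.src == LOCAL:
            self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        return pkt.dport in self.allowed.get(pkt.proto, set())

def dns_exchange(sport):
    """Forwarded query from LOCAL:sport to port 53 and the reply to that port."""
    return (Packet("udp", LOCAL, sport, FORWARDER, 53),
            Packet("udp", FORWARDER, 53, LOCAL, sport))

def stateless_result(sport, allowed=ALLOWED):
    query, reply = dns_exchange(sport)
    return stateless_allows(query, allowed) and stateless_allows(reply, allowed)

def stateful_result(sport):
    f, (query, reply) = StatefulFilter(), dns_exchange(sport)
    return f.allows(query) and f.allows(reply)
```

`stateless_result(1025)` is False because the reply lands on a local port the permit list never mentions, while `stateless_result(1111, {"udp": {53, 1111}})` is True, which is what pinning SendPort to 1111 and then permitting 1111 buys you. `stateful_result(1025)` is True without any pinning, and the stateful filter still rejects an inbound packet that matches no outbound flow.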
 
Thanks for the info.
The basic TCP filter is used solely as a backstop should the software and
hardware firewalls fail, or, as has happened in the past, be turned off while
someone is "fixing" something. You can never be too protected.

Again thank you for your help
 