DNS & Firewall

Thread starter: Todd Ellington

Todd Ellington

I have a Windows 2000 Server that is being upgraded to Active Directory
(Mainly so that we can use Exchange Server) We are also planning on using
the DNS server as well - not for intranet naming! This will be a dns server
for live domain names, websites, etc...

This is the first of many posts I fear but the question at hand is this... I
am running a software-based firewall on the server. What ports need to be
open for DNS to operate & communicate properly with the rest of the net?
Also wondering if anyone knows the ports I need to open for Active
Directory.

THANKS!
Todd
 
Todd Ellington said:
> I have a Windows 2000 Server that is being upgraded to Active
> Directory (Mainly so that we can use Exchange Server) We are also
> planning on using the DNS server as well - not for intranet naming!
> This will be a dns server for live domain names, websites, etc...

If you are going to use a local DNS server for public domains and an Active
Directory domain, you must have a bare minimum of two DNS servers: one for
public access (which would need to be listening on two public IP addresses)
plus one for local access and your AD domain. But you should have a minimum
of three, two public and one local; recommended is four, two each local and
public.
Internal machines should not see the public DNS and external machines should
not see the internal DNS.

I could go into all the hoopla as to the reason you should not try this but
that is not why I'm here. I'm sure there will be some who chime in on that
subject so I'll leave that up to them.
> This is the first of many posts I fear but the question at hand is
> this... I am running a software-based firewall on the server. What
> ports need to be open for DNS to operate & communicate properly with
> the rest of the net? Also wondering if anyone knows the ports I need
> to open for Active Directory.

I would highly recommend you not try to operate AD through a firewall; it
would be pointless to have a firewall because it would be like swiss cheese
(full of holes). But that was not your question, so here goes for some
articles to read (print them; you will need them on paper):
Active Directory Replication over Firewalls - Microsoft Service Providers
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

254018 - How to Configure Input Filters for Services That Run Behind Network
Address Translation
http://support.microsoft.com/default.aspx?scid=kb;en-us;254018
 
You need to open TCP and UDP ports 53 for inbound
and outbound. That is sufficient to resolve queries in
both directions and perform zone transfers.

You also (IMO) need to scrap your software firewall and get
a hardware unit if you plan to expose any server to
the public Internet, especially one running AD. This need
not be an expensive undertaking.

I can think of no circumstances under which I would
expose Active Directory ports to the public Internet.
But anyway, because of the way RPC ports are allocated, it
is difficult to accomplish through any firewall. You can
check the MS KB as there are a couple of good articles
that explain this in considerable detail.

Steve Duff, MCSE
Ergodic Systems, Inc.
 
Kevin,

Thanks for the info. You can probably help me here... The only reason I'm
installing Active Directory is so that I can use MS Exchange chat server.
One of my web sites will be using it. It is a rather heavy-traffic site and
I don't trust the few other windows-based irc servers on the market to
handle loads like this. UNIX isn't an option for several reasons so that
leaves me with little choice.

If I installed AD and only permitted port 53, will the server act normally?
It's the only server I have. No big network or anything. I host several web
sites on the server though.

Is this all overkill for just a chat server? I'm worried about load-handling
and I trust Exchange over other solutions.

Thanks,
Todd
 
Todd Ellington said:
> Kevin,
>
> Thanks for the info. You can probably help me here... The only reason
> I'm installing Active Directory is so that I can use MS Exchange chat
> server. One of my web sites will be using it. It is a rather
> heavy-traffic site and I don't trust the few other windows-based irc
> servers on the market to handle loads like this. UNIX isn't an option
> for several reasons so that leaves me with little choice.
>
> If I installed AD and only permitted port 53, will the server act
> normally? It's the only server I have. No big network or anything. I
> host several web sites on the server though.
>
> Is this all overkill for just a chat server? I'm worried about
> load-handling and I trust Exchange over other solutions.

Personally, I would leave the public DNS with the registrar and just use
your local server for local resolution; you're going to need that anyway for
sure. Then the only thing you will be exposing to the internet is the chat
server. The fewer incoming ports you have open the better.
That being said, you will not be able to use your local DNS for people on
the internet because it will hold records with private non-routable
addresses; you are going to need that yourself or you won't be able to
access your own network by name.
 
Well, presently I have 3 servers online. 2 UNIX and one Windows 2000. One
UNIX hosts dns, the other hosts about 30 sites then the windows server hosts
another 30 sites... I'm consolidating everything down to the one windows
server while at the same time adding the DNS server (if possible). The
server is being hosted at a colocation.

I'm gathering from your response that I'm hosting the server from my house?
Using the registrar is not possible either because some of my customers
register their own domains so I don't have control over the domains unless
they point them to my dns servers.
 
I've actually found that UDP 1024+ needs to be opened inbound to the DNS
server too for resolution, due to the ephemeral port MS DNS opens up.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks for all the info! The only thing is, we're eliminating the unix
servers completely and will only have this windows server online at the data
center. This is for financial reasons. I simply can't afford more than one
server right now.

 
Todd Ellington said:
> Well, presently I have 3 servers online. 2 UNIX and one Windows 2000.
> One UNIX hosts dns, the other hosts about 30 sites then the windows
> server hosts another 30 sites... I'm consolidating everything down to
> the one windows server while at the same time adding the DNS server
> (if possible). The server is being hosted at a colocation.
>
> I'm gathering from your response that I'm hosting the server from my
> house? Using the registrar is not possible either because some of my
> customers register their own domains so I don't have control over
> the domains unless they point them to my dns servers.

To address your question about ports, there are over 30 ports for AD and it
is really not advisable to make them available publicly.

179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/?id=179442

Download details Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/...familyid=c2ef3846-43f0-4caf-9767-a9166368434e

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

As for AD and Exchange and making chat available, you can do this on the
Internet, but you do not need to have all of AD's ports exposed. All you
really need is port 80 for the web based chat service, just as you would for
Exchange's OWA access. Port 443 if you were to use SSL. There may be a couple
other ports required. I provided a couple links below.

MS DNS requires TCP & UDP 53 as well as UDP 1024 to 65534. Yes, that is a
wide range, but it's the way it works. BIND doesn't require that.

As Kevin suggested, stick with a separate DNS server for AD, and it would be
easier to use MS' DNS services for this. Do not expose this publicly. The
other two Unix BIND servers can be for your public records. Set up a
forwarder from the MS DNS to your public BIND servers.

You'll want this MS DNS server to be hosted locally for AD/Exchange. If you
ask me, make it the domain controller. You don't want this server to be at a
co-lo when the AD & Exchange services are the only ones that require its
use. Public access to Chat will be through web services. If using Net Meeting,
that takes a little more, as stated here:
http://www.microsoft.com/windows/netmeeting/corp/reskit/chapter4/default.asp

More info on Chat:
Exchange 2000 Server - Chat and Instant Messaging Services:
http://www.microsoft.com/technet/prodtechnol/exchange/exchange2000/reskit/part5/c19chat.asp


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Todd Ellington said:
> Thanks for all the info! The only thing is, we're eliminating the unix
> servers completely and will only have this windows server online at
> the data center. This is for financial reasons. I simply can't afford
> more than one server right now.

I see. Since you *already* have multiple servers, can't you use one of them
for public data? For security concerns, I would not host my private domain
data on a public network (the Internet). Please keep that in mind and weigh
out Security vs $$. What's cheaper in the long run if your server were to get
compromised?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello All,

The article below may shed some light on your question.

179442 How to Configure a Firewall for Domains and Trusts
http://kb/article.asp?id=Q179442

For Windows 2000
+========================+=============+=============+
| Client Port(s)         | Server Port | Service     |
+========================+=============+=============+
| 1024-65535/TCP         | 135/TCP     | RPC *       |
+========================+=============+=============+
| 1024-65535/TCP/UDP     | 389/TCP/UDP | LDAP        |
+========================+=============+=============+
| 1024-65535/TCP         | 636/TCP     | LDAP SSL    |
+========================+=============+=============+
| 1024-65535/TCP         | 3268/TCP    | LDAP GC     |
+========================+=============+=============+
| 1024-65535/TCP         | 3269/TCP    | LDAP GC SSL |
+========================+=============+=============+
| 53,1024-65535/TCP/UDP  | 53/TCP/UDP  | DNS         |
+========================+=============+=============+
| 1024-65535/TCP/UDP     | 88/TCP/UDP  | Kerberos    |
+========================+=============+=============+
| 1024-65535/TCP         | 445/TCP     | SMB         |
+========================+=============+=============+


Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
 
Hi Shane,

I've found that it's not necessary to open TCP 1024-65534, according to that
article, for DNS to work. However, UDP 1024-65534 is required. I've tried to
force it through the DnsSendPort reg entry to 53, to force TCP/UDP 53 only, but
it didn't seem to work for me, unless I did something wrong.

Thanks!
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
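The three firewall designs argued over in this thread, modelled as an added example (not code from any poster, from Microsoft, or from KB 179442): a toy packet filter in Python loaded with the server-side ports from the KB 179442 table Shane quoted, run against constructed traffic from a recursing MS DNS server. Everything else is assumed for illustration: the addresses (RFC 5737 documentation ranges), the 1024-65534 range taken from Ace's post, and the simplification that a stateful filter keys replies on the full 5-tuple.

```python
"""Stateless vs stateful handling of the DNS/AD ports discussed in the thread.
Added illustration with constructed addresses and traffic; not from the posts."""
from dataclasses import dataclass

# Server-side ports from the KB 179442 table posted by Shane. The client side
# of every row is an ephemeral port (1024-65535), which is the crux of the thread.
SERVICE_PORTS = {
    ("tcp", 135): "RPC",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 636): "LDAP SSL",
    ("tcp", 3268): "LDAP GC",
    ("tcp", 3269): "LDAP GC SSL",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 445): "SMB",
}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (toward the server) or "out" (from the server)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    """Toy host firewall: publishes named services inbound, optionally opens
    extra inbound port ranges, and optionally tracks outbound flows so that
    replies are admitted without a standing inbound rule."""

    def __init__(self, published, stateful=False, inbound_ranges=()):
        self.allowed = {k for k, v in SERVICE_PORTS.items() if v in published}
        self.inbound_ranges = list(inbound_ranges)  # (proto, low, high)
        self.stateful = stateful
        self.flows = set()  # 5-tuples of outbound traffic seen so far

    def evaluate(self, p):
        """Return (permitted, reason) for one packet."""
        if p.direction == "out":
            if self.stateful:
                # Remember the 5-tuple so the matching reply can come back in.
                self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True, "outbound permitted"
        key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if self.stateful and key in self.flows:
            return True, "reply to a tracked outbound flow"
        if (p.proto, p.dst_port) in self.allowed:
            return True, "published service " + SERVICE_PORTS[(p.proto, p.dst_port)]
        for proto, low, high in self.inbound_ranges:
            if p.proto == proto and low <= p.dst_port <= high:
                return True, f"inside open range {low}-{high}/{proto}"
        return False, "no matching rule"


def recursion_scenario(fw, send_port):
    """Constructed traffic for a recursing MS DNS server behind `fw`: its query
    to an upstream server, the upstream's reply, an unsolicited datagram from a
    stranger aimed at the same local port, and an LDAP probe from the stranger."""
    local, upstream, stranger = "203.0.113.5", "198.51.100.10", "192.0.2.77"
    traffic = {
        "query": Packet("out", "udp", local, send_port, upstream, 53),
        "reply": Packet("in", "udp", upstream, 53, local, send_port),
        "probe": Packet("in", "udp", stranger, 40000, local, send_port),
        "ldap": Packet("in", "tcp", stranger, 40001, local, 389),
    }
    return {name: fw.evaluate(p)[0] for name, p in traffic.items()}


def compare_designs():
    """The designs the thread circles around; DNS is published, AD is not."""
    return {
        # Only 53/tcp+udp inbound, no state: the reply to the ephemeral port is dropped.
        "stateless_53_only": recursion_scenario(Firewall({"DNS"}), 1029),
        # Ace's workaround: open UDP 1024-65534 inbound. Replies work, but so does
        # any unsolicited UDP datagram to those ports.
        "stateless_high_udp_open": recursion_scenario(
            Firewall({"DNS"}, inbound_ranges=[("udp", 1024, 65534)]), 1029),
        # Pin the send port to 53 (the DnsSendPort idea): the reply lands on 53,
        # and the "probe" is then just an ordinary DNS query the server serves anyway.
        "stateless_sendport_53": recursion_scenario(Firewall({"DNS"}), 53),
        # Stateful filter: the reply is admitted via the flow table, stranger dropped.
        "stateful_53_only": recursion_scenario(Firewall({"DNS"}, stateful=True), 1029),
    }


if __name__ == "__main__":
    for design, result in compare_designs().items():
        print(design, result)
```

Compare the four result rows: opening UDP 1024-65534 on a stateless filter admits the upstream's reply but also any unsolicited datagram to those ports, while a filter that tracks outbound flows admits only the reply it saw a query for and still rejects the stranger. In every design the LDAP probe is dropped because AD's ports are not published, which is the posture Kevin and Ace recommend.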
 
Hello Ace,

Nice to hear from you again. TCP 53 is for zone transfers. UDP 53 is for
queries.
What does a trace show on the DNS response going out, and what kind of
queries are these?
NSLOOKUP, web, third party app?

Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
 
Hello Ace,

You are correct, the client source port will be ephemeral.
If you are referencing

260186 SendPort DNS Registry Key Does Not Work as Expected
http://kb/article.asp?id=Q260186

Please check to see if you had this key as well:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value Name: SendOnNonDnsPort
Data Type : REG_DWORD
Data : Appropriate port # (53 is default) (port numbers are in decimal)

These two reg hacks do not seem compatible.

Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
 
Shane Brasher said:
> Hello Ace,
>
> Nice to hear from you again. TCP 53 is for zone transfers. UDP 53
> is for queries.
> What does a trace show on the DNS response going out, and what kind of
> queries are these?
> NSLOOKUP, web, third party app?
>
> Shane Brasher
> MCSE (2000,NT),MCSA, A+
> Microsoft Platforms Support
> Windows NT/2000 Networking

Hi Shane,

Query types are mostly web or email. I'm hosting about 25 clients and many
of them started calling within an hour of my changes. I haven't done a
capture yet on this, just simple tests, such as changing the DnsSendPort key,
restarting, clearing my client side cache, and trying it again. Just won't go
out. I finally opened the upper ports and that brought it back up, but I
really ran out of time to work on it. Nslookups on my own machine I usually
do with a +vc to force TCP to get responses, since that upper range is not
opened to my workstation.

Guess I'll have to sit down and work with it from scratch to see where it's
failing or where I'm failing....


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks for the pointers, Shane. Have to look at that one. Didn't know that
article existed. I'll post back and let you know.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 