JBowler
We have Win2k server hosting many websites. We are having a problem when
trying to ping/dnslookup and resolve any domains from the server. We have
found the problem to be the IP/UDP filtering on the network card. We have
only ports 80, 21, and 53 open for traffic both TCP and UDP. DNS (port 53)
should use the forwarder configured to the master BIND DNS server for domain
resolution but it will not work. It keeps trying to resolve locally because
it cannot make a successful query to the master DNS server. We have even
bound the IP address of the master DNS server to the network card so it will
resolve naturally from there. After a lot of trial and error we have found
that if we unfilter all UDP ports the DNS works correctly.
Does anyone know why this is? Can anyone provide any idea as to how we may
overcome this? I read a MS KB - 268674 and it was talking about DHCP and
DNS working together. We can't put DHCP on a live webserver for obvious
reasons but may use it on the second network card for 192.196.xxx as a dummy
network. Anyone have any thoughts about a second UDP port that needs
opening? The obvious answer is to have a firewall that blocks all traffic
etc, etc. We do but with a server farm we also have IP security on each
server. Any help is appreciated.
JBowler
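The exchange the post describes, as an added example that is not part of the original post: a resolver sends its UDP query to port 53 of the master server from a kernel-chosen ephemeral source port, and the reply comes back addressed to that ephemeral port. Windows 2000 TCP/IP Filtering is a stateless, inbound-only permit list keyed on destination port, so an inbound reply to an ephemeral port is not on a {80, 21, 53} list and is dropped, while "permit all" UDP lets it through. The mock "master BIND" below runs on loopback on an unprivileged port instead of 53 (so it runs without root), the query name, answer address and function names are my own, and `inbound_udp_allowed` is my model of the Win2k filter rather than any Microsoft code.

```python
import random
import socket
import struct
import threading

# The poster's inbound UDP permit list (constructed from the post).
POSTERS_UDP_PERMIT_LIST = {80, 21, 53}


def build_dns_query(qname, txid):
    """Minimal RFC 1035 query: 12-byte header + one A/IN question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_dns_answer(query, ip):
    """Constructed reply: same txid and question, QR/RD/RA set, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C = compression pointer to the name at offset 12 (the question).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr


def inbound_udp_allowed(dst_port, permit_list):
    """Model of Windows 2000 TCP/IP Filtering (an assumption of this example):
    stateless, inbound only, and keyed purely on the destination port.
    permit_list=None models the 'permit all UDP' (unfiltered) setting."""
    return permit_list is None or dst_port in permit_list


def run_mock_forwarder(sock, answer_ip):
    """Stand-in for the master BIND server: answer one query to its sender."""
    query, peer = sock.recvfrom(512)
    sock.sendto(build_dns_answer(query, answer_ip), peer)
    return peer  # (addr, port) the reply is addressed to


def resolve_through_filter(permit_list, qname="example.invalid", answer_ip="192.0.2.10"):
    """Send one query to the mock server and report whether the modelled
    inbound filter would have delivered the reply to the resolver."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # real DNS listens on 53; 0 avoids needing root
    server.settimeout(5)
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(peer=run_mock_forwarder(server, answer_ip))
    )
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))  # port 0: the kernel picks an ephemeral source port
    client.settimeout(5)
    txid = random.randrange(0x10000)
    client.sendto(build_dns_query(qname, txid), server.getsockname())
    reply, _ = client.recvfrom(512)
    worker.join()
    client_port = client.getsockname()[1]
    server.close()
    client.close()

    reply_dst_port = result["peer"][1]  # the server replied to our ephemeral port
    return {
        "source_port": client_port,
        "reply_dst_port": reply_dst_port,
        "reply_delivered": inbound_udp_allowed(reply_dst_port, permit_list),
        "txid_matches": struct.unpack("!H", reply[:2])[0] == txid,
    }


if __name__ == "__main__":
    print("ports 80/21/53 only:", resolve_through_filter(POSTERS_UDP_PERMIT_LIST))
    print("all UDP permitted:  ", resolve_through_filter(None))
```

The query leaves fine in both runs because the filter only inspects inbound datagrams; what differs is whether the reply, addressed to the resolver's ephemeral port, survives the permit list. That is the same symptom as in the post: opening all UDP ports makes forwarding work, because the inbound filter then stops discarding the answers.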