DNS through Firewall (RRAS)


Bas

Configured RRAS, through IP-Routing, as a firewall
(IP traffic filter) on a Win2k webserver and it works
fine for FTP, SMTP, webhosting and access through
pcAnywhere, but can't browse the internet from within the
webserver.
I know it's caused by blocked DNS. Tried all kinds of
DNS filter scenarios but nothing seems to work.

Is it not possible or do I have to install an internal
DNS server first and use the DNS forwarders in
combination with port 53 filtering?

Please help!
 

Herb Martin

Bas said:
Configured RRAS, through IP-Routing, as a firewall
(IP traffic filter) on a Win2k webserver and it works
fine for FTP, SMTP, webhosting and access through
pcAnywhere, but can't browse the internet from within the
webserver.
I know it's caused by blocked DNS. Tried all kinds of
DNS filter scenarios but nothing seems to work.

Open up the DNS (source 53 inbound and destination
outbound 53 on at least UDP but really on TCP too.)

Bas said:
Is it not possible or do I have to install an internal
DNS server first and use the DNS forwarders in
combination with port 53 filtering?

A forwarding server isn't likely to get through either --
unless you open the appropriate ports.

If you have internal DNS, then likely your clients should
use them and forward to a forwarder but that is separate
from not being able to pass traffic.
 

Bas

Already opened port 53 UDP and TCP inbound and outbound
in the same way as described in the Microsoft Knowledge
Base Article 310111 for opening PPTP VPN Client filter.

Under Input filters, checked Destination network and put
in the IP of the external NIC, chose TCP (and UDP) as protocol,
set destination port to 53 and selected "drop all packets
except those that meet the criteria". Under Output
filters, selected Source network, filled in the IP of the
external NIC, chose TCP (and UDP) as protocol, typed 53
as Source port and selected "drop all packets except
those that meet the criteria".

Tried all kinds of settings different from those above
but nothing worked.
Have I missed something (like another port or protocol)?

If you think that a DNS forwarding server doesn't do the
trick what will?

Someone told me once that port 53 is ok for outbound but
that inbound could be any port above 1024 or so. Maybe
there lies a solution but I can't see it.
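The two posts above describe the same four RRAS filter fields (source/destination network, protocol, source port, destination port) under "drop all packets except those that meet the criteria", but with the port criteria pointing in opposite directions. The following is an added example, not code from the thread or from Microsoft: a small model of stateless input/output filters that runs Bas's filters and Herb's recommendation against the two packets of a DNS lookup made from the webserver, and also against a lookup made to the webserver. The addresses, the `Packet`/`Rule` names and the ephemeral port numbers are constructed for the example. The same check generalises to any port where the box both serves and browses, so an HTTP case is included.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the example (documentation ranges, not real hosts):
EXT_IP = "203.0.113.10"    # the Win2k webserver's external NIC
ISP_DNS = "198.51.100.53"  # the ISP resolver the webserver queries
REMOTE = "192.0.2.25"      # an arbitrary host on the Internet


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One RRAS input or output filter entry; None stands for a field left blank ('any')."""
    proto: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src_net in (None, p.src_ip)
                and self.dst_net in (None, p.dst_ip)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def permitted(filters: List[Rule], p: Packet) -> bool:
    """'Drop all packets except those that meet the criteria': pass on any match."""
    return any(r.matches(p) for r in filters)


def client_exchange_passes(in_f, out_f, proto, server_ip, server_port, eph=1025):
    """The webserver is the client: the request leaves from an ephemeral port to
    server_port and the reply comes back from server_port to that ephemeral port."""
    request = Packet(proto, EXT_IP, eph, server_ip, server_port)
    reply = Packet(proto, server_ip, server_port, EXT_IP, eph)
    return permitted(out_f, request) and permitted(in_f, reply)


def server_exchange_passes(in_f, out_f, proto, client_ip, service_port, eph=3456):
    """The webserver is the server: the request arrives at service_port from a remote
    ephemeral port and the reply leaves from service_port back to it."""
    request = Packet(proto, client_ip, eph, EXT_IP, service_port)
    reply = Packet(proto, EXT_IP, service_port, client_ip, eph)
    return permitted(in_f, request) and permitted(out_f, reply)


def probe_with_source_53_passes(in_f, target_port=139):
    """Cost of a stateless filter: a remote host that sets its source port to 53 is
    let through to any local port, because the input filter cannot tell whether a
    query was ever sent. Constructed probe, not traffic from the thread."""
    return permitted(in_f, Packet("TCP", REMOTE, 53, EXT_IP, target_port))


# Bas's filters as posted: input matches DESTINATION port 53, output matches SOURCE
# port 53. Those describe a DNS server on the box, not a DNS client on it.
BAS_IN = [Rule("UDP", dst_net=EXT_IP, dst_port=53), Rule("TCP", dst_net=EXT_IP, dst_port=53)]
BAS_OUT = [Rule("UDP", src_net=EXT_IP, src_port=53), Rule("TCP", src_net=EXT_IP, src_port=53)]

# Herb's advice: source port 53 inbound, destination port 53 outbound (client role).
CLIENT_DNS_IN = [Rule("UDP", dst_net=EXT_IP, src_port=53), Rule("TCP", dst_net=EXT_IP, src_port=53)]
CLIENT_DNS_OUT = [Rule("UDP", src_net=EXT_IP, dst_port=53), Rule("TCP", src_net=EXT_IP, dst_port=53)]

# Same pattern for HTTP: serving port 80 and browsing port 80 need opposite filters,
# and both sets can sit in the same input/output lists.
SERVE_HTTP_IN = [Rule("TCP", dst_net=EXT_IP, dst_port=80)]
SERVE_HTTP_OUT = [Rule("TCP", src_net=EXT_IP, src_port=80)]
BROWSE_HTTP_IN = [Rule("TCP", dst_net=EXT_IP, src_port=80)]
BROWSE_HTTP_OUT = [Rule("TCP", src_net=EXT_IP, dst_port=80)]

if __name__ == "__main__":
    print("Bas's filters, lookup from the server:",
          client_exchange_passes(BAS_IN, BAS_OUT, "UDP", ISP_DNS, 53))
    print("Bas's filters, remote host querying port 53 on the server:",
          server_exchange_passes(BAS_IN, BAS_OUT, "UDP", REMOTE, 53))
    print("Herb's filters, lookup from the server (TCP):",
          client_exchange_passes(CLIENT_DNS_IN, CLIENT_DNS_OUT, "TCP", ISP_DNS, 53))
    http_in, http_out = SERVE_HTTP_IN + BROWSE_HTTP_IN, SERVE_HTTP_OUT + BROWSE_HTTP_OUT
    print("Serve and browse HTTP with both rule sets:",
          server_exchange_passes(http_in, http_out, "TCP", REMOTE, 80),
          client_exchange_passes(http_in, http_out, "TCP", REMOTE, 80))
    print("Probe from source port 53 to port 139 past the client DNS input filter:",
          probe_with_source_53_passes(CLIENT_DNS_IN))
```

The model makes the "any port above 1024" remark concrete: the reply to a lookup arrives at an ephemeral destination port, so a client-role input filter can only key on the remote source port, and that is also why a stateless filter keyed on source port 53 lets a remote host that spoofs source port 53 reach any local service. Adding the serving-role rules for a port does nothing for browsing on that port; the two roles need their own entries.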
 

Brandy Griffin [MSFT]

Win2000 NAT/firewall has a checkbox for allowing DNS traffic across the
firewall:

Right-click on Network Address Translation (NAT) and choose properties, and
click on the DNS Resolution tab. Check the box which says "Clients use
Domain Name Services (DNS)"
 

Herb Martin

Brandy Griffin said:
Win2000 NAT/firewall has a checkbox for allowing DNS traffic across the
firewall:

Right-click on Network Address Translation (NAT) and choose properties, and
click on the DNS Resolution tab. Check the box which says "Clients use
Domain Name Services (DNS)"

That has nothing to do with "blocking DNS" requests.

It is about acting as a proxy or relay DNS server to your
clients -- it more or less turns the NAT or ICS into a
Caching-Only DNS server (although that terminology is
not used in reference to it by Microsoft.)

Win2000 NAT doesn't filter so there would need to be some
additional software installed (or using IPSec etc) to block
DNS -- same for ICS on Win2000. XP has the firewall
which interacts in surprising ways with ICS so the OS
would be important here.

Using your suggestion he might be able to AVOID rather
than fix the original problem -- enable the DNS check box
in NAT, and then forward to this machine (or let clients
use this machine for their DNS). Make sure it is set to
use a nearby ISP's DNS server in its own client properties.
 

Bas

Thanks for the input, finally figured it out. Had the DNS
settings OK all the time but had the input & output
filters for port 80 the wrong way around (so you can see
websites from within the server).

Also thanks for the tip about the checkbox (would have
never found it). Don't need it in the current setup (as a
standalone webserver), but will need it for another
small (low budget) network.

Thanks, Bas
 