Ephemeral ports in Windows2000 (a way to fix the port for queries to root DNS servers)

  • Thread starter Thread starter Roy Valenciano
  • Start date Start date
R

Roy Valenciano

Does anybody know how to fix the ports used for W2K when it queries root DNS
servers ?

We want to protect a DNS server throu ACLs, the problem is: according to the
Technet, W2K uses ephemeral ports (1024..5000) for such queries, which means
all that port range has to be open on the ACL, in order to permit the
entrance of the returning traffic throu the Router. We want that the DNS
server uses only a fixed port, let's say UDP 53, as it did on NT 4.

Thank you.
 
In
Roy Valenciano said:
Does anybody know how to fix the ports used for W2K when it queries
root DNS servers ?

We want to protect a DNS server throu ACLs, the problem is: according
to the Technet, W2K uses ephemeral ports (1024..5000) for such
queries, which means all that port range has to be open on the ACL,
in order to permit the entrance of the returning traffic throu the
Router. We want that the DNS server uses only a fixed port, let's say
UDP 53, as it did on NT 4.

Thank you.
Click to expand...

I hate those emperial ports. You can force it thru the reg. Read up on it:

SendPort for DNS (is what you need to know about):
http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/95408.asp

Read up on this. In part 3 there's info about the SendOnNonDnsPort.
Some more info on reg entries for DNS:
198410 - Microsoft DNS Server Registry Parameters, Part 3 of 3:
http://support.microsoft.com/?id=198410
198409 - Microsoft DNS Server Registry Parameters, Part 2 of 3:
http://support.microsoft.com/?id=198409
198408 - Microsoft DNS Server Registry Parameters, Part 1 of 3:
http://support.microsoft.com/?id=198408

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
RV> We want to protect a DNS server throu[gh] ACLs, the problem is:

The problem is that you don't understand what you are doing and why.
Ephemeral ports are a good thing. What you are supposedly protecting your DNS
server from is response spoofing. But part of what makes responses difficult
(albeit not very difficult - The DNS protocol was not well designed.) to spoof
is that an attacker has to guess both message ID and local port number. If
you fix the local port number, in the way that you are wanting to, all that an
attacker has to do is guess the message ID. You merely make the attack quite
a lot easier.

<URL:http://cr.yp.to/djbdns/forgery.html>
 
Back
Top