In posted their thoughts said:
> 53 using UDP and TCP (both) covers DNS so something
> else is wrong.
Actually you'll unfortunately need those dynamic ports opened too that
Windows uses, that BIND doesn't use, 1024-65534, unless there is something
else configured that's not mentioned, such as that the forwarders are
configured properly, he's only pointing to his own server, what direction
opened, who is the source and who is the destination ports configured in
IPSec filters, etc.
If pointing to his DNS, and the filters allow internal Windows machines to
access it with those wide ports, and the filters are allowing two way
communication from the destination DNS (the Forwarder) to itself, and
reverse, then I wouldn't see a problem. If the filtering is just to the
external DNS, and not taking in consideration access from the clients, well,
that could be a problem too. If this is happening solely on the server, then
either the wide range is not opened and/or in the wrong direction or only in
one direction.
I find it easier to use a firewall. IMHO, TCP filtering is overhead on the
machine. I would rather the firewall handle the traffic. On the firewall,
(depending on the brand), allow all "Established" for internal to outside
resources and the response to come in, and block all incoming (or just allow
what is needed to come in, if running any services).
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
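Added example, not code from Ace's post: a small model of the point made above. A stateless filter (the IPSec/TCP-IP filtering style) that only opens port 53 drops the Windows forwarder exchange, because the query leaves from a dynamic source port; it passes once 1024-65534 is open in both directions, or once a stateful firewall tracks "Established" replies. Addresses and the port 49152 are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"

# Stateless rule: (proto, (src_lo, src_hi), (dst_lo, dst_hi)); direction is
# given by which list (outbound or inbound) the rule sits in.
def stateless_allows(rules, pkt):
    for proto, (slo, shi), (dlo, dhi) in rules:
        if proto in (pkt.proto, "any") and slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi:
            return True
    return False

class StatefulFirewall:
    """Allow outbound per rules; allow inbound only as the reply to a tracked flow."""
    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.flows = set()

    def allows(self, pkt, outbound):
        if outbound:
            if stateless_allows(self.outbound_rules, pkt):
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # "Established": the reverse 5-tuple must match a flow we let out.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def forwarder_exchange(server="192.0.2.10", forwarder="198.51.100.53", proto="udp"):
    # Constructed: the DNS server queries its forwarder from a dynamic port.
    query = Packet(server, 49152, forwarder, 53, proto)
    reply = Packet(forwarder, 53, server, 49152, proto)
    return query, reply

def stateless_exchange_ok(out_rules, in_rules):
    q, r = forwarder_exchange()
    return stateless_allows(out_rules, q) and stateless_allows(in_rules, r)

def stateful_exchange_ok(out_rules):
    fw = StatefulFirewall(out_rules)
    q, r = forwarder_exchange()
    return fw.allows(q, outbound=True) and fw.allows(r, outbound=False)

DNS, DYN = (53, 53), (1024, 65534)
ONLY_53 = [("any", DNS, DNS)]      # "53 both ways" and nothing else
OUT_DNS = [("any", DYN, DNS)]      # server -> forwarder
IN_DNS = [("any", DNS, DYN)]       # forwarder -> server (the reverse direction)
```

Run the checks in the test below to see that the only-53 ruleset fails, the pair OUT_DNS/IN_DNS passes, and a stateful firewall needs only the outbound rule.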