UDP Port 53 DNS Scans


Jocab

I have a Windows Server 2003 with DNS at a provider. I have set that
DNS should only work on one IP address, say 1.2.3.4. The server has 2
addresses, 1.2.3.4 and 1.2.3.5. On my firewall, I have only enabled
traffic on port 53 UDP/TCP to 1.2.3.4. However, I'm still getting
requests from an orsn.net host at 1.2.3.5. Is this normal? How can I
stop these?

Thanks
 
Is that server listed (as an A record) under both addresses?

If the NS points to DNS1, and DNS1 A record points to *.3 and *.4 then
you can expect requests on both addresses.
 
If the zone on the DNS server is AD integrated or the zone matches that of your AD domain, it will automatically populate the
zone with all IP addresses on the server. There are a few ways to prevent this. If the zone is not the zone used by AD but is AD
integrated, change the zone type to Standard primary and remove all references to the second IP address. Make sure that you
remove the NS record that includes the 1.2.3.5 address as well. If the zone is your AD zone, then you must disable dynamic
updates on the server and manually configure all the records. To do this please refer to: 178148 How to Disable Dynamic DNS
Registration http://support.microsoft.com/?id=178148


Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 
J> I'm still getting requests from an orsn.net host at 1.2.3.5.

That's very probably untrue. Look at the DNS traffic with a packet dumping
tool. You'll very probably find that the datagrams are _responses_, not
queries. In which case, you should be asking yourself why _you_ are sending
query datagrams out from that IP address, that are then being responded to.
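
Added example (not part of the original thread): the check suggested in the last reply, done on UDP port 53 payloads taken from a packet capture. It reads the QR bit in the DNS header to tell queries from responses and pairs each inbound response with an earlier outbound query. The function names, the 192.0.2.x peers and the sample datagrams are constructed for illustration.

```python
import struct

LOCAL_IP = "1.2.3.5"  # second address from the thread

def build(txid, response, qname):
    """Construct a minimal DNS message (sample data only)."""
    flags = 0x8180 if response else 0x0100  # QR bit set marks a response
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + name + b"\x00\x00\x01\x00\x01"

def parse_dns(payload):
    """Decode the DNS header and the first question name."""
    if len(payload) < 12:
        raise ValueError("shorter than a 12-byte DNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    labels, pos = [], 12
    while qdcount and pos < len(payload):
        n = payload[pos]
        if n == 0 or n & 0xC0:  # end of name or compression pointer
            break
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels)}

def classify(capture):
    """Label each (src, dst, payload) datagram seen at LOCAL_IP."""
    pending, labels = set(), []
    for src, dst, payload in capture:
        m = parse_dns(payload)
        key = (m["id"], m["qname"])
        if src == LOCAL_IP and not m["is_response"]:
            pending.add((dst,) + key)  # remember what we asked, and whom
            labels.append("outbound query")
        elif dst == LOCAL_IP and m["is_response"]:
            solicited = (src,) + key in pending
            labels.append("response to our query" if solicited else "unsolicited response")
        elif dst == LOCAL_IP:
            labels.append("inbound query")
        else:
            labels.append("outbound response")
    return labels

# Constructed capture: 192.0.2.53 stands in for the remote name server.
CAPTURE = [
    ("1.2.3.5", "192.0.2.53", build(0x1A2B, False, "example.com")),
    ("192.0.2.53", "1.2.3.5", build(0x1A2B, True, "example.com")),
    ("192.0.2.99", "1.2.3.5", build(0x0007, False, "example.org")),
]

if __name__ == "__main__":
    for pkt, label in zip(CAPTURE, classify(CAPTURE)):
        print(pkt[0], "->", pkt[1], label)
```

If the traffic logged at 1.2.3.5 comes out as "response to our query", the server itself is sending lookups from that address and the firewall is logging the replies.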
 