Which ports not to block for DNS to work


Bogdan

Hi,

We've been trying to block 'unwanted' ports on our machines but have run
into problems with DNS. We let the traffic through port 53 but that does
not seem to be enough. That port is supposedly used by DNS servers. W2K
clients can connect to DNS servers on any [application] port.
Has anyone figured out which ports are used by W2K machines when they connect
to DNS servers? Are they predictable?

We'd appreciate any info.

Thanks,
Bogdan.
 
DNS clients, which would include DNS servers forwarding to the internet or using root
hints, need to have outbound access for port 53 UDP enabled. --- Steve
 
Have you enabled both TCP and UDP 53?

You'll need to open up "ephemeral" outgoing ports
1024 and up if you're blocking outbound since there's
no way to control the port selection for client queries.

Steve Duff, MCSE
Ergodic Systems, Inc.
 
We did have UDP 53 enabled. We did not allow any traffic on application
ports (above 1024) and that seemed to cause problems.
We have hundreds of W2K machines running 24x7 in a rather controlled
environment. The primary application that runs on them occasionally needs
to use HTTP and FTP protocols to transfer data from a server. In addition,
we use a pre-configured TCP port (above 1024) for our proprietary control
protocol. Our original plan was to use built-in TCP/IP filtering and
"Permit only" selected TCP/UDP ports (i.e. ports used by HTTP, FTP, DNS, and
our proprietary protocol). That seemed to work except for DNS queries.

Any other suggestions?

Thanks,
Bogdan


Steven L Umbach said:
DNS clients, which would include DNS servers forwarding to the internet or using root
hints, need to have outbound access for port 53 UDP enabled. --- Steve

 
Yes, we did have TCP and UDP 53 enabled. The blocked "ephemeral" outgoing
ports seemed to cause the problem. Since we cannot predict their values it
looks like we cannot simply use built-in TCP/IP filtering to secure our
machines.
Please see my reply to Steven above. I'd appreciate if you have further
suggestions.

Thanks,
Bogdan


Steve Duff said:
Have you enabled both TCP and UDP 53?

You'll need to open up "ephemeral" outgoing ports
1024 and up if you're blocking outbound since there's
no way to control the port selection for client queries.

Steve Duff, MCSE
Ergodic Systems, Inc.

 

TCP and UDP port 53, normally just outbound. But you shouldn't block
unwanted ports, you should block all ports and open only what you
need.

Jeff
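Added illustration (not from any poster in this thread) of why a stateless "permit only port 53" list breaks DNS replies, what Steve's "open 1024 and up" workaround lets through, and how a filter that tracks outstanding queries avoids both problems. The filter classes, addresses and port numbers are constructed for the example; the stateless model is an assumption about how a per-port inbound permit list behaves, not a description of the Windows 2000 code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    direction: str  # "out" = leaving this host, "in" = arriving at this host

def port(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])

def stateless_permit_only_53(pkt: Packet) -> bool:
    """Assumed model of a per-port 'Permit only' list: inbound packets pass
    only if their destination port is 53; outbound is not filtered."""
    return pkt.direction == "out" or port(pkt.dst) == 53

def stateless_open_ephemeral(pkt: Packet) -> bool:
    """The workaround from the thread: additionally permit inbound to 1024+."""
    return pkt.direction == "out" or port(pkt.dst) == 53 or port(pkt.dst) >= 1024

class StatefulFilter:
    """Permits an inbound packet only if it answers a packet this host sent."""
    def __init__(self) -> None:
        self.pending: set = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.pending.add((pkt.proto, pkt.src, pkt.dst))
            return True
        # A reply swaps src and dst relative to the query we recorded.
        return (pkt.proto, pkt.dst, pkt.src) in self.pending

# Constructed traffic: the resolver picks ephemeral source port 49152 for
# its query; the server answers back to that port. The third packet is
# unsolicited inbound traffic to some other high port.
QUERY = Packet("udp", "10.0.0.5:49152", "10.0.0.2:53", "out")
REPLY = Packet("udp", "10.0.0.2:53", "10.0.0.5:49152", "in")
UNSOLICITED = Packet("udp", "192.0.2.9:4444", "10.0.0.5:5000", "in")

def evaluate() -> dict:
    """Returns (query allowed, reply allowed, unsolicited allowed) per filter."""
    sf = StatefulFilter()
    results = {}
    for name, fn in (("permit_only_53", stateless_permit_only_53),
                     ("open_ephemeral", stateless_open_ephemeral),
                     ("stateful", sf.permit)):
        results[name] = (fn(QUERY), fn(REPLY), fn(UNSOLICITED))
    return results
```

Only the stateful filter passes the DNS reply while still rejecting the unsolicited packet; opening 1024 and up makes DNS work but admits any inbound traffic to those ports.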
 