
inbound dns ports

Status
Not open for further replies.

bshbsh

Technical User
Apr 11, 2007
163
US
I understand that DNS uses port 53, TCP for zone transfer and UDP for queries. But what port should be open inbound on my Windows box to receive the queries? When I set up the IP filter in Windows 2003, I am unable to do nslookup. When I remove the IP filter (in TCP/IP properties), then it works fine. Basically the filter allows only HTTP traffic inside. Everything else is blocked.
Please advise.
Thanks
 
Are we talking a standalone DNS server here, or a DC running DNS?

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
Actually, I have both in 2 different segments. What would be the case with either scenario? Please advise.
Thanks.
 
Your filter should include packets with source port 53 (which is what a DNS query will respond on).
 
Do you mean allow inbound port 53? Is it UDP, TCP, or both? Any other ports like NetBIOS?
Thanks.
 
Technically all you need opened is 53 UDP, however, it is better practice from a domain standpoint to open both TCP and UDP.

If you are putting an IP filter on a DC, then you are making a BIG mistake and putting yourself into a technically unsupportable scenario. You should NEVER put IP filtering directly on a DC NIC...very VERY bad juju. That is why I asked if DCs or member servers running DNS.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
No, I don't have filters on the DC/AD. Sorry for the confusion.
I have filters only on the webserver that is requesting the nslookup. So what ports should be open on the webserver to do nslookup?
Thanks,
 
Ah ok sweet :) Had me worried :)

Try 53 UDP, 53 TCP, 135 TCP, 1024-65535 TCP

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
Wow!! I need all these ports open inbound on the webserver to be able to receive DNS query results such as nslookup?
Any particular reason for all these ports?
Thanks.
 
If you are using the web server as a DNS server, then 53 is the port DNS is operating over. In looking at some traces I took of an nslookup though, I see source and destination ports of 2003, and 2004, which are in the RPC ephemeral range. Not quite sure why that's happening.

53 UDP should technically be all that's needed...I put 135 for RPC calls, in case any were being made, but none showed in the trace, so 135 shouldn't be needed. As a test, try opening 53 UDP and 1024-5000 just to see if that works.

My real suggestion is to utilize something like ISA to filter the traffic before the destination...even ISA server running on a VM....it would allow you to have web server rules and highly restrict traffic without all the configuration worries you are having here...and it could be done where your environment is exponentially expandable :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 

TCP 53 is also used for queries if the reply from the UDP query is truncated.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
To do an OUTBOUND query, all you need is destination 53 TCP/UDP; the source port will be a high port on your side (>1024).

 
Thanks for all the info. But I just want to clarify again that I am looking for ports that should be open on the inbound to receive DNS query requests.
Tx.
 
I think we have a disconnect on direction. If you are internal, and trying to get DNS resolution, your requests go OUTBOUND to destination port 53 sourced from a high port, and return (of course) from the remote source port 53 to your high port. This is considered OUTBOUND because we initiated the traffic.

The only time you would open port 53 INBOUND (to your DNS server) is if it were authoritative for a zone (either forward or reverse). Then you would allow 53 TCP/UDP to that server and use ACLs to restrict it to queries for the zone it is authoritative for.
 
Re, "If you are internal, and trying to get DNS resolution, your requests go OUTBOUND to destination port 53 sourced from a high port, and return (of course) from the remote source port 53 to your high port."
-> This is exactly why I am confused. That's how a typical firewall should behave. I am using the IP filter from TCP/IP properties to only let required ports like inbound 80 in on the webserver. But when I do this the server is unable to receive DNS query info, like when I do nslookup.
When I remove the filter, everything is back to normal. That's why I wondered if I need to open any other inbound TCP, UDP, or ICMP on the web server.
Thanks.
 
When you say you are unable to nslookup, are you using the server as a client or are you on the server itself? My reading of the windows 2003 ip filtering is that this should not affect the outbound ports, it is only designed to affect inbound ports.
 
I am using the server as a client.
I agree with you on the behaviour of Win IP filters. But it is not behaving as it should.
Tx.
 
"-> This is exactly why I am confused. That's how a typical firewall should behave."

Typically a decent firewall will be capable of stateful packet filtering, where any request over a certain port will allow the response requested (may be a bad way of explaining it). So most current firewalls would allow the high range ports automatically...
TCP/IP filtering will require they be opened manually.

If you turn off filtering, then take a trace from the client and server side at the same time, make your DNS request, stop the trace, then filter it for the 2 IPs, you should be able to see how those high range ports are used.
If you save those, then repeat the process with TCP/IP filtering on, you will see what port is causing the blockage....

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
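To make the stateless-versus-stateful distinction from the post above concrete, here is an added example (not code from anyone in this thread) that replays a constructed nslookup exchange through two toy filters: one that behaves like the inbound-only, stateless Windows 2003 TCP/IP filtering described here, and one with connection tracking. The addresses are made up, the ephemeral ports 2003/2004 are the ones Brandon reported seeing, and the 1025-5000 ephemeral range is assumed as the Windows 2003 default.

```python
from collections import namedtuple

# direction is "in" or "out" relative to the filtered web server
Packet = namedtuple("Packet", "proto src sport dst dport direction")

WEB, DNS = "10.0.0.5", "10.0.0.53"   # constructed addresses
HTTP_ONLY = [("tcp", 80, 80)]        # the poster's rule set: (proto, low port, high port)
# Stateless fix the thread arrives at for a DNS client: open the ephemeral range so
# replies can land (Windows 2003 default range of 1025-5000 assumed here).
HTTP_PLUS_EPHEMERAL = HTTP_ONLY + [("udp", 1025, 5000), ("tcp", 1025, 5000)]

def in_rules(pkt, rules):
    return any(pkt.proto == p and lo <= pkt.dport <= hi for p, lo, hi in rules)

def stateless_allows(pkt, rules):
    """Windows 2003 TCP/IP filtering as the thread describes it: inbound only, with
    no memory of what the host sent, so replies to ephemeral ports need explicit rules."""
    return pkt.direction == "out" or in_rules(pkt, rules)

class StatefulFilter:
    """Connection tracking: an outbound packet records its 5-tuple, and the mirrored
    inbound packet is accepted without an explicit inbound rule."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def allows(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return mirrored in self.flows or in_rules(pkt, self.rules)

# Constructed nslookup exchange using the ephemeral ports Brandon saw in his trace
TRACE = [
    Packet("udp", WEB, 2003, DNS, 53, "out"),  # query from an ephemeral port
    Packet("udp", DNS, 53, WEB, 2003, "in"),   # reply to that port (truncated, TC set)
    Packet("tcp", WEB, 2004, DNS, 53, "out"),  # TCP retry after truncation (Chris's point)
    Packet("tcp", DNS, 53, WEB, 2004, "in"),   # full answer over TCP
]

def dropped(allow, trace=TRACE):
    """(proto, dport) of every packet the given allow() function would drop."""
    return [(p.proto, p.dport) for p in trace if not allow(p)]

def compare(trace=TRACE):
    return {
        "stateless_http_only": dropped(lambda p: stateless_allows(p, HTTP_ONLY), trace),
        "stateless_with_ephemeral": dropped(lambda p: stateless_allows(p, HTTP_PLUS_EPHEMERAL), trace),
        "stateful_http_only": dropped(StatefulFilter(HTTP_ONLY).allows, trace),
    }
```

`compare()` shows the HTTP-only stateless rule set dropping both DNS replies while the stateful filter with the same rule set drops nothing; the price of the stateless fix is that the whole ephemeral range is then reachable from outside, not just replies the host asked for.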
 
I will check and post back.
Btw, "Is this box the DNS server?" --> No.
Thanks.
 