TCP/IP Filtering and DNS problems
| Glenn 2004-06-20, 10:36 pm |
I have just recently set up IIS Server on Windows 2000 Advanced Server. The server has 16 IP addresses assigned to it in a class C with a subnet mask of 255.255.255.0 (I guess this is obvious) for each of the proposed web sites, the e-mail server and DNS. I was given 2 DNS addresses from the ISP (which I ping well and which work consistently on the next server on the rack).

On installation and testing the network configuration all seems fine; I am able to browse the internet (msn, yahoo and such) from this server. I am also able to see the web server, it receives e-mail properly and Terminal Services (remote admin mode) works fine.

I thought that I should first filter TCP/IP to close off all unneeded ports. So I added ports 25, 53, 80, 110 & 3389 to the TCP Ports list in TCP/IP filtering and 53 to UDP Ports, with "Permit Only" checked for both (TCP and UDP) and Permit All on IP Protocols. This then required a restart.

I restarted the server and I can still log in with Terminal Services. The server still receives e-mail. The web sites are all still accessible. But I am not able to browse the internet from the server (my test for checking the DNS lookup ability); I cannot go to any site unless I specify an IP address.

I thought I had a handle on this but now I feel confused. I removed the TCP/IP filters and it worked again, so I know the basic TCP/IP configuration is right, but does anyone have any insight or advice as to why DNS would seem to drop out when applying the above filters?

Thanks in advance,
Glenn

If any other information is required to decipher this issue please ask.
| |
| Bernard 2004-06-26, 10:16 am |
I don't think DNS is having a problem.
It's because you don't allow any source port to bind locally,
e.g. IE's source port to a remote web server's port 80.
Try ping at the command prompt and see if it resolves to an IP address
for the domain you would like to browse.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
| |
| Glenn 2004-06-26, 10:16 am |
Actually I don't understand what you mean. I explained that I opened the specific ports in the TCP/IP filtering and that is what seems to cause the problem. DNS works normally, but when I only leave the ports for web (80), e-mail (25 & 110), ftp (21) and DNS (TCP & UDP 53) I get no DNS activity. It is like DNS just stops. I am able to ping directly, i.e. "ping 216.116.*.*" pings fine, but on pinging a specific site, i.e. "ping yahoo.com", I get nothing, so I wonder what else DNS needs open to work. I have always understood that DNS only needs port 53. Am I wrong? Also if I put a direct address for an outside website, i.e. yahoo.com's direct IP address, it works fine, so the ports are properly open for the application. It just seems that DNS is shut down.
Thanks again.
Glenn
| |
| Bernard 2004-06-26, 10:16 am |
I was saying, when you use IE locally, it cannot bind local port XXXX
which connects to destination port 80 on the remote host.
Do a simple test: try ping www.yahoo.com; do you see an IP reply?
What was the DNS server you configured in your TCP/IP properties?
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
| |
|
I believe the issue is that when you try to resolve an address via DNS, your system sends a UDP (random port) -> (53) request to the DNS server. Since UDP is connectionless, the response comes back (53) -> (random port), which your filter drops. You can add a filter that accepts a source of UDP 53 and a destination of any port, but that opens you up to anyone who wants to send you packets with a source port of 53. Refining your rule to limit it to a particular IP address (e.g. the IP of your DNS server) will help, but, since UDP is connectionless, someone hacking UDP could fake the source address if they know the IP of your DNS server. I've never found a really good solution to this, beyond putting the web server behind a firewall (or adding a 2nd NIC which is behind the firewall and using the firewall as the DNS server and permitting UDP as described above on that NIC to that server). Of course, the only "surfing" I do from the web site is to Windows Update. I'd wonder why you would care about securing your system so tightly and then go surfing off to yahoo etc.
| |
| neung11 2004-07-11, 12:14 am |
I recommend using IPsec to filter the required ports instead of TCP/IP Filtering.
But if you want to use TCP/IP Filtering, also use IPsec together with it.
For your problem, set the TCP/IP Filtering as below:
TCP: allow port 53
UDP: allow all ports
For IPsec, set as below:
Allow TCP and UDP port 53 from and to your server.
Also make the mirror rules.
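The mechanism in the two replies above (the dropped UDP reply, the source-port refinement and its spoofing caveat, and neung11's "UDP allow all" setting), as an added Python model that is not code from the thread or from Windows. It assumes what the posters describe: inbound packets are matched on their destination port, TCP is only checked when a connection is opened (which is why browsing by IP still worked), and UDP is judged one datagram at a time; the addresses, ports and packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int       # port on the filtered server
    syn: bool = False   # TCP only: True for a connection-opening segment

@dataclass
class TcpIpFilter:
    # 'Permit Only' port lists; None stands for 'Permit All'.
    tcp_ports: Optional[Set[int]]
    udp_ports: Optional[Set[int]]
    # Refinement from the unattributed reply: accept UDP whose source is
    # (DNS server IP, port 53) regardless of the local destination port.
    trusted_dns: Optional[Tuple[str, int]] = None

    def accepts_inbound(self, p: Packet) -> bool:
        if p.proto == "tcp":
            if not p.syn:
                return True  # assumption: data for a connection we opened passes
            return self.tcp_ports is None or p.dst_port in self.tcp_ports
        if self.udp_ports is None or p.dst_port in self.udp_ports:
            return True
        return self.trusted_dns is not None and (p.src_ip, p.src_port) == self.trusted_dns

DNS_SERVER = "192.0.2.53"  # constructed stand-in for the ISP resolver
EPHEMERAL = 1055           # constructed: random local port picked by the resolver

# Constructed inbound packets matching the tests described in the thread.
DNS_REPLY = Packet("udp", DNS_SERVER, 53, EPHEMERAL)             # answer to our lookup
WEB_REPLY = Packet("tcp", "198.51.100.10", 80, EPHEMERAL)         # site browsed by IP
WEB_REQUEST = Packet("tcp", "203.0.113.7", 40000, 80, syn=True)   # visitor hitting port 80
FORGED = Packet("udp", DNS_SERVER, 53, 1434)                      # source address forged

def glenn_filter() -> TcpIpFilter:     # first post: TCP 25,53,80,110,3389; UDP 53
    return TcpIpFilter({25, 53, 80, 110, 3389}, {53})

def refined_filter() -> TcpIpFilter:   # plus 'trust UDP 53 from the DNS server'
    return TcpIpFilter({25, 53, 80, 110, 3389}, {53}, trusted_dns=(DNS_SERVER, 53))

def neung11_filter() -> TcpIpFilter:   # UDP 'Permit All', UDP policy left to IPsec
    return TcpIpFilter({25, 53, 80, 110, 3389}, None)
```

Under the original lists the DNS answer is the only packet dropped, while the refined rule admits the answer and, equally, any datagram that merely claims the resolver's address and port 53, which is the caveat the reply raises.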