IP security -- filtering TCP/UDP ports

I'm the admin of a small NT network. There are these machines on which I need to block access to certain ports (including Quake 27500 and maybe WWW 80).

So what I did was --- in the TCP/IP protocol tab, under "advanced", I clicked on "enable security" and configured it to allow certain port numbers (which I deemed necessary).

Now, the problem is ... I need DNS to work. It worked before I started mucking with the TCP security. Anyway, according to RFC 1700, I included port 53 in the list of "allow"ed ports in both TCP and UDP. After rebooting, the stupid system refuses to resolve domain names properly.

Some other pointers that might help in the diagnosis are: I did enable port 23 and port 7 ... so telnet (from the test machine to my Linux box) and ping (both to and from the test machine) do work. My DNS servers are big Unix monsters 'upstream' from my domain, and DNS works again if I disable the security and reboot.

Can you tell me why DNS won't work on NT with TCP security enabled but with TCP/UDP port 53 "allowed"? Has MS implemented some funky way of resolving domain names that circumvents the open standard? Most importantly, *how* do I go about getting this to WORK?
If I'm not mistaken, you need to enable traffic on ports 42, 43, and 53 to get the DNS server to work.
atan111Author Commented:
actually, the entire list of ports i've already enabled traffic on so far is:

1,2,3,7,22,23,37,38,39,42,43,51,52,53,54,56 (decided to enable a few more around the 50 area to test it), 80, 88, 92, 6000-6020 (for x-windows)

so the dns still doesn't work. well... any other takers?

Just asking. Did you enable IP protocol (17)?
atan111Author Commented:
you mean enabling UDP over IP? well, I left the part on IP port filtering as "allow all" -- i.e. only filtering the TCP and UDP ports. so the answer is "yes", I suppose.
Some things to check:  are your dns servers (or your nt machine) behind a firewall?  if so you will need to proxy to your dns servers.  if that doesn't work, you can always take the long way around finding the solution by enabling all ports, and disabling them one at a time until you find the problematic port.  my guess is that you should allow all ports, and disable only those that need to be disabled (e.g. 27500 and maybe 80).  hope this helps.
atan111Author Commented:
no, my dns servers are not behind any firewall. i know the setup works with ALL ports allowed.

the cinch is ... Win NT 4.0 only allows you to "allow all" or "allow only" rather than "disable only" ... which is rather irritating (yes, i have already thought of your idea myself ...) -- enabling ports one at a time seems like an impossible task (gee ... there are ... what? unlimited potential numbers of ports ... especially since I have to *REBOOT* (dang Win NT) each time I do this ... sheesh)
To my knowledge, Microsoft DNS supports the following RFCs:
1033, 1034, 1035, 1101, 1123, 1183 and 1536.

There's nothing about the 1700! So perhaps, you just have to wait for a better MS solution with a later version of Windows NT.
atan111Author Commented:
as far as I know, DNS requires port 53 ... and this was specified before RFC 1700 (which only specifies registered port numbers, not DNS queries)

what I want to know is -- if M$ does use unspecified methods of resolving DNS queries, what are the port numbers they use? (so I can ... well ... make it work)
I'd log a $200 priority support call and let them stew over it.  It'd be worth it to see how silly that call would be.  Probably waste a few days of your time working with MS though.
I think this is a good question. Why hasn't MS given this information, when they have actually made the whole thing the opposite of what it should have been? The only good reason I can imagine for doing it this way is this: to be able to make a secure environment ("enable security"), you are better off with zero ports as the default. You are in control, and only you decide which ports are open over the net. By the way, I think it would have been nice to find some help file with information about the ports which are open without "enable security", to compare against this. At least a "Default security" button on the "enable security" dialog window would have been nice...

Good luck.
Probably I didn't read the question and the follow-ups completely but I have one basic question.  Are you trying to make the DNS work or the Microsoft DNS Server to work?
I mean is your NT box a MS DNS Server?

atan111Author Commented:
no, snimmaga, the NT boxes are not DNS servers. what I'm trying to do is get the domain name resolving to work ... using my usual DNS servers (big chunky UNIX boxes, btw, which I'm not an admin of).

I've changed the ports that I've "allow"ed since then -- now it's 7,22,23,25,37,38,42,43,52-56,80,88,92,109-110,123,137-139,177,546-547,1512,2064,6000-6020 ...

but DNS resolving still doesn't work ... :(
atan111Author Commented:
well, still no takers? *sigh*
I tried the "enable security" in NT with the same results. No way with these rudimentary filtering features. I suggest installing RRAS, which is better by far for filtering and more. And RRAS is free.
Anyhow, I learned that with current MS products there is no way to get a real, strong firewall. If needed, try some dedicated firewall for NT (bucks required).
atan111Author Commented:
RRAS? whazzat? where do you get it? (if i sound stupid, it's because of a lack of sleep)
RRAS (Routing and Remote Access Server) can be freely downloaded from Microsoft.
URL: http://www.microsoft.com/communications/routing&ras.htm

atan111Author Commented:
hmm.... sorin, RRAS seems kewl (i'm waiting for the multiple reboots for it to install properly ... geez, Linux doesn't need half this many reboots...)

but ...

it refuses to install on the Workstations! now, i wish i could give partial points out but my main problem is with the workstations... any more ideas? (how about hacks to make the workstations look like servers?... hmm)

back to testing...
Maybe Unixes don't need many reboots, but other things ...
Yes, unfortunately RRAS requires NT Server, but I suggest using Server anyway, otherwise you will not be able to install much other software (BackOffice components, etc). More than that, I recommend BackOffice or Small Business BackOffice. Maybe you already know, but BackOffice is a great deal, it is cheap and it gives almost all the system software you need for a network. A Unix solution similar to BackOffice is more expensive by far.
atan111Author Commented:
i can't get money to turn each and every NT 4.0 Wks into a NT 4.0 Server ... just so that I can use RRAS for IP filtering ... there *should* be a suitable way to configure the Wks for the IP filtering (that avoids the crap about "enable security")

in any case, i don't want to start an OS holy war, but for most of what BackOffice offers ...
Exchange server -- sendmail/Qmail on Linux is way cheaper (free can't be beat) and works better
proxy server -- have you heard of Squid?

and ... and ... my small network doesn't justify shelling out for possibly unnecessary expenses (my webserver runs on Apache 1.2.5 on Linux and I use sendmail 8.8.8 ... Samba on Linux actually runs as my fileserver ... i mean, yeah, i'd use NT for fileserving, but you'd gotta be crazy to run a fileserver without user quotas built into the system...)

there you go. my Linux spiel for the day (commercial Unix is mucho more expensive, i admit)
Happy linuxing! I admire the enthusiasts.
Exchange is not e-mail only, it is a communication server. If you need network fax+telex+inmarsat (3rd party Exchange based, but it gives us a total communication solution) and team-work support, etc ...
What about SQL Server? A business database is a must.
We need also the SNA Server for the AS/400.
BOffice has also IIS, Proxy, SMS included.
And Small Business BackOffice is quite affordable, best for a small network (under 25 users).
Are you using DHCP ?
atan111Author Commented:
RebosMan: nope.
You can also try checking the "Enable DNS for Windows Resolution" item under the WINS tab in TCP/IP properties.  This tells WinNT to use DNS for Windows name resolution.  It could help because your problem could be related to the order that Windows NT uses different services to resolve host names.  Probably not, but it's worth a shot.

You can also troubleshoot this better by using the network monitor on the NT Machines.  You install it by adding the Network Monitor and Agent service to your Services tab in Network Properties.  This tool can be used to capture the packets that are sent back and forth between the machines.

Try the configuration change that I suggested and see if it helps.  If it doesn't we can take this to the next step by actually capturing a DNS name resolution with the network monitor.

Atan don't spend the time, there is no way with default NT "enable security". Use RRAS and NT Server.
Port 53 is OK for DNS, but when you choose to disable all but port 53, you are going for trouble. Windows NT needs other ports for communication, like some of the ones you already mentioned, and some more (depending on which services you want running on your computer).

About the security. It's not enough to keep the allowed ports to a minimum, you actually need to know which services are running on which protocols using which ports.

I don't think RRAS would do any better than a reinstallation of TCP/IP. But, by using RRAS, you can get security by using the PPTP protocol.

I think if you started all over by uninstalling TCP/IP, then reinstalling TCP/IP and setting the ports you want to open by using the "enable security" button, you can add services after this. Then, I think the services will show some indication if there are any problems using them. The advantage you get is obviously a less complex space for troubleshooting the error.

Today, you have the opposite troubleshooting situation. I think I want to bet my money on number 17 on the roulette, rather than continuing in your trail. Change strategy.

If you want to solve this without guessing any more, the only way to do it is to actually LOOK at what is REALLY happening instead of going around in circles.  The only way to do this is to capture the DNS name resolution process with a network monitor.  You will be able to see all of the IP and UDP packets.  You will be able to see which ports are really being used.  It will let you determine once and for all, what is going on.  All of this other garbage is just wasting time and is pure conjecture.

atan111Author Commented:
nice try for the points, hkp. hmm... this thread is getting stupid. i can't divide the points giving up, huh?

yeah. i'll try the network sniffing next (should have thought of it earlier... sheesh) ... i suspect WinNT tries to make outgoing ports in the range 1000-1200 (incrementally and all that kinda crap) ... based on my experience on my home Win95 machine (gotta change it to Linux someday soon ... and actually learn something from the ground up instead of trying to figure out what the MS-product is doing...)

i suspect the packet sniffing will work. will try it out tomorrow
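The following is an added example and not code from this thread, from Microsoft or from any of the posters. It models the symptom under discussion: an allow-list filter that, as the thread describes, only lets you "allow" ports and (my assumption, consistent with the telnet-works/DNS-fails observations above for UDP) inspects inbound datagrams only, matching on their destination port with no memory of what the host sent out. It also prints the two lines a Network Monitor capture of the lookup would show, which is where the suspicion about ephemeral ports above can be confirmed. All addresses, the query and the ephemeral port are constructed values; the 1025-5000 dynamic port range is the default on NT-era Windows and should be verified with a capture on the machine itself.

```python
"""
Added example (not from the thread): a stateless, inbound-only, allow-list
port filter applied to one DNS lookup, beside a stateful filter that admits
replies to flows the host itself opened.

Assumption (mine): the filter matches the DESTINATION port of each inbound
UDP datagram and keeps no state. A query sent TO port 53 gets its reply sent
back TO the client's ephemeral port, so the reply is dropped even though
53 is on the allow list.
"""
import struct
from dataclasses import dataclass

CLIENT = "10.0.0.5"       # constructed: the filtered NT workstation
DNS_SERVER = "10.0.0.53"  # constructed: the upstream resolver
NT_EPHEMERAL = range(1025, 5001)  # default dynamic port range on NT-era Windows


@dataclass(frozen=True)
class Datagram:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def dns_query(txid: int, name: str) -> bytes:
    """Minimal DNS message: header with RD set, one A/IN question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_response(query: bytes) -> bytes:
    """Constructed reply: same transaction id, QR/RD/RA flags set, question echoed."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HH", txid, 0x8180) + query[4:]


def describe(d: Datagram) -> str:
    """One capture-style line: protocol, 4-tuple, DNS transaction id and direction."""
    txid, flags = struct.unpack("!HH", d.payload[:4])
    kind = "response" if flags & 0x8000 else "query"
    return f"{d.proto} {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} DNS {kind} id=0x{txid:04x}"


class StatelessInboundFilter:
    """Allow list checked against the destination port of INBOUND datagrams only."""

    def __init__(self, udp_ports, tcp_ports):
        self.allowed = {"udp": set(udp_ports), "tcp": set(tcp_ports)}

    def outbound(self, d: Datagram) -> bool:
        return True  # nothing leaving the host is inspected or remembered

    def inbound(self, d: Datagram) -> bool:
        return d.dst_port in self.allowed[d.proto]


class StatefulFilter(StatelessInboundFilter):
    """Same allow list, plus: a reply to a flow this host opened is admitted."""

    def __init__(self, udp_ports, tcp_ports):
        super().__init__(udp_ports, tcp_ports)
        self.flows = set()

    def outbound(self, d: Datagram) -> bool:
        self.flows.add((d.proto, d.src_ip, d.src_port, d.dst_ip, d.dst_port))
        return True

    def inbound(self, d: Datagram) -> bool:
        reverse = (d.proto, d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        return reverse in self.flows or super().inbound(d)


def dns_lookup(filt, client_port: int = 1025):
    """Push one query out through the filter and test whether its reply gets back in.

    Returns (reply_admitted, [capture line for query, capture line for reply])."""
    q = Datagram("udp", CLIENT, client_port, DNS_SERVER, 53, dns_query(0x1234, "example.com"))
    filt.outbound(q)
    r = Datagram("udp", DNS_SERVER, 53, CLIENT, client_port, dns_response(q.payload))
    return filt.inbound(r), [describe(q), describe(r)]


if __name__ == "__main__":
    cases = [
        ("permit only 53, stateless", StatelessInboundFilter([53], [53])),
        ("permit 53 + 1025-5000, stateless", StatelessInboundFilter({53, *NT_EPHEMERAL}, [53])),
        ("permit only 53, stateful", StatefulFilter([53], [53])),
    ]
    for label, f in cases:
        ok, trace = dns_lookup(f)
        print(f"{label}: reply {'admitted' if ok else 'DROPPED'}")
        for line in trace:
            print("   ", line)
```

The first case reproduces the thread's symptom: the reply is addressed to the ephemeral port and is dropped. The second case is the only workaround available to a filter that cannot track state, and it is worth seeing what it costs: every inbound UDP datagram to any port in the dynamic range is now admitted, which is a much wider exposure than "port 53". The third case is what a real firewall does and what the stateless NT dialog cannot.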
;-) Good luck, you're gonna need it, huh?
Port numbers for well-known services as defined by RFC 1060 (Assigned Numbers) are as follows. Check with yours.
service name      port/<protocol>  aliases       # comment
systat             11/tcp
systat             11/tcp    users
daytime            13/tcp
daytime            13/udp
netstat            15/tcp
qotd               17/tcp    quote
qotd               17/udp    quote
chargen            19/tcp    ttytst source
chargen            19/udp    ttytst source
ftp-data           20/tcp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
time               37/tcp    timserver
time               37/udp    timserver
rlp                39/udp    resource      # resource location
name               42/tcp    nameserver
name               42/udp    nameserver
whois              43/tcp    nicname       # usually to sri-nic
domain             53/tcp    nameserver    # name-domain server
domain             53/udp    nameserver
nameserver         53/tcp    domain        # name-domain server
nameserver         53/udp    domain
mtp                57/tcp                  # deprecated
bootp              67/udp                  # boot program server
tftp               69/udp
rje                77/tcp    netrjs
finger             79/tcp
link               87/tcp    ttylink
supdup             95/tcp
hostnames         101/tcp    hostname      # usually from sri-nic
iso-tsap          102/tcp
dictionary        103/tcp    webster
x400              103/tcp                  # ISO Mail
x400-snd          104/tcp
csnet-ns          105/tcp
pop               109/tcp    postoffice
pop2              109/tcp                  # Post Office
pop3              110/tcp    postoffice
portmap           111/tcp
portmap           111/udp
sunrpc            111/tcp
sunrpc            111/udp
auth              113/tcp    authentication
sftp              115/tcp
path              117/tcp
uucp-path         117/tcp
nntp              119/tcp    usenet        # Network News Transfer
ntp               123/udp    ntpd ntp      # network time protocol (exp)
nbname            137/udp
nbdatagram        138/udp
nbsession         139/tcp
NeWS              144/tcp    news
sgmp              153/udp    sgmp
tcprepo           158/tcp    repository    # PCMAIL
snmp              161/udp    snmp
snmp-trap         162/udp    snmp
print-srv         170/tcp                  # network PostScript
vmnet             175/tcp
load              315/udp
vmnet0            400/tcp
sytek             500/udp
biff              512/udp    comsat
exec              512/tcp
login             513/tcp
who               513/udp    whod
shell             514/tcp    cmd           # no passwords used
syslog            514/udp
printer           515/tcp    spooler       # line printer spooler
talk              517/udp
ntalk             518/udp
efs               520/tcp                  # for LucasFilm
route             520/udp    router routed
timed             525/udp    timeserver
tempo             526/tcp    newdate
courier           530/tcp    rpc
conference        531/tcp    chat
rvd-control       531/udp    MIT disk
netnews           532/tcp    readnews
netwall           533/udp                  # -for emergency broadcasts
uucp              540/tcp    uucpd         # uucp daemon
klogin            543/tcp                  # Kerberos authenticated rlogin
kshell            544/tcp    cmd           # and remote shell
new-rwho          550/udp    new-who       # experimental
remotefs          556/tcp    rfs_server rfs# Brunhoff remote filesystem
rmonitor          560/udp    rmonitord     # experimental
monitor           561/udp                  # experimental
garcon            600/tcp
maitrd            601/tcp
busboy            602/tcp
acctmaster        700/udp
acctslave         701/udp
acct              702/udp
acctlogin         703/udp
acctprinter       704/udp
elcsd             704/udp                  # errlog
acctinfo          705/udp
acctslave2        706/udp
acctdisk          707/udp
kerberos          750/tcp    kdc           # Kerberos authentication--tcp
kerberos          750/udp    kdc           # Kerberos authentication--udp
kerberos_master   751/tcp                  # Kerberos authentication
kerberos_master   751/udp                  # Kerberos authentication
passwd_server     752/udp                  # Kerberos passwd server
userreg_server    753/udp                  # Kerberos userreg server
krb_prop          754/tcp                  # Kerberos slave propagation
erlogin           888/tcp                  # Login and environment passing
kpop             1109/tcp                  # Pop with Kerberos
phone            1167/udp
ingreslock       1524/tcp
maze             1666/udp
nfs              2049/udp                  # sun nfs
knetd            2053/tcp                  # Kerberos de-multiplexor
eklogin          2105/tcp                  # Kerberos encrypted rlogin
rmt              5555/tcp    rmtd
mtb              5556/tcp    mtbd          # mtb backup
man              9535/tcp                  # remote man server
w                9536/tcp
mantst           9537/tcp                  # remote man server, testing
bnews           10000/tcp
rscs0           10000/udp
queue           10001/tcp
rscs1           10001/udp
poker           10002/tcp
rscs2           10002/udp
gateway         10003/tcp
rscs3           10003/udp
remp            10004/tcp
rscs4           10004/udp
rscs5           10005/udp
rscs6           10006/udp
rscs7           10007/udp
rscs8           10008/udp
rscs9           10009/udp
rscsa           10010/udp
rscsb           10011/udp
qmaster         10012/tcp
qmaster         10012/udp



with the same prob btw
You see, no answer to the question. At least, I tried to answer the best I could.
