  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 448

Secure DNS Zone XFR

I am setting up my own DNS servers on the Internet instead of using my ISP for DNS.  I am using win2k3 server with the Microsoft DNS server.  I setup the primary and secondary servers and secured them according to Microsoft's whitepapers.  The secondary server will not zone XFR if I enable TCP/IP Filtering and restrict it to UDP and TCP port 53.  If I remove TCP/IP filtering the zone XFR works just fine.  Why?
Asked by: theonlymikec
1 Solution

bbao (IT Consultant) commented:
Which option have you checked, "Permit All" or "Permit Only"? You should choose the latter. BTW, please don't forget that this will also disable all other incoming requests to the server, which is commonly not recommended though it seems more secure.

theonlymikec (Author) commented:
bbao - thanks for replying. I have selected "permit only". I know this will disable all other incoming requests - this is ONLY a DNS server and I don't want anything else being accessed. It works fine as a DNS server when I lock it down, except for the fact that it won't zone XFR to the secondary. I collected packet captures using Network Monitor and I can't see where it is using anything other than 53 when all ports are opened up... There must be something dumb I'm missing...

bbao (IT Consultant) commented:
You should also enable TCP port 53 for transferring DNS.
theonlymikec (Author) commented:
No offense but... did you read my original post? I did that. When I restrict the server to only UDP and TCP port 53, zone XFR fails but DNS queries work properly. If I remove the restrictions (permit all UDP and TCP) the zone XFR works fine.

In an effort to secure this server in a different way, I used the "Internet Connection Firewall" and only allow ICMP, UDP-53 and TCP-53. Looking at the log file, I can see that only port 53 is being processed and other connection attempts (135, 139...) are being dropped. With this enabled, zone XFRs work properly. Maybe I'll just leave it like this...
 
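The log check described in the post above, as an added example that is not the poster's own code: a small parser for the W3C-style format the ICF log (pfirewall.log) uses, run over constructed sample records, to confirm that nothing other than port 53 is being allowed and that the secondary's TCP connection to port 53 (which a zone transfer needs, whereas ordinary queries usually stay on UDP) is getting through. The `#Fields:` header line, the addresses and the record values are assumptions for the sample; the parser takes the column names from whatever header the real log carries.

```python
import io
from collections import Counter

# Constructed sample in the W3C-style layout of the ICF log; the #Fields header
# is an assumption here and is read at parse time, not hard-coded.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-03-01 02:00:01 OPEN UDP 192.0.2.20 192.0.2.10 1053 53 - - - - - - - -
2005-03-01 02:00:01 OPEN TCP 192.0.2.20 192.0.2.10 1054 53 48 S 1234567 0 65535 - - -
2005-03-01 02:00:02 DROP TCP 198.51.100.7 192.0.2.10 3311 135 48 S 99887766 0 16384 - - -
2005-03-01 02:00:03 DROP TCP 198.51.100.7 192.0.2.10 3312 139 48 S 99887767 0 16384 - - -
2005-03-01 02:00:04 OPEN UDP 203.0.113.5 192.0.2.10 40000 53 - - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per record, naming the columns from the #Fields header line."""
    fields = None
    for line in io.StringIO(text):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # comments, blanks, or data before any header
        yield dict(zip(fields, line.split()))

def summarize(text):
    """Count (action, protocol, dst-port) tuples: a quick view of what the firewall let in and dropped."""
    return Counter((r["action"], r["protocol"], int(r["dst-port"]))
                   for r in parse_firewall_log(text))

def zone_transfer_path_open(text, secondary_ip):
    """True if the secondary (assumed address) opened a TCP connection to port 53, the AXFR/IXFR path."""
    return any(r["action"] == "OPEN" and r["protocol"] == "TCP"
               and r["dst-port"] == "53" and r["src-ip"] == secondary_ip
               for r in parse_firewall_log(text))

def unexpected_allows(text, allowed_ports=(53,)):
    """Allowed records on ports outside the intended set; should be empty on a DNS-only box."""
    return [r for r in parse_firewall_log(text)
            if r["action"] == "OPEN" and int(r["dst-port"]) not in allowed_ports]
```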
bbao (IT Consultant) commented:
Hi, try permitting only IP protocols 6 and 17; see here for more information:

How to configure TCP/IP Filtering in Windows Server 2003
http://support.microsoft.com/kb/816792

BTW, although TCP/IP filtering works in kernel mode, it seems that MS still recommends that users use the built-in firewall for most security tasks. As you experienced, ICF currently works well with your DNS server.

bbao (IT Consultant) commented:
Grade C? Does it work or not? Please give us more feedback.

theonlymikec (Author) commented:
It is now a production server and I can't make changes during the day. I will try the 6 & 17 IP protocol suggestion, but I like the solution I came up with and you agreed with - that is, to use ICF. I felt that agreeing with my answers is "average". Thanks for the commentary.

MIKEC
