Solved

Secure DNS Zone XFR

Posted on 2005-03-08
Medium Priority
416 Views
Last Modified: 2013-12-23
I am setting up my own DNS servers on the Internet instead of using my ISP for DNS.  I am using win2k3 server with the Microsoft DNS server.  I set up the primary and secondary servers and secured them according to Microsoft's whitepapers.  The secondary server will not zone XFR if I enable TCP/IP Filtering and restrict it to UDP and TCP port 53.  If I remove TCP/IP filtering the zone XFR works just fine.  Why?
Question by:theonlymikec
8 Comments
LVL 37

Expert Comment

by:bbao
ID: 13495211
which option have you checked, "Permit All" or "Permit Only"? you should choose the latter one. btw, please don't forget that this will also disable all other incoming requests to the server, which is commonly not recommended though it seems much more secure.

Author Comment

by:theonlymikec
ID: 13495505
bbao - thanks for replying.  I have selected "permit only".  I know this will disable all other incoming requests - this is ONLY a DNS server and I don't want anything else being accessed.  It works fine as a DNS server when I lock it down except for the fact that it won't zone xfr to the secondary.  I collected packet captures using Network Monitor and I can't see where it is using anything other than 53 when all ports are opened up....There must be something dumb I'm missing......
LVL 37

Expert Comment

by:bbao
ID: 13496033
you should also enable the TCP port 53 for transferring DNS.

Author Comment

by:theonlymikec
ID: 13496119
No offense but.......did you read my original post?  I did that.  When I restrict the server to only udp and tcp port 53, zone xfr fails but dns queries work properly.  If I remove the restrictions (permit all udp and tcp) the zone xfr works fine.

In an effort to secure this server in a different way, I used the "Internet connection firewall" and only allow ICMP, UDP-53 and TCP-53.  Looking at the log file, I can see that only port 53 is being processed and other connection attempts (135, 139....) are being dropped.  With this enabled zone xfrs work properly.  Maybe I'll just leave it like this......
LVL 37

Accepted Solution

by: bbao (earned 1000 total points)
ID: 13496688
hi, try permit only 6 and 17 for IP protocols, see here for more information:

How to configure TCP/IP Filtering in Windows Server 2003
http://support.microsoft.com/kb/816792

btw, although TCP/IP filtering works in kernel mode, it seems that MS still recommends users use the built-in firewall for most security tasks. as you experienced, ICF currently works well with your DNS server.
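As an added illustration (not code from this thread), here is a constructed model of the difference between a stateless "Permit Only" port filter and a stateful firewall such as ICF, applied to one zone-refresh cycle (NOTIFY, SOA check over UDP, AXFR over TCP). It assumes TCP/IP Filtering judges inbound UDP datagrams and inbound TCP connection attempts by destination port alone with no memory of flows the host opened, and that ICF lets replies to outbound flows back in; addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    note: str
    syn: bool = False   # TCP only: this packet opens a new connection


PRIMARY, SECONDARY = "198.51.100.1", "198.51.100.2"  # constructed addresses
EPH = 49152                                          # constructed ephemeral port

# One refresh cycle as seen on the wire (constructed sample traffic).
ZONE_TRANSFER = [
    Packet("udp", PRIMARY, EPH, SECONDARY, 53, "NOTIFY"),
    Packet("udp", SECONDARY, 53, PRIMARY, EPH, "NOTIFY reply"),
    Packet("udp", SECONDARY, EPH, PRIMARY, 53, "SOA query"),
    Packet("udp", PRIMARY, 53, SECONDARY, EPH, "SOA reply"),
    Packet("tcp", SECONDARY, EPH + 1, PRIMARY, 53, "AXFR SYN", syn=True),
    Packet("tcp", PRIMARY, 53, SECONDARY, EPH + 1, "AXFR SYN/ACK"),
    Packet("tcp", SECONDARY, EPH + 1, PRIMARY, 53, "AXFR request"),
    Packet("tcp", PRIMARY, 53, SECONDARY, EPH + 1, "AXFR data"),
]

DNS_ONLY = {"udp": {53}, "tcp": {53}}   # the "permit only UDP/TCP 53" rule


def tcpip_filtering(host, allowed, packets):
    """Assumed 'Permit Only' behaviour: inbound TCP is checked on the SYN that
    opens a connection, inbound UDP on every datagram, by destination port only."""
    dropped = []
    for p in packets:
        if p.dst != host or (p.proto == "tcp" and not p.syn):
            continue
        if p.dport not in allowed.get(p.proto, set()):
            dropped.append(p.note)
    return dropped


def stateful_firewall(host, allowed, packets):
    """Assumed ICF behaviour: an inbound packet passes if it answers a flow this
    host opened, or if its destination port is explicitly allowed."""
    flows, dropped = set(), []
    for p in packets:
        if p.src == host:
            flows.add((p.proto, p.sport, p.dst, p.dport))
        elif p.dst == host and (p.proto, p.dport, p.src, p.sport) not in flows \
                and p.dport not in allowed.get(p.proto, set()):
            dropped.append(p.note)
    return dropped
```

Under this model the stateless filter on the secondary drops the SOA reply arriving at its ephemeral port, so the secondary never decides to pull the zone, while the same rule on the primary only loses the NOTIFY reply; the stateful firewall drops nothing.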
LVL 37

Expert Comment

by:bbao
ID: 13497995
grade C? does it work or not? please give us more feedback.

Author Comment

by:theonlymikec
ID: 13499324
It is now a production server and I can't make changes during the day.  I will try the 6 & 17 IP protocol suggestion but I like the solution I came up with and you agreed with - that is, to use ICF.  I felt that agreeing with my answers is "average".  Thanks for the commentary.

MIKEC