DNS servers are not listening on port 53...

pendal1 asked:

When I ran netstat -a -n -p tcp to check if our DNS servers were listening on port 53, none of them are.  Here's the output I received for port 53:  0.0.0.0:53.  I'm assuming the DNS server should occupy that IP address space.  I checked and the firewall (Windows, that is) is turned off on the DNS servers and I don't see anything in the virus protection blocking port 53.  Guys, how do I get these servers listening on port 53 for internal queries but so that they do not listen to queries from the internet?  Is that the way the DNS server should be configured?  Your expertise and help are greatly appreciated.
This question arises because when a site with only one DC (also the preferred DNS server) is unavailable (although there are secondary DNS servers listed for clients) that site is unable to log on to the network.  Am I right in assuming this is because the other DNS servers are not listening on port 53?  Anyway, hope that makes sense.  You guys will make me look good to the boss with this one.
karwak:

So you mean the output of netstat gives you a line with 0.0.0.0:53 on that DNS server? This would mean that your DNS server is up and running, listening for DNS queries on all interfaces (IPs) available. If you want to listen only on one IP, e.g. your internal one, you have to configure the DNS server accordingly.
pendal1 (asker):

karwak, how are DNS servers typically configured?  Should they listen for queries on all IPs available or only on the internal one?  I'm a beginner, so could you please explain what it means for the DNS server to listen for queries on all IPs available as opposed to its internal one.  Thanks for your quick response.
Chris Dent:

Hi there,

It's UDP Port 53 you need to look for, you would expect to see:

UDP    IPAddress:53    *:*
UDP    127.0.0.1:53     *:*

Or an entry for each address.

TCP is used for Zone Transfers and little else, you don't need your DNS Server to listen for that. UDP is used for standard queries.

If your DNS Server is also behaving as an internet gateway it would be useful to have it only listen on the Internal IP Address.

If it's behind a Firewall and that's already blocking inbound traffic there's no need to change the DNS Server.

Chris
pendal1 (asker):

Chris Dent, thank you very much for the reply.  I will run netstat -a -n -p udp and I'll let you know the results.  
Chris, on your second point about the server, and in my case DNS servers, acting as internet gateways, let me see if I understand.  Right now we don't have a forwarder set up for one of our ISP's internet name servers.  That will be set up shortly.  So yes, the DNS servers on our network have to act as the internet gateways because they have to handle queries for web sites, etc. outside of our domain.  In other words, if a user enters google.com, our DNS server checks its zone; it obviously won't have the IP address, so it has to go to an internet name server, who then refers it to a .com server and then finally to a server authoritative for google.   I hope I have that correct.  I know it was recommended to us by a consultant to set up a forwarder with our ISP's name server, but that hasn't happened yet, so our local DNS servers just have the internet name servers in the root hints.
Chris, the reason I was asking this question to begin with is because when one of our site DCs goes down, and we only have one DC per site and it's also the preferred DNS server (but secondary DNS servers are listed), the clients can't log on to the network.  I know clients use DNS to find DCs, so I was basically pointed in this direction.  Your help on this would be greatly appreciated.  I noticed you have a ton of experience in this area and you would be a great resource.  Anyway, I'll run the netstat command and try and get you the output for that.  Please stay tuned.
pendal1 (asker):

Chris Dent, I ran netstat -a -n -p udp and I received the output you listed.  There were two entries for port 53:
udp dnsserverip:53
udp 127.0.0.1:53
I know someone else recommended I try to telnet from a client to a DNS server (one of our secondary DNS servers), but nothing happens.  Telnet is enabled on the server, so I'm not sure what I may be missing.  Telnet with the IP address appears in the cmd prompt heading, but no connection is made.  When I just try to telnet to the IP address, I receive a message that the telnet server has closed the connection.  Anyway, hope this helps your evaluation of my issue, Chris.
pendal1 (asker):

Chris, I was at one of our sites today (a school) after business hours and powered off the DC.  Again, this DC is also the preferred DNS server, but there are secondary DNS servers listed for the clients in this site.  This site only has one DC.  After powering off the DC, I was able to log onto the domain.  Does this mean the clients are contacting secondary DNS servers to locate DCs in other sites to log onto the network, or am I logging on with an account that is already cached on the network?  I logged on with accounts I have logged on with in the past.  Thanks Chris.
PS - I tried to e-mail you but no luck.  

Chris Dent:

Hey again,

> ... name server who then refers to a .com server and then finally a server authoritative for google. ...
> I hope I have that correct.

You do, I think.

That's the process when using Root Hints, that is, with no Forwarders configured.

But that's separate from the Internet Gateway function. The DNS Server won't need to listen for requests on the external IP in that scenario because external clients won't be executing requests (we hope).

> I try and telnet from a client to a dns server (one of our secondary dns servers)  but nothing
> happens.  Telnet is enabled on the server so I'm not sure what I may be missing.  

Telnet uses TCP, UDP is connectionless so it has no meaning to Telnet. That's why it's not letting you connect.

You would be better using PortQry:

http://www.microsoft.com/Downloads/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

Then running:

PortQry -n <server> -e 53 -p UDP -i

> Does this mean the clients are contacting secondary dns servers to locate DCs in other
> sites to log onto the network or am I logging on with an account that is already cached
> on the network.

They should be, yes. As long as they have a valid DNS Server listed and a DC available not too far away to handle authentication requests.

Cached Credentials should also work if no DCs are available. In this case you may find it beneficial to use "Always wait for network at computer startup and logon". This changes Windows XP back to using Synchronous Logon, it's default is Asynchronous which can cause some very odd problems. It's set in Group Policy under Computer Configuration \ Administrative Templates \ System \ Logon.

Chris
pendal1 (asker):

Hi Chris.
"But that's separate from the Internet Gateway function. The DNS Server won't need to listen for requests on the external IP in that scenario because external clients won't be executing requests (we hope)."
Chris, could you explain the internet gateway function further?  I understand what you're saying about our DNS server not listening for requests on google's IP address from external clients - I think.
Chris, other than a few sites, most of the DCs are in separate sites.  Is there a way to test if I'm logging on with a cached account or am actually authenticating with a DC in another site, if need be?  Do I need to simply create a new test account in this scenario to eliminate the possibility of the account having been cached?
Chris, why do you prefer the synchronous logon with cached credentials?  Just curious.
And Chris, do you recommend setting up a forwarder to our ISP's name server?  Does it really save on bandwidth or DNS server utilization?
Chris, I know I've asked a lot of questions.  Your time and expertise are greatly appreciated.  I'm still learning, so I'm trying to understand and get things set up right.  I could go on and on with the questions.  Thanks again, Chris.

Chris Dent:

> internet gateway function further

The job of an internet gateway is to route IP traffic between two networks (in this case your internal network and your ISPs so it can go out to the internet). In many cases this includes performing NAT (Network Address Translation). In simple implementations that'll be outbound NAT so all clients within a private network appear to connect as the gateway.

Generally the gateway also performs Firewall functions to protect your network, and in some cases Proxy functions (as we see with software like MS ISA Server) which cache web content to keep traffic on the more expensive connection down.

DNS will use that Gateway as well to get its requests out onto the internet, but the DNS server itself doesn't actually need to have a public side.

Heading off to bed, but can explain further in the morning if necessary. IP Routing and IP Security are big topics, a little big for tonight :)

> Is there a way to test if I'm logging on with a cached account or am I actually
> authenticating with a dc in another site - if need be.  

Perhaps the easiest way will be to run "echo %logonserver%" on the command line. If it just comes back with %logonserver% you'll be using Cached Credentials.

> why do you prefer the synchronous logon with cached credentials?  Just curious.

For every logon. It doesn't exhibit some of the bizarre problems I've seen with Asynchronous mode, such as failure to logon with cached credentials (when all access to servers is down) and failure to correctly map a home drive set in the account (maps one level higher). There are more, you can probably blame it for any odd inexplicable logon problem ;)

> And chris do you recommend setting up a forwarder to our isp's name server.  
> Does it really save on bandwidth on dns server utilization?

Marginally. The original recommendations for that date back to when everyone was connecting with Modems. Still, there's something to be said for trying to keep down the load on the Root DNS Servers.

Personally though, I'm selfish, I don't like my name resolution going through other peoples systems. I can't control them and it's bound to annoy me at some point, therefore I use Root Hints by preference.

Chris
pendal1 (asker):

Thanks Chris.  You're really a big help and obviously very knowledgeable.  Any chance you're available as a private consultant - say for me, for example :)
Thanks for the clarification about the internet gateway.  My experience is limited, but I've never heard of a DNS server also being the internet gateway.  I know that gateways are associated with routers and that they serve firewall and NAT functions, but I didn't know about the proxy capability.  Chris, is it common to have these gateways or routers performing so many functions, or is it natural considering they connect subnets and LANs, and LANs and ISPs?

Thanks a lot for that tip with the echo %logonserver%.  Jesus, does that make it easy for me to test.  Just for clarification - if that command comes back with a DC name, that server authenticated the client.  If the command returns just %logonserver% or the computer name, I've logged on with a cached credential?  
I'll also recommend to my boss logging on with synchronous mode.  We can configure that with a GPO and push it out, if he's interested.
Chris, you don't seem too enthusiastic about the forwarder.  Let me put it to you this way.  If we had someone with your knowledge of DNS, I would agree with you and leave well enough alone and use the root hints.  I'm mixed on that one.  Bandwidth gain is marginal, and a reduced load on the DNS servers seems to be the biggest gain.

Chris, I promise to close this question tomorrow.  You've been a tremendous help.
0.0.0.0:53 means listening on all interfaces.
To prove this, switch off any firewalls on the server and use telnet to establish a connection to the port:
telnet <ip_address> 53
If you get a connection (i.e.: it doesn't just close immediately) something is listening on port 53.

Chris Dent:

You cannot telnet into a UDP port, it's simply not possible. DNS listens for requests on UDP Port 53, not TCP Port 53.

DNS listens for Zone Transfer requests on TCP Port 53, but that really isn't the same thing, it doesn't tell you whether or not DNS is listening for requests.

Chris
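The point in the two replies above (telnet cannot test a UDP listener, and a TCP 53 connection only proves the zone-transfer listener) is easiest to see by sending a real query over each transport. The script below is an added example for this thread, not code posted by anyone in it: it builds a minimal RFC 1035 A query, sends it over UDP 53 and waits for an answer, then sends the same query over TCP 53 with the two-byte length prefix TCP DNS uses. The default server address 192.0.2.53 and the query name example.com are placeholders (assumptions); pass your own DNS server and a name from one of its zones as arguments.

```python
"""Probe a DNS server on UDP 53 and TCP 53 with a real query.

Added example, not code from any poster in this thread. A UDP port cannot be
"connected to", so the only evidence that something is listening on UDP 53 is
an answer to a well-formed query. The same query is sent over TCP 53 (with the
2-byte length prefix TCP DNS uses) so the two transports can be compared.
The default server 192.0.2.53 is a placeholder from the documentation range.
"""
import random
import socket
import struct
import sys
from typing import Optional

DNS_PORT = 53
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query (RFC 1035 wire format) with RD set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; enough to judge whether a server answered."""
    if len(resp) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def _match(query: bytes, resp: bytes) -> dict:
    """Parse resp and reject anything that is not a response to our query ID."""
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["is_response"]:
        raise ValueError("not a response to our query (ID/QR mismatch)")
    return hdr


def probe_udp(server: str, name: str, timeout: float = 2.0) -> Optional[dict]:
    """Send the query over UDP; None means nothing answered in time.

    A timeout cannot distinguish 'not listening' from 'filtered'. On Windows an
    ICMP port-unreachable surfaces as ConnectionResetError, which does mean
    nothing is bound to the port.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        try:
            data, _peer = s.recvfrom(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return _match(query, data)


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream; loop until n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message arrived")
        buf += chunk
    return buf


def probe_tcp(server: str, name: str, timeout: float = 2.0) -> Optional[dict]:
    """Send the query over TCP; None on a refused or timed-out connection."""
    query = build_query(name)
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # length-prefixed
            (length,) = struct.unpack("!H", _recv_exactly(s, 2))
            data = _recv_exactly(s, length)
    except (ConnectionRefusedError, socket.timeout):
        return None
    return _match(query, data)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # assumed placeholder
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"   # assumed placeholder
    for transport, probe in (("UDP", probe_udp), ("TCP", probe_tcp)):
        hdr = probe(server, qname)
        if hdr is None:
            print(f"{transport} 53 on {server}: no answer (not listening, refused or filtered)")
        else:
            print(f"{transport} 53 on {server}: answered, rcode={hdr['rcode']}, "
                  f"answers={hdr['ancount']}, truncated={hdr['truncated']}")
```

Run it as `python probe53.py <dns-server-ip> <name-in-one-of-its-zones>`. A healthy Windows DNS server answers both probes; a server where only the UDP probe answers is still perfectly usable for client queries, which is the case the replies above describe. PortQry with `-p UDP` does essentially the same thing as the UDP half of this script.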
elf_bin:

(This solution is only available to members.)
pendal1 (asker):

Thanks for joining in the discussion, elf_bin.
Chris, please take a look at my post last night.  I just want to make sure, for example, that I'm reading the output for echo %logonserver% correctly.  
Thanks guys.
ASKER CERTIFIED SOLUTION

(This solution is only available to members.)
pendal1 (asker):

Chris Dent - Thank you so much for your time, expertise and patience.  Your help is greatly appreciated.  Chris, do you have an e-mail address available where you can be alerted of questions on this site, for example?  I would never abuse it, but I understand if you don't want to give it out.  Thanks again, Chris.
Thanks to the rest of the gang as well.

Chris Dent:

You're welcome. My e-mail is listed in my profile, it's a bit obscured, but I've made it a little more clear now.

Chris