Solved

TCP/IP Filtering + DNS Resolving Issue

Posted on 2010-09-17
Last Modified: 2012-06-27
Hi,

I have enabled TCP/IP Filtering on my Windows Server 2003 to block the inbound traffic. I have enabled the following ports in TCP/IP Filtering and enabled TCP/IP Filtering:
TCP ports: 20, 21, 25, 53, 80, 110, 143, 443, 807, 808, 1433, 3389, 5357, 8004, 8010 and 8011
UDP ports: 6514, 6515 and 6516
These are the ports I require.

One strange thing is happening: now I am not able to resolve any DNS name, like google.com.
If I disable TCP/IP Filtering, then I can easily resolve the domain name google.com.

Can anyone help me in this matter? The server is at a remote location, so I can't use any firewall software. I need to enable only TCP/IP Filtering.
Question by:tanujchandna
11 Comments
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33699687
You should have UDP 53 open also, IIRC.
0
 
LVL 9

Author Comment

by:tanujchandna
ID: 33699711
Hi,

I forgot to mention that UDP port 53 is also enabled in Filtering.
0
 

Expert Comment

by:leonepeter
ID: 33699721
Doesn't DNS also use UDP port 53? Try that.
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 33700588
DNS look-up works on UDP 53 also.  And, since it is UDP, it needs to be permitted in both directions: In- and outbound (if you filter outbound traffic as well).
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 33700633
Sorry for my previous post: I only repeated what leonepeter said.  I think my mind is leaving me...

If you do allow both UDP and TCP port 53, please check if you still have a valid DNS server configured.  I assume you get your DNS through a static configuration?
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 33700735
If you do not get your IP addressing via static configuration, but use DHCP, you will also need to permit UDP 67 & 68.  Although it should only affect the DNS configuration when the DHCP lease expires, and will also affect IP addressing of the server.
0
 
LVL 9

Author Comment

by:tanujchandna
ID: 33700741
I am using OpenDNS, 208.67.222.222 and 208.67.220.220. Please understand that when I disable TCP Filtering, it works fine.
0
 
LVL 11

Expert Comment

by:kaskhedikar_tushar
ID: 33701446
Hello,

Why are you using OpenDNS? Get a static IP address from your ISP & configure it in the router.
Install & configure a DNS server on Windows Server 2003 & add DNS in forwarders.

http://support.microsoft.com/kb/814591
http://support.microsoft.com/kb/816792

Regards,
Tushar Kaskhedikar
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 33701689
OK, so it isn't via DHCP, and you do not need UDP 67 & 68.

I did a bit of research on the TCP/IP filtering functionality of Windows, and it seems that it blocks packets based on their destination port number.  With a DNS query, the response would actually be directed not at TCP/UDP 53, but at an ephemeral port number, assigned from a dynamic range.  According to Microsoft's website, the range is from 1025 through 5000.

I would suggest that you permit this range as well, and see if it resolves your problem.  This would also allow any other return traffic for client processes on the server (i.e. if you want to open a web browser from the server).  Just take note that this could increase your security risk, but only if you have server processes listening in this range that should be blocked.
0
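
A small model of the behaviour described in the comment above, added here as an illustration and not written by any poster in this thread. It assumes the filter is stateless and matches only on protocol and destination port; the source port 1030 and the listener list are constructed sample values.

```python
# Added illustration: stateless inbound filter matching only on destination
# port, as described in the comment above (assumed behaviour, not vendor code).

# Permit lists from the question, plus UDP 53, which the asker says is enabled.
ALLOWED_TCP = {20, 21, 25, 53, 80, 110, 143, 443, 807, 808, 1433, 3389,
               5357, 8004, 8010, 8011}
ALLOWED_UDP = {53, 6514, 6515, 6516}
EPHEMERAL = range(1025, 5001)  # dynamic range quoted in the comment: 1025-5000


def inbound_allowed(proto, dst_port, allowed_tcp, allowed_udp):
    """Stateless check: only protocol and destination port are examined."""
    allowed = allowed_tcp if proto == "tcp" else allowed_udp
    return dst_port in allowed


def dns_reply_allowed(client_src_port, allowed_udp):
    """The resolver's reply is addressed to the port the query was sent from."""
    return inbound_allowed("udp", client_src_port, ALLOWED_TCP, allowed_udp)


def newly_exposed(listeners, before, after):
    """Listening ports that become reachable only after the list is widened."""
    return sorted(p for p in listeners if p in after and p not in before)


def main():
    src_port = 1030  # constructed: ephemeral source port used for one query
    print("reply to UDP", src_port, "with the page's list:",
          dns_reply_allowed(src_port, ALLOWED_UDP))
    widened = ALLOWED_UDP | set(EPHEMERAL)
    print("reply after permitting 1025-5000:",
          dns_reply_allowed(src_port, widened))
    # Constructed list of UDP ports with a listener on the server.
    udp_listeners = [53, 123, 1434, 4500, 6514]
    print("UDP listeners newly reachable:",
          newly_exposed(udp_listeners, ALLOWED_UDP, widened))


if __name__ == "__main__":
    main()
```

Running `newly_exposed` against the real list of listening ports on the server is the check that quantifies the added risk before the range is opened.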
 
LVL 9

Accepted Solution

by:
tanujchandna earned 0 total points
ID: 33751103
I didn't find any solution. I have used IPSec instead of TCP/IP Filtering.
Thanks to all.
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 33767578
tanujchandna

If you do not like any of the proposed solutions, please request to have this question deleted, rather than leaving it open.  Or close it by accepting your own answer.
0
