| Groups | Blog | Home |
iis security : TCP/IP Filtering and DNS problems
I have just recently set up IIS Server Windows 2k advanced
server. The server has 16 IP addresses assigned to it in a class c with a subnet mask of 255.255.255.0 (I guess this is obvious) for each of the proposed web sites and e-mail server and DNS. I was given 2 DNS address from the ISP (which I ping well to and they work consistently on the next server on the rack. On installation and testing the network configuration all seems fine, I am able to browse the internet msn, yahoo, and such from this server. Also able to see the web server and it receives e-mail properly and Terminal Services (remote admin mode) works fine. I thought that I should first filter the TCP/IP to close off all unneeded ports. So I added ports 25, 53, 80, 110 & 3389 to the TCP Ports list TCP/IP filtering and 53 to UDP Ports with both(TCP AND UDP) "Permit Only" checked and Permit All on IP Protocols. This then required a restart. I restarted the server and I can still log in with terminal services. The server still receives e-mail. The web sites are all still accessible. But I am not able to browse the internet from the server (my test for checking the DNS lookup ability) I can not go to any site unless I specify an IP address. I thought I had a handle on this but now I feel confused. I removed the TCP/IP FILTERS and it worked again so I know the basic TCP/IP configuration is right but does anyone have any incite or advice to why the DNS would seem to drop out by applying the above filters? Thanks in advance, Glenn if any other information is required to decipher this issue please ask.
I don't think DNS is having problem.
it because you don't allow any source port to bind locally. e.g. IE source port to remote web server port 80. try ping at command prompt, see if it resolve to IP address for the domain you like to browse. -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Glenn" <anonymous@discussions.microsoft.com> wrote in message news:1ea9c01c456c9$585865e0$a301280a@phx.gbl... > I have just recently set up IIS Server Windows 2k advanced > server. The server has 16 IP addresses assigned to it in a > class c with a subnet mask of 255.255.255.0 (I guess this > is obvious) for each of the proposed web sites and e-mail > server and DNS. I was given 2 DNS address from the ISP > (which I ping well to and they work consistently on the > next server on the rack. > > On installation and testing the network configuration all > seems fine, I am able to browse the internet msn, yahoo, > and such from this server. Also able to see the web server > and it receives e-mail properly and Terminal Services > (remote admin mode) works fine. > > I thought that I should first filter the TCP/IP to close > off all unneeded ports. So I added ports 25, 53, 80, 110 & > 3389 to the TCP Ports list TCP/IP filtering and 53 to UDP > Ports with both(TCP AND UDP) "Permit Only" checked and > Permit All on IP Protocols. This then required a restart. > > I restarted the server and I can still log in with > terminal services. The server still receives e-mail. The > web sites are all still accessible. But I am not able to > browse the internet from the server (my test for checking > the DNS lookup ability) I can not go to any site unless I > specify an IP address. > > I thought I had a handle on this but now I feel confused. > I removed the TCP/IP FILTERS and it worked again so I know > the basic TCP/IP configuration is right but does anyone > have any incite or advice to why the DNS would seem to > drop out by applying the above filters? > > Thanks in advance, > Glenn > > if any other information is required to decipher this > issue please ask. >
actually i dont understand what you mean. I explained that
i opened the specific ports in the tcp/ip filtering and that is what seems to cause the problem. DNS works normaly but when i only leave the ports for web(80) e-mail(25&110) ftp(21) and DNS (tcp & udp 53) i get no dns activity. it is like dns just stops. I am able to ping directly ie: ping 216.116.*.* pings fine.. but on pinging a specific site ie "ping yahoo.com" i get nothing so i wonder what else dns needs open to work. I have allways understood that DNS only needs port 53. am i worong? also if i put a direct address for a outside website ie yahoo.com's direct ipaddress it works fine so the ports are properly open for the application. it just seems that dns is shut down. thanks again. Glenn [quoted text, click to view] >-----Original Message-----
>I don't think DNS is having problem. >it because you don't allow any source port to bind locally. >e.g. IE source port to remote web server port 80. > >try ping at command prompt, see if it resolve to IP address >for the domain you like to browse. > >-- >Regards, >Bernard Cheah >http://www.tryiis.com/ >http://support.microsoft.com/ >http://www.msmvps.com/bernard/ > > > >"Glenn" <anonymous@discussions.microsoft.com> wrote in message >news:1ea9c01c456c9$585865e0$a301280a@phx.gbl... >> I have just recently set up IIS Server Windows 2k advanced >> server. The server has 16 IP addresses assigned to it in a >> class c with a subnet mask of 255.255.255.0 (I guess this >> is obvious) for each of the proposed web sites and e- >> server and DNS. I was given 2 DNS address from the ISP >> (which I ping well to and they work consistently on the >> next server on the rack. >> >> On installation and testing the network configuration all >> seems fine, I am able to browse the internet msn, yahoo, >> and such from this server. Also able to see the web server >> and it receives e-mail properly and Terminal Services >> (remote admin mode) works fine. >> >> I thought that I should first filter the TCP/IP to close >> off all unneeded ports. So I added ports 25, 53, 80, 110 & >> 3389 to the TCP Ports list TCP/IP filtering and 53 to UDP >> Ports with both(TCP AND UDP) "Permit Only" checked and >> Permit All on IP Protocols. This then required a restart. >> >> I restarted the server and I can still log in with >> terminal services. The server still receives e-mail. The >> web sites are all still accessible. But I am not able to >> browse the internet from the server (my test for checking >> the DNS lookup ability) I can not go to any site unless I >> specify an IP address. >> >> I thought I had a handle on this but now I feel confused. >> I removed the TCP/IP FILTERS and it worked again so I know >> the basic TCP/IP configuration is right but does anyone >> have any incite or advice to why the DNS would seem to >> drop out by applying the above filters? >> >> Thanks in advance, >> Glenn >> >> if any other information is required to decipher this >> issue please ask. >> > > >.
I was saying, when you using IE locally, it can not bind local port XXXX
which connect destination port 80 on remote host. Do a simple, test, try ping www.yahoo.com, do you see IP reply ? what was the dns server you configure in your tcp/ip properties ? -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Glenn" <anonymous@discussions.microsoft.com> wrote in message news:1ff3301c45883$67b56e00$a401280a@phx.gbl... > actually i dont understand what you mean. I explained that > i opened the specific ports in the tcp/ip filtering and > that is what seems to cause the problem. DNS works normaly > but when i only leave the ports for web(80) e-mail(25&110) > ftp(21) and DNS (tcp & udp 53) i get no dns activity. it > is like dns just stops. I am able to ping directly ie: > ping 216.116.*.* pings fine.. but on pinging a specific > site ie "ping yahoo.com" i get nothing so i wonder what > else dns needs open to work. I have allways understood > that DNS only needs port 53. am i worong? also if i put a > direct address for a outside website ie yahoo.com's direct > ipaddress it works fine so the ports are properly open for > the application. it just seems that dns is shut down. > thanks again. > Glenn > > > >-----Original Message----- > >I don't think DNS is having problem. > >it because you don't allow any source port to bind > locally. > >e.g. IE source port to remote web server port 80. > > > >try ping at command prompt, see if it resolve to IP > address > >for the domain you like to browse. > > > >-- > >Regards, > >Bernard Cheah > >http://www.tryiis.com/ > >http://support.microsoft.com/ > >http://www.msmvps.com/bernard/ > > > > > > > >"Glenn" <anonymous@discussions.microsoft.com> wrote in > message > >news:1ea9c01c456c9$585865e0$a301280a@phx.gbl... > >> I have just recently set up IIS Server Windows 2k > advanced > >> server. The server has 16 IP addresses assigned to it > in a > >> class c with a subnet mask of 255.255.255.0 (I guess > this > >> is obvious) for each of the proposed web sites and e- > >> server and DNS. I was given 2 DNS address from the ISP > >> (which I ping well to and they work consistently on the > >> next server on the rack. > >> > >> On installation and testing the network configuration > all > >> seems fine, I am able to browse the internet msn, yahoo, > >> and such from this server. Also able to see the web > server > >> and it receives e-mail properly and Terminal Services > >> (remote admin mode) works fine. > >> > >> I thought that I should first filter the TCP/IP to > close > >> off all unneeded ports. So I added ports 25, 53, 80, > 110 & > >> 3389 to the TCP Ports list TCP/IP filtering and 53 to > UDP > >> Ports with both(TCP AND UDP) "Permit Only" checked and > >> Permit All on IP Protocols. This then required a > restart. > >> > >> I restarted the server and I can still log in with > >> terminal services. The server still receives e-mail. The > >> web sites are all still accessible. But I am not able to > >> browse the internet from the server (my test for > checking > >> the DNS lookup ability) I can not go to any site unless > I > >> specify an IP address. > >> > >> I thought I had a handle on this but now I feel > confused. > >> I removed the TCP/IP FILTERS and it worked again so I > know > >> the basic TCP/IP configuration is right but does anyone > >> have any incite or advice to why the DNS would seem to > >> drop out by applying the above filters? > >> > >> Thanks in advance, > >> Glenn > >> > >> if any other information is required to decipher this > >> issue please ask. > >> > > > > > >. > >
I believe the issue is that when you try to resolve an address via dns, your system sends a udp (random port) -> (53) request to the dns server. Since udp is connectionless, the response comes back (53) -> (random port) which your filter drops. You can add a filter that accepts a source of udp 53 and a destination of any port, but that opens you up to anyone who wants to send you packets with a source port of 53. Refining your rule to limit it to a particular ip address (eg the ip of your dns server) will help, but, since udp is connectionless, someone hacking udp could fake the source address if they know the ip of your dns server. I've never found a really good solution to this, beyond putting the web server behind a firewall (or adding a 2nd nic which is behind the firewall and using the firewall as the dns server and permitting udp as described above on that nic to that server). Of course, the only "surfing" I do from the web site is to windows update. I'd wonder why you would care about securing your system so tightly and then go surfing off to yahoo etc.
[quoted text, click to view] "Bernard" wrote:
> I was saying, when you using IE locally, it can not bind local port XXXX > which connect destination port 80 on remote host. > > Do a simple, test, try ping www.yahoo.com, do you see IP reply ? > what was the dns server you configure in your tcp/ip properties ? > > > -- > Regards, > Bernard Cheah > http://www.tryiis.com/ > http://support.microsoft.com/ > http://www.msmvps.com/bernard/ > > > > "Glenn" <anonymous@discussions.microsoft.com> wrote in message > news:1ff3301c45883$67b56e00$a401280a@phx.gbl... > > actually i dont understand what you mean. I explained that > > i opened the specific ports in the tcp/ip filtering and > > that is what seems to cause the problem. DNS works normaly > > but when i only leave the ports for web(80) e-mail(25&110) > > ftp(21) and DNS (tcp & udp 53) i get no dns activity. it > > is like dns just stops. I am able to ping directly ie: > > ping 216.116.*.* pings fine.. but on pinging a specific > > site ie "ping yahoo.com" i get nothing so i wonder what > > else dns needs open to work. I have allways understood > > that DNS only needs port 53. am i worong? also if i put a > > direct address for a outside website ie yahoo.com's direct > > ipaddress it works fine so the ports are properly open for > > the application. it just seems that dns is shut down. > > thanks again. > > Glenn > > > > > > >-----Original Message----- > > >I don't think DNS is having problem. > > >it because you don't allow any source port to bind > > locally. > > >e.g. IE source port to remote web server port 80. > > > > > >try ping at command prompt, see if it resolve to IP > > address > > >for the domain you like to browse. > > > > > >-- > > >Regards, > > >Bernard Cheah > > >http://www.tryiis.com/ > > >http://support.microsoft.com/ > > >http://www.msmvps.com/bernard/ > > > > > > > > > > > >"Glenn" <anonymous@discussions.microsoft.com> wrote in > > message > > >news:1ea9c01c456c9$585865e0$a301280a@phx.gbl... > > >> I have just recently set up IIS Server Windows 2k > > advanced > > >> server. The server has 16 IP addresses assigned to it > > in a > > >> class c with a subnet mask of 255.255.255.0 (I guess > > this > > >> is obvious) for each of the proposed web sites and e- > > >> server and DNS. I was given 2 DNS address from the ISP > > >> (which I ping well to and they work consistently on the > > >> next server on the rack. > > >> > > >> On installation and testing the network configuration > > all > > >> seems fine, I am able to browse the internet msn, yahoo, > > >> and such from this server. Also able to see the web > > server > > >> and it receives e-mail properly and Terminal Services > > >> (remote admin mode) works fine. > > >> > > >> I thought that I should first filter the TCP/IP to > > close > > >> off all unneeded ports. So I added ports 25, 53, 80, > > 110 & > > >> 3389 to the TCP Ports list TCP/IP filtering and 53 to > > UDP > > >> Ports with both(TCP AND UDP) "Permit Only" checked and > > >> Permit All on IP Protocols. This then required a > > restart. > > >> > > >> I restarted the server and I can still log in with > > >> terminal services. The server still receives e-mail. The > > >> web sites are all still accessible. But I am not able to > > >> browse the internet from the server (my test for > > checking > > >> the DNS lookup ability) I can not go to any site unless > > I > > >> specify an IP address. > > >> > > >> I thought I had a handle on this but now I feel > > confused. > > >> I removed the TCP/IP FILTERS and it worked again so I > > know > > >> the basic TCP/IP configuration is right but does anyone > > >> have any incite or advice to why the DNS would seem to > > >> drop out by applying the above filters? > > >> > > >> Thanks in advance, > > >> Glenn > > >> > > >> if any other information is required to decipher this > > >> issue please ask. > > >> > > > > > > > > >. > > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |