IP Security Policies won't allow DNS 53 to pass through?


Guest Scott
Posted

Hi,

On Windows 2003 64-bit server I run the following test:

telnet <dns ip> 53

I connect OK to a remote DNS server.

I created a PACKET FILTER policy.
Within this policy I have created the RULE "DNS".
Within this rule I have a DNS filter.

Filter is set up as follows:

source = any IP address
destination = any IP address
protocol = tcp
from = any
to = 53

saved/applied

I now assigned the policy and try

telnet <dns ip> 53

It fails to connect to the remote DNS server.

If I unassign the policy it works again.

Why does my policy fail to allow DNS to pass through?

(Have used gpupdate to flush just in case, but ASSIGN then UNASSIGN clearly
shows the 2 states failing / working.)

Thanks for any advice.

Scott


Guest Herb Martin
Posted

Re: IP Security Policies won't allow DNS 53 to pass through?

"Scott" <scott_lotus@yahoo.co.uk> wrote in message
news:ObVa%23HErIHA.1772@TK2MSFTNGP03.phx.gbl...

> Hi,
>
> On Windows 2003 64-bit server I run the following test
>
> telnet <dns ip> 53
> I connect OK to a remote DNS server.

Do note that telnet is a TCP (only) utility and that DNS
resolution is mostly UDP.

NetCat (free on the Internet) is a much better tool for
non-TCP services and even for TCP stuff too.

> I created a PACKET FILTER policy.
> Within this policy I have created the RULE "DNS".
> Within this rule I have a DNS filter.
>
> Filter is set up as follows:
> source = any IP address
> destination = any IP address
> protocol = tcp
> from = any
> to = 53
> saved/applied
>
> I now assigned the policy and try
> telnet <dns ip> 53

Are these RRAS filters or IPSec? Are you allowing, denying,
or (for IPSec only) negotiating IPSec?

> It fails to connect to the remote DNS server.
>
> If I unassign the policy it works again.
> Why does my policy fail to allow DNS to pass through?

Did you build an IPSec policy yourself, use Kerberos as the
authentication method, and block Kerberos perhaps?

(The default policies all use Kerberos authentication AND
exempt Kerberos from the IPSec requirement.)

> (Have used gpupdate to flush just in case, but ASSIGN then UNASSIGN clearly
> shows the 2 states failing / working.)

IPSecMon might be of use. Turn on Account Logon auditing and
monitor authentication when you are working with Kerberos
authenticated IPSec.
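Herb's point that telnet only exercises TCP while DNS resolution mostly runs over UDP can be checked directly rather than inferred from a telnet connect. The script below is an added example for this thread, not code from either poster or from any Microsoft tool: it builds a raw DNS query with the standard library, sends it once over UDP and once over TCP (TCP DNS carries a two-byte length prefix), and reports the outcome per transport. The placeholder server address 192.0.2.53, the query name example.com, and the function names are all assumptions made for the example.

```python
# Added example (not from the original thread): probe a DNS server over
# both UDP and TCP so the two transports can be compared, since telnet
# only exercises TCP. Uses only the Python standard library.
import random
import socket
import struct

DNS_PORT = 53


def build_query(name, qtype=1, txid=None):
    """Build a minimal recursive DNS query (default: A record) for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_response_header(data):
    """Return (txid, rcode, answer_count) from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    return txid, flags & 0x000F, an


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, name, timeout=2.0):
    """Send the query over UDP (the transport resolvers normally use)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    txid, rcode, answers = parse_response_header(data)
    if txid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return rcode, answers


def query_tcp(server, name, timeout=2.0):
    """Send the same query over TCP; RFC 1035 prefixes a 2-byte length."""
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    txid, rcode, answers = parse_response_header(data)
    if txid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return rcode, answers


def check_dns_path(server, name="example.com"):
    """Report whether each transport produced a valid DNS response."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, answers = fn(server, name)
            results[transport] = "ok (rcode=%d, answers=%d)" % (rcode, answers)
        except (OSError, ValueError) as exc:  # timeouts are OSError subclasses
            results[transport] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    # 192.0.2.53 is a documentation-range placeholder; pass a real resolver.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    for transport, status in check_dns_path(server).items():
        print("%s/53 -> %s" % (transport, status))
```

Run it with and without the policy assigned: because UDP and TCP are reported separately, a filter that matches only `protocol = tcp` to port 53 shows up as a TCP failure with UDP still answering, which a telnet test alone cannot distinguish from DNS being blocked entirely.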

