IP Security Policies won't allow DNS 53 pass through?

Scott
Hi,

On a Windows 2003 64-bit server I run the following test:

telnet <dns ip> 53
I connect OK to a remote DNS server.

I created a PACKET FILTER policy.
Within this policy I have created the RULE "DNS".
Within this rule I have a DNS filter.

Filter is set up as follows:
source = any IP address
destination = any IP address
protocol = TCP
from = any
to = 53
saved/applied

I now assign the policy and try
telnet <dns ip> 53

It fails to connect to the remote DNS server.

If I unassign the policy it works again.

Why does my policy fail to allow DNS to pass through?

(Have used gpupdate to flush just in case, but ASSIGN then UNASSIGN clearly
shows the two states failing / working.)

Thanks for any advice.
Scott
 
Re: IP Security Policies won't allow DNS 53 pass through?


"Scott" <scott_lotus@yahoo.co.uk> wrote in message
news:ObVa%23HErIHA.1772@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> On a Windows 2003 64-bit server I run the following test:
>
> telnet <dns ip> 53
> I connect OK to a remote DNS server.


Do note that telnet is a TCP (only) utility and that DNS
resolution is mostly UDP.

NetCat (free on the Internet) is a much better tool for
non-TCP services and even for TCP stuff too.

> I created a PACKET FILTER policy.
> Within this policy I have created the RULE "DNS".
> Within this rule I have a DNS filter.
>
> Filter is set up as follows:
> source = any IP address
> destination = any IP address
> protocol = TCP
> from = any
> to = 53
> saved/applied
>
> I now assign the policy and try
> telnet <dns ip> 53


Are these RRAS filters or IPSec? Are you allowing, denying,
or (for IPSec only) negotiating IPSec?

> It fails to connect to the remote DNS server.
>
> If I unassign the policy it works again.
> Why does my policy fail to allow DNS to pass through?


Did you build an IPSec policy yourself, use Kerberos as the
authentication method, and block Kerberos perhaps?

(The default policies all use Kerberos authentication AND
exempt Kerberos from the IPSec requirement.)

> (Have used gpupdate to flush just in case, but ASSIGN then UNASSIGN clearly
> shows the two states failing / working.)


IPSecMon might be of use. Turn on Account Logon auditing and
monitor authentication when you are working with Kerberos
authenticated IPSec.
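As an added example (not from either poster), the point about telnet being TCP-only can be checked directly: the Python script below sends the same DNS query once over UDP and once over TCP (where DNS adds a 2-byte length prefix), so a filter that only passes one of the two transports shows up as one True and one False. The DNS server address is an assumption you supply when calling probe(); 192.0.2.53 in the comment is only a placeholder.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so a reply can be matched to our query

def build_query(name, qtype=1):
    """Encode a minimal DNS query: RD=1, one question, QTYPE=A by default, QCLASS=IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (recv may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def probe(server, name="example.com", timeout=3.0):
    """Send the same query over UDP and TCP; True means a matching reply came back."""
    q, results = build_query(name), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))            # one datagram out ...
            data, _ = s.recvfrom(512)            # ... one datagram back
            results["udp"] = parse_header(data)[0] == TXID
    except OSError:
        results["udp"] = False
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(q))              # length-prefixed on a stream
            (ln,) = struct.unpack("!H", recv_exact(s, 2))
            results["tcp"] = parse_header(recv_exact(s, ln))[0] == TXID
    except OSError:
        results["tcp"] = False
    return results  # e.g. probe("192.0.2.53") -> {"udp": True, "tcp": False}
```

Run it once with the policy assigned and once unassigned; a result with UDP True and TCP False means the filter matched only the telnet-style TCP test, not the transport most resolvers actually use.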
 