How to Configure DNS Behind a Windows Firewall?


  • How to Configure DNS Behind a Windows Firewall?

    I have a problem when joining a client PC to a domain. If the Windows Firewall is on, I'm able to get the authentication dialog box to type the username and password. But the authentication takes a while and eventually I get an error message that says:
    The specified server cannot perform the requested operation.

    However, if the Windows Firewall is off, the operation is successful. In the Exceptions list, I have forwarded the ports given below by Microsoft, but the problem is still the same.

    However, nowadays one can't do without a double firewall to protect the environment, so I can't turn it off.

    Could you suggest something, please?

    Code:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;323380
    Code:
    How to Configure DNS Behind a Firewall
    Proxy and Network Address Translation (NAT) devices can restrict access to ports. DNS uses UDP port 53 and TCP port 53. The DNS Service Management console also uses RPC. RPC uses port 135. These are potential issues that may occur when you configure DNS and firewalls.

    Habibalby
    ================================
    HND: Higher National Diploma in
    Computer Science(IT)


    Passed:
    MCSA+Security 2003, VCP3, VCP4
    Done:VMware DSA
    ================================

  • #2
    Re: How to Configure DNS Behind a Windows Firewall?

    Which ports do you currently allow?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: How to Configure DNS Behind a Windows Firewall?

      UDP 53 and TCP 53. The scope was on Any Computer and I also changed it to My Network Subnet. But no luck, still the same problem.


      • #4
        Re: How to Configure DNS Behind a Windows Firewall?

        I don't think this has anything to do with DNS resolution, as you have connected to the server, thus the authentication box.

        Have a look here



        • #5
          Re: How to Configure DNS Behind a Windows Firewall?

          Hi Mate,

          I went through this article and found that all my configuration is fine. I have done some testing with the commands they give, and the results are fine too.

          The only thing that came to my mind is that this server is configured as a DC, DNS, DHCP, file server, WINS and print server.

          Since it forwards the clients' DNS requests and provides DHCP, surely I have a problem in the firewall.

          And to do it right, I have to use RRAS "Remote and Routing Access" as well as NAT "Network Access Translation" in order to use the internal firewall in the NAT.

          While ICS "Internet Connection Sharing" is on and I insist on turning on the built-in firewall in Win2k3, surely the clients will have a problem accessing the Internet, as well as when I join a new computer to a domain, even when TCP and UDP port 53 is forwarded and TCP and UDP 1024 is forwarded as well.


          So it's better to configure RRAS "Remote and Routing Access" and use NAT with the built-in firewall in order to implement a more secure network.

          But can I implement RRAS using one NIC, since it's going to provide access to the private LAN and an external network such as the Internet?

          Thanks,

          Habibalby


          • #6
            Re: How to Configure DNS Behind a Windows Firewall?

            But is it possible to configure NAT with a dynamic public IP address and then use a dynamic update client to update my IP?

            Thanks,

            Habibalby


            • #7
              Re: How to Configure DNS Behind a Windows Firewall?

              The Windows Firewall will NOT block outgoing traffic. It will only block incoming.

              Thus for DNS to work correctly you need to have port 53 open on your firewalls.

              Are you doing this on a domain??



              • #8
                Re: How to Configure DNS Behind a Windows Firewall?

                Yes, I'm in a domain also; please check my third post. I have mentioned that I have forwarded UDP 53 and TCP 53, but it is still the same problem.

                Is it because ICS is enabled on this server that I cannot enable the firewall?

                Thanks,

                habibalby


                • #9
                  Re: How to Configure DNS Behind a Windows Firewall?

                  Dear habibalby!
                  You have checked things that are useless and cause everyone to be confused. Do not go further with changes to the Windows Firewall settings.
                  I hoped others would help you, but it's so simple to solve.
                  Key point: You have denied a specific UDP port which is used for domain registration.



                  • #10
                    Re: How to Configure DNS Behind a Windows Firewall?

                    Originally posted by S2002
                    Dear habibalby!
                    You have checked things that are useless and cause everyone to be confused. Do not go further with changes to the Windows Firewall settings.
                    I hoped others would help you, but it's so simple to solve.
                    Key point: You have denied a specific UDP port which is used for domain registration.

                    Why am I confusing everyone? The server which I have is running the following services:

                    1. DC
                    2. File & Print Server
                    3. Forwarding DNS Queries
                    4. DHCP
                    5. WINS
                    6. Terminal Server

                    Since the server is running the above services, it requires some ports to be forwarded in order to function correctly, am I right?

                    DHCP - UDP 2535
                    DHCP - UDP 67
                    DNS - TCP 53
                    DNS - UDP 53
                    High DNS - TCP 1024
                    High DNS - UDP 1024
                    File and Print Sharing - TCP 139 TCP 445,135
                    File and Print Sharing - UDP 137 UDP 138,135

                    These ports are in the exception list for these services to function correctly.

                    What else?
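An added example, not part of the original posts: it parses the exception list quoted in post #10 and compares it with the inbound ports a domain controller is generally documented to need for domain members. The `DC_PORTS` table, the dynamic RPC range and the function names are assumptions for illustration, not values taken from this thread.

```python
import re

# Constructed input: the exception list as quoted in post #10.
POSTED = """\
DHCP - UDP 2535
DHCP - UDP 67
DNS - TCP 53
DNS - UDP 53
High DNS - TCP 1024
High DNS - UDP 1024
File and Print Sharing - TCP 139 TCP 445,135
File and Print Sharing - UDP 137 UDP 138,135
"""

# Assumption (not from this thread): inbound ports a DC needs for members.
DC_PORTS = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "Windows Time", ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP DC locator",
    ("tcp", 445): "SMB",
}
# Assumption: dynamic TCP range used by RPC services; adjust to the server OS.
RPC_DYNAMIC = range(1024, 65536)

def parse_exceptions(text):
    """Return {(proto, port)} from lines such as 'Name - TCP 139 TCP 445,135'."""
    rules = set()
    for line in text.splitlines():
        spec = line.partition(" - ")[2]
        proto = None
        for tok in re.findall(r"TCP|UDP|\d+", spec, re.I):
            if not tok.isdigit():
                proto = tok.lower()      # protocol applies to the ports after it
            elif proto:
                rules.add((proto, int(tok)))
    return rules

def audit(rules):
    """Return (missing DC ports, dynamic RPC ports opened, fraction of range open)."""
    missing = sorted(k for k in DC_PORTS if k not in rules)
    dyn = sorted(p for proto, p in rules if proto == "tcp" and p in RPC_DYNAMIC)
    return missing, dyn, len(dyn) / len(RPC_DYNAMIC)

if __name__ == "__main__":
    missing, dyn, frac = audit(parse_exceptions(POSTED))
    print("not in exception list:", [(*k, DC_PORTS[k]) for k in missing])
    print(f"dynamic RPC ports open: {dyn} ({frac:.4%} of range)")
```

A single exception for port 1024 opens one port of the dynamic range, which is why the audit reports the covered fraction separately from the fixed ports.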


                    • #11
                      Re: How to Configure DNS Behind a Windows Firewall?

                      Just read through all your posts again.

                      When you disable ICS you can access everything perfectly, including the Internet??

                      How exactly do you connect to the net?? Do you use a router as well as ICS??

                      I think the problem is the fact that ICS acts as a mini DHCP server and will try to dish out IP addresses in the range of 192.168.0.0/24. This MAY or MAY not clash with your existing IP address.



                      • #12
                        Re: How to Configure DNS Behind a Windows Firewall?

                        Ping the server from the client and ping the client from the server. What is the result?
                        ICMP echo on/off
                        Good luck



                        • #13
                          Re: How to Configure DNS Behind a Windows Firewall?

                          Originally posted by habibalby
                          Why am I confusing everyone? The server which I have is running the following services:

                          1. DC
                          2. File & Print Server
                          3. Forwarding DNS Queries
                          4. DHCP
                          5. WINS
                          6. Terminal Server

                          Since the server is running the above services, it requires some ports to be forwarded in order to function correctly, am I right?

                          DHCP - UDP 2535
                          DHCP - UDP 67
                          DNS - TCP 53
                          DNS - UDP 53
                          High DNS - TCP 1024
                          High DNS - UDP 1024
                          File and Print Sharing - TCP 139 TCP 445,135
                          File and Print Sharing - UDP 137 UDP 138,135

                          These ports are in the exception list for these services to function correctly.

                          What else?
                          Where on earth did you get these numbers from????

                          Are you sure you know what you're doing? Try to disable the FW and then see what happens.

                          Second, you must be joking when you say that you're using ICS in a domain environment. Aren't you? ICS???????? Do you know what ICS does to your network? Look at one of your computers, run IPCONFIG /ALL and see what settings it got, and what is the DNS address for that computer.

                          Read my lips: Drop ICS!!!
                          Cheers,

                          Daniel Petri
                          Microsoft Most Valuable Professional - Active Directory Directory Services
                          MCSA/E, MCTS, MCITP, MCT



                          • #14
                            Re: How to Configure DNS Behind a Windows Firewall?

                            Yes, I do use an ADSL router with ICS! It's enabled by default in Win2k3.

                            When I disable it, I can still access the Internet, because the DHCP server dishes out the ADSL router's IP as the default gateway. The DHCP in the ADSL router is disabled.

                            Pinging the IPs from the clients: yes, I can ping successfully, and vice versa.

                            danielp, I got these ports from the Microsoft website. When I disable the firewall, I can add clients to the domain successfully without any problem.

                            IPConfig /All result from the member server:
                            Code:
                            Windows IP Configuration
                            
                               Host Name . . . . . . . . . . . . : Srv-2
                               Primary Dns Suffix  . . . . . . . : kuku.co.il
                               Node Type . . . . . . . . . . . . : Unknown
                               IP Routing Enabled. . . . . . . . : Yes
                               WINS Proxy Enabled. . . . . . . . : Yes
                               DNS Suffix Search List. . . . . . : kuku.co.il
                                                                   co.il
                            
                            Ethernet adapter Local Area Connection:
                            
                               Connection-specific DNS Suffix  . :
                               Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
                               Physical Address. . . . . . . . . : 00-C0-9F-81-DC-CA
                               DHCP Enabled. . . . . . . . . . . : No
                               IP Address. . . . . . . . . . . . : 192.168.1.3
                               Subnet Mask . . . . . . . . . . . : 255.255.255.0
                               Default Gateway . . . . . . . . . : 192.168.1.254
                               DNS Servers . . . . . . . . . . . : 192.168.1.1
                                                                   192.168.1.3
                               Primary WINS Server . . . . . . . : 192.168.1.1
                            
                            D:\Documents and Settings\Administrator.KUKU>
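The check suggested in post #13 (run IPCONFIG /ALL and look at the DNS address), as an added example that is not part of the original posts: it parses single-adapter output, including continuation lines, and flags settings worth a second look. The ICS range is the one named in post #11; the rule that DNS servers should sit on the adapter's own subnet and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: abridged from the IPCONFIG /ALL output in post #14.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Srv-2
   IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.3
"""

ICS_NET = ipaddress.ip_network("192.168.0.0/24")  # range named in post #11

def parse_ipconfig(text):
    """Return {field: [values]}; an indented line without a label
    continues the previous field (e.g. the second DNS server)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+?)[ .]*:\s*(.*)$", line)
        if m:
            last = m.group(1)
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif line.startswith(" ") and line.strip() and last:
            fields[last].append(line.strip())
    return fields

def findings(f):
    """Return a list of human-readable observations for one adapter."""
    out = []
    net = ipaddress.ip_network(
        f"{f['IP Address'][0]}/{f['Subnet Mask'][0]}", strict=False)
    if net.overlaps(ICS_NET):
        out.append("adapter is on the ICS subnet")
    out += [f"DNS server {a} is outside {net}"
            for a in f.get("DNS Servers", [])
            if ipaddress.ip_address(a) not in net]
    if f.get("IP Routing Enabled") == ["Yes"]:
        out.append("IP routing is enabled on this host")
    return out

if __name__ == "__main__":
    print(findings(parse_ipconfig(SAMPLE)))
```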


                            • #15
                              Re: How to Configure DNS Behind a Windows Firewall?

                              If you are using a router then you have absolutely no need to use ICS also.

                              ICS in a domain is no good.
