Tom's Hardware > Forum > Windows 2000/NT > Windows 2000/NT General Discussion > Ephemeral ports in Windows2000 (a way to fix the port for ..

Ephemeral ports in Windows2000 (a way to fix the port for ..

Forum Windows 2000/NT : Windows 2000/NT General Discussion - Ephemeral ports in Windows2000 (a way to fix the port for ..

Tom's Hardware: Over 1.4 million members in 6 different countries available to answer all your high-tech questions. Sign up now! Its free!
Ask the community Add a reply
Word :    Username :           
 
Anonymous   07-12-2004 at 04:41:46 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

 

Does anybody know how to fix the ports used for W2K when it queries root DNS
servers ?

We want to protect a DNS server throu ACLs, the problem is: according to the
Technet, W2K uses ephemeral ports (1024..5000) for such queries, which means
all that port range has to be open on the ACL, in order to permit the
entrance of the returning traffic throu the Router. We want that the DNS
server uses only a fixed port, let's say UDP 53, as it did on NT 4.

Thank you.

Add a reply
Sponsored Links
Register or log in to remove.
Anonymous   07-12-2004 at 08:08:25 PM
- 0 +

Archived from groups: microsoft.public.win2000.dns (More info?)

 

In news:%23opem8CaEHA.3476@tk2msftngp13.phx.gbl,
Roy Valenciano <royvalenciano@hotmail.com> asked for help and I offered my
suggestions below:
> Does anybody know how to fix the ports used for W2K when it queries
> root DNS servers ?
>
> We want to protect a DNS server throu ACLs, the problem is: according
> to the Technet, W2K uses ephemeral ports (1024..5000) for such
> queries, which means all that port range has to be open on the ACL,
> in order to permit the entrance of the returning traffic throu the
> Router. We want that the DNS server uses only a fixed port, let's say
> UDP 53, as it did on NT 4.
>
> Thank you.

I hate those emperial ports. You can force it thru the reg. Read up on it:

SendPort for DNS (is what you need to know about):
http://www.microsoft.com/windows20 [...] /95408.asp

Read up on this. In part 3 there's info about the SendOnNonDnsPort.
Some more info on reg entries for DNS:
198410 - Microsoft DNS Server Registry Parameters, Part 3 of 3:
http://support.microsoft.com/?id=198410
198409 - Microsoft DNS Server Registry Parameters, Part 2 of 3:
http://support.microsoft.com/?id=198409
198408 - Microsoft DNS Server Registry Parameters, Part 1 of 3:
http://support.microsoft.com/?id=198408

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================

Reply to Anonymous
Anonymous   07-15-2004 at 10:43:45 PM
- 0 +

Archived from groups: microsoft.public.win2000.dns (More info?)

 

RV> We want to protect a DNS server throu[gh] ACLs, the problem is:

The problem is that you don't understand what you are doing and why.
Ephemeral ports are a good thing. What you are supposedly protecting your DNS
server from is response spoofing. But part of what makes responses difficult
(albeit not very difficult - The DNS protocol was not well designed.) to spoof
is that an attacker has to guess both message ID and local port number. If
you fix the local port number, in the way that you are wanting to, all that an
attacker has to do is guess the message ID. You merely make the attack quite
a lot easier.

<URL:http://cr.yp.to/djbdns/forgery.html>

Reply to Anonymous
Ask the community Add a reply
Tom's Hardware > Forum > Windows 2000/NT > Windows 2000/NT General Discussion > Ephemeral ports in Windows2000 (a way to fix the port for ..
Go to:

There are 1349 identified and unidentified users. To see the list of identified users, Click here.

Forum map
Bestofmedia Forum ©
2000-2009 Bestofmedia Group
Page generated in 0.315 seconds
Please mind

You are about to answer a thread that has been inactive for more than 6 months.
If you still wish to proceed, please ensure that your posting is original and does not duplicate or overlap any prior responses to this thread.

Add a reply Cancel
Sponsored links
  • Ask the community now
  • Publish
Ad
They won a badge
Join us in greeting them
How do I win badges?