
RE: [FW1] Microsoft DNS and Firewall-1



Here's what's nasty (nice?) about NT DNS Manager and firewalls:
 
Although it is true that zone transfers occur over TCP53 and lookups on UDP53, the DNS Manager connection is IPC-based, meaning that you must allow NetBIOS from the controlling server to the controlled server.  My experience concurs with the thread thus far: "allow any" somehow doesn't do the trick - NetBIOS must be explicitly allowed.  Further, your credentials (i.e. username/password) on the controlling machine must match an account (be it local or domain) on the controlled server for passthrough authentication to succeed.  This theoretically augments the security of your DNS server, but complicates things a bit in terms of management.
 
HTH
 

Dan Hitchcock
Network Engineer

[email protected]
Xylo, Inc.
The work/life solution for corporate thought leaders

-----Original Message-----
From: Steve Allum [mailto:[email protected]]
Sent: Thursday, January 18, 2001 1:28 AM
To: '[email protected] at Internet'; '[email protected]'
Subject: RE: [FW1] Microsoft DNS and Firewall-1

I put in a trial rule, from DNS1 to DNS2, allow any and the policy properties are set to allow RPC control which appears as pseudo rule 4.

None of this appeared to help.

Steve

-----Original Message-----
From: [email protected] at Internet
Sent: Thursday, January 18, 2001 9:09 AM
To: Steve Allum
Subject: RE: [FW1] Microsoft DNS and Firewall-1


Have you allowed DNS UDP & TCP through the firewall? Server to Server
connections are TCP, client to Server are UDP.
 


Andrew Shore
BTcd
Information Systems Engineering
Internet & Multimedia

-----Original Message-----
From: Steve Allum [mailto:[email protected]]
Sent: 18 January 2001 08:12
To: '[email protected]'
Subject: [FW1] Microsoft DNS and Firewall-1



We have several semi-secure zones separated through the ports on a
Firewall-1 server.

I would like to set up each zone with its own Microsoft DNS server running
on NT, each one being a slave to one master DNS in the internal secure zone.

The initial test isn't going too well. The Microsoft DNS Manager can't see
any of the slaves and there doesn't seem to be any traffic generated at the
firewall. Looking at the Microsoft DNS Manual from O'Reilly it says that the
management is via a proprietary Microsoft RPC implementation, so I'm not
sure what ports or protocols it will be trying to use.

Does anyone have experience of trying to get DNS updates and management
through Firewall-1?

Thanks

Steve Allum
Software Services Group
Leicestershire County Council
UK
([email protected])



_______________________________________________________________________
The contents of this message do not necessarily represent the
opinions, views, policy or procedures of Leicestershire County Council.







 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.