allow outbound dns lookups on firewall
Hi all,

I have Server 2008 Web Edition running a web server that is pretty much completely isolated. I only need to allow incoming HTTP requests, and the web application running on it needs to perform DNS lookups. I set the Windows Firewall to block all outbound requests as the default in the firewall settings (which is not the default).

I now need to open up the needed ports to allow DNS lookups to work. I tried allowing outbound UDP traffic on port 53, but testing with nslookup does not work. If I allow all outbound traffic, nslookup does work.

What do I need to open to allow DNS name resolution? Thanks!

Jon
March 7th, 2008 6:03am
OK, I think I just answered my own question using the logging features of the firewall to troubleshoot the issue. For outbound, I needed to allow any local port and specific port 53 for remote. If anyone knows a better configuration, please let me know.

Thanks!

Jon
March 7th, 2008 6:17am
Hi,

Yes, I think that your proposed solution is the best configuration. I guess that you previously configured 'Outbound connections: Block' and disabled all allow rules, except for 'Core Networking DNS (DNS-Out)', in Outbound Rules to achieve the goal of blocking all outbound requests. Please note that the 'Core Networking DNS (DNS-Out)' rule is specific to the SVCHOST.EXE program in which the DNS service resides. Even though you enable it, DNS queries from other programs (like nslookup) will not be allowed outbound. As a result, we need to allow UDP outbound traffic from all local ports to remote port 53.

Hope this helps.
March 7th, 2008 2:20pm
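As an added example (not part of the thread above), here is how the rule Jon arrived at can be created from an elevated command prompt or PowerShell window with netsh advfirewall, which ships with Server 2008. The rule names, the placeholder DNS server address 192.0.2.53, and the choice to also permit TCP 53 are assumptions on my part; the thread itself only discusses UDP.

```powershell
# Added example, not from the original posts. Run elevated.
# Assumptions: rule names below are arbitrary; 192.0.2.53 is a placeholder
# for the server's actual configured DNS resolver.

# 1. Confirm that the active profile really blocks outbound by default
netsh advfirewall show currentprofile

# 2. Allow DNS queries from any local program and any local port to remote UDP 53.
#    This is the configuration the thread settled on.
netsh advfirewall firewall add rule name="DNS out (UDP 53)" dir=out action=allow protocol=UDP localport=any remoteport=53

# 3. Responses larger than 512 bytes fall back to TCP, so allow TCP 53 as well,
#    otherwise some lookups (large records, zone data) fail while nslookup looks fine.
netsh advfirewall firewall add rule name="DNS out (TCP 53)" dir=out action=allow protocol=TCP localport=any remoteport=53

# 4. Tighter variant: restrict the rule to the resolver the server actually uses,
#    so a compromised process cannot use port 53 to reach arbitrary hosts.
#    Replace 192.0.2.53 with the real resolver address before using this instead of step 2.
netsh advfirewall firewall add rule name="DNS out (UDP 53, resolver only)" dir=out action=allow protocol=UDP localport=any remoteport=53 remoteip=192.0.2.53

# 5. Verify the rules exist and that resolution works from an ordinary process
netsh advfirewall firewall show rule name="DNS out (UDP 53)"
nslookup example.com
```

The remoteip restriction in step 4 is the check worth adding on an isolated web server: with only the port constrained, any process on the box can send UDP to port 53 of any address, which is a common way for data to leave a "locked down" host. If the firewall log (the same log Jon used to troubleshoot) still shows dropped UDP 53 packets after adding the resolver-only rule, the resolver address in the rule does not match the one configured on the network adapter.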