Wilders Security Forums  

  #1  
Old February 12th, 2005, 11:50 PM
iceni60 iceni60 is offline
( ^o^)
 
Join Date: Jun 2004
Posts: 5,116
Default kerio DNS rules

hi, i lost my Kerio 2.1.5 rules when i did a system restore and the backup i had isn't very good. i'm trying to configure my DNS rules. i'm using BZ's rules and he has two rules called primary and secondary DNS server. if i do ipconfig /all it shows two DNS servers; they are what i am using. do these DNS rules look OK? thanks
  #2  
Old February 13th, 2005, 12:33 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re: kerio DNS rules

Hi iceni60

Those rules look fine

Once in a blue moon DNS will use TCP outbound. If you should start to see these being blocked you could modify your rules:

Permit, Inbound, UDP, local 1024-5000, remote 53, remote IP DNS server.
Permit Outbound TCP/UDP, local 1024-5000, remote 53, remote IP DNS server.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
  #3  
Old February 13th, 2005, 01:06 AM
iceni60 iceni60 is offline
( ^o^)
 
Join Date: Jun 2004
Posts: 5,116
Default Re: kerio DNS rules

Quote:
Originally Posted by CrazyM
Hi iceni60

Those rules look fine

Once in a blue moon DNS will use TCP outbound. If you should start to see these being blocked you could modify your rules:

Permit, Inbound, UDP, local 1024-5000, remote 53, remote IP DNS server.
Permit Outbound TCP/UDP, local 1024-5000, remote 53, remote IP DNS server.

Regards,

CrazyM

thanks, CrazyM. i was going to ask about that. i would have thought it would mainly use TCP, obviously not, shows how much i know. it looks like throughout the loading of a page the browser will send out a UDP DNS request, load that bit of data, then ask for the next bit, using another DNS request, then load that, so throughout the loading of a page there will be lots of little UDP datagrams. it makes sense now, i was just watching how it works with a packet sniffer. is that correct?
  #4  
Old February 13th, 2005, 09:05 PM
ghost16825 ghost16825 is offline
Regular Poster
 
Join Date: Feb 2005
Posts: 84
Default Re: kerio DNS rules

According to the RFC, TCP will be used for transfers over 512 bytes. It probably occurs more rarely than a blue moon. I do not believe this behaviour justifies a rule but that's just me - I have never seen it occur in everyday use.

On another note, DNS bears many similarities to HTTP even though HTTP is a TCP protocol. Hence you can see why HTTP or DNS is used for covert channels.
__________________
---
Formerly the admin of the Kerio 2x-like open source project
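
Added example, not part of any post in this thread and not Kerio's own rule format: a simplified Python model of the two rules quoted above, showing what happens when a UDP reply arrives with the DNS truncation (TC) bit set and the client retries over TCP. The first-match/default-deny evaluation, the UDP-only baseline, the server address 192.0.2.53 and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

DNS_SERVER = ipaddress.ip_address("192.0.2.53")  # constructed placeholder, not from the thread
EPHEMERAL = range(1024, 5001)                     # local ports 1024-5000 from the quoted rules

# (action, direction, protocols, local ports, remote port, remote IP); first match wins.
UDP_ONLY = [  # assumed baseline: DNS permitted over UDP only
    ("permit", "in", {"udp"}, EPHEMERAL, 53, DNS_SERVER),
    ("permit", "out", {"udp"}, EPHEMERAL, 53, DNS_SERVER),
]
TCP_AND_UDP = [  # the two rules as quoted in the thread
    ("permit", "in", {"udp"}, EPHEMERAL, 53, DNS_SERVER),
    ("permit", "out", {"tcp", "udp"}, EPHEMERAL, 53, DNS_SERVER),
]

def decide(rules, direction, proto, local_port, remote_port, remote_ip):
    """Return the action of the first matching rule; unmatched traffic is denied (assumption)."""
    remote_ip = ipaddress.ip_address(remote_ip)
    for action, r_dir, protos, local_ports, r_port, r_ip in rules:
        if (direction == r_dir and proto in protos and local_port in local_ports
                and remote_port == r_port and remote_ip == r_ip):
            return action
    return "deny"

def is_truncated(message: bytes) -> bool:
    """True if the DNS header has TC set, i.e. the answer did not fit in the UDP reply."""
    if len(message) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _msg_id, flags = struct.unpack("!HH", message[:4])
    return bool(flags & 0x0200)  # TC is bit 0x0200 of the 16-bit flags field

def tcp_retry_blocked(rules, reply: bytes, local_port: int) -> bool:
    """True when a truncated UDP reply forces a TCP retry that the rule set denies."""
    return is_truncated(reply) and decide(
        rules, "out", "tcp", local_port, 53, DNS_SERVER) == "deny"

# Constructed 12-byte DNS response headers: QR=1, RD=1, RA=1, without and with TC.
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1A2B, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, rules in (("UDP only", UDP_ONLY), ("TCP/UDP outbound", TCP_AND_UDP)):
        print(name, "-> TCP retry blocked:", tcp_retry_blocked(rules, TRUNCATED_REPLY, 1337))
```
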
 

All times are GMT -4.