Kerio DNS rules

Discussion in 'other firewalls' started by iceni60, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hi, I lost my Kerio 2.1.5 rules when I did a system restore, and the backup I had isn't very good. I'm trying to configure my DNS rules. I'm using BZ's rules, and he has two rules called primary and secondary DNS server. If I do ipconfig /all it shows two DNS servers; they are what I am using. Do these DNS rules look OK? Thanks
     

  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi iceni60

    Those rules look fine :)

    Once in a blue moon, DNS will use TCP outbound. If you should start to see these being blocked, you could modify your rules:

    Permit, Inbound, UDP, local 1024-5000, remote 53, remote IP DNS server.
    Permit, Outbound, TCP/UDP, local 1024-5000, remote 53, remote IP DNS server.

    Regards,

    CrazyM
     
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks, CrazyM :) I was going to ask about that. I would have thought it would mainly use TCP; obviously not, which shows how much I know. It looks like throughout the loading of a page the browser will send out a UDP DNS request, load that bit of data, then ask for the next bit using another DNS request, then load that, so throughout the loading of a page there will be lots of little UDP datagrams. It makes sense now; I was just watching how it works with a packet sniffer. Is that correct? :)
     
  4. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    According to the RFC, TCP will be used for transfers over 512 bytes. It probably occurs even more rarely than a blue moon. I do not believe this behaviour justifies a rule, but that's just me - I have never seen it occur in everyday use.

    On another note, DNS bears many similarities to HTTP even though HTTP is a TCP protocol. Hence you can see why HTTP or DNS is used for covert channels.
     
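An added worked example, not code from this thread or from Kerio: a small Python model of the two DNS rules CrazyM posted, run over constructed sample flows, plus a check of the DNS header TC (truncation) bit that lies behind ghost16825's 512-byte remark. When a UDP answer comes back truncated or over 512 bytes, the client repeats the query over TCP port 53, which is the outbound TCP that the second rule permits. The resolver addresses (RFC 5737 documentation range), the sample port numbers and the packet bytes are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed stand-ins for the two resolvers "ipconfig /all" would list
# (RFC 5737 documentation addresses, not real servers).
DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}
EPHEMERAL_PORTS = range(1024, 5001)   # "local 1024-5000" in the posted rules
DNS_PORT = 53
UDP_MAX_PAYLOAD = 512                 # classic RFC 1035 limit for DNS over UDP
TC_FLAG = 0x0200                      # TC bit in the DNS header flags word


@dataclass(frozen=True)
class Flow:
    """One packet as a personal firewall like Kerio 2.x sees it."""
    direction: str      # "in" or "out"
    proto: str          # "UDP" or "TCP"
    local_port: int
    remote_port: int
    remote_ip: str


def dns_rule_verdict(flow: Flow) -> str:
    """Apply the two DNS rules from the thread; anything else is denied.

    Rule 1: Permit, Inbound,  UDP,     local 1024-5000, remote 53, remote IP = DNS server
    Rule 2: Permit, Outbound, TCP/UDP, local 1024-5000, remote 53, remote IP = DNS server
    """
    if flow.remote_ip not in DNS_SERVERS:
        return "deny"                 # not one of the configured resolvers
    if flow.remote_port != DNS_PORT or flow.local_port not in EPHEMERAL_PORTS:
        return "deny"                 # wrong port pair for a client lookup
    if flow.direction == "in" and flow.proto == "UDP":
        return "permit"               # rule 1: UDP reply from the resolver
    if flow.direction == "out" and flow.proto in ("UDP", "TCP"):
        return "permit"               # rule 2: query, or the TCP retry of a truncated one
    return "deny"                     # e.g. inbound TCP: neither rule permits it


def needs_tcp_retry(response: bytes) -> bool:
    """True when a UDP answer is truncated (TC bit set) or exceeds the UDP limit.

    A resolver client then repeats the query over TCP 53, the 'once in a
    blue moon' outbound TCP that rule 2 covers."""
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG) or len(response) > UDP_MAX_PAYLOAD


def build_response_header(tc: bool) -> bytes:
    """Constructed 12-byte DNS header: id 0x1234, standard response, RD and RA set."""
    flags = 0x8180 | (TC_FLAG if tc else 0)
    # id, flags, qdcount, ancount, nscount, arcount
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


SAMPLE_FLOWS = [  # constructed: (label, flow, expected verdict)
    ("UDP query to a configured resolver", Flow("out", "UDP", 1025, 53, "192.0.2.53"), "permit"),
    ("UDP reply from that resolver",       Flow("in", "UDP", 1025, 53, "192.0.2.53"), "permit"),
    ("TCP retry after a truncated answer", Flow("out", "TCP", 1026, 53, "192.0.2.54"), "permit"),
    ("query to an unlisted DNS server",    Flow("out", "UDP", 1027, 53, "198.51.100.9"), "deny"),
    ("inbound TCP on the DNS port pair",   Flow("in", "TCP", 1028, 53, "192.0.2.53"), "deny"),
    ("query from a port below 1024",       Flow("out", "UDP", 500, 53, "192.0.2.53"), "deny"),
]


def run_samples():
    """Evaluate every sample flow; returns (label, verdict, expected) triples."""
    return [(label, dns_rule_verdict(f), expected) for label, f, expected in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, verdict, expected in run_samples():
        print(f"{verdict:6} (expected {expected:6})  {label}")
    print("truncated reply -> retry over TCP:", needs_tcp_retry(build_response_header(tc=True)))
    print("normal reply    -> retry over TCP:", needs_tcp_retry(build_response_header(tc=False)))
```

The "deny" verdicts are the ones worth watching in the firewall log: a lookup sent to a server that is not one of the two configured resolvers, or traffic on port 53 that does not fit the client query pattern, is exactly what a narrow rule like this is meant to surface rather than silently allow.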