LnS With DynDNS Service

Discussion in 'LnS English Forum' started by whitedragon551, Sep 12, 2010.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
    I see in my LnS log that I have this entry:

    [screenshot: DynDNS.jpg]

    Anyone know how to allow this communication without allowing all ICMP types?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If you really want to allow it, then in that log view, right-click the log entry and, in the popup window, select: "Add rule: ICMP: Allow Type 3 Code 3".
    You can then go into the "Internet filtering" tab and edit the rule to allow just the outbound and place the IPs of the DNS servers.

    NOTE: That ICMP is an outbound "Destination unreachable:port unreachable", so the actual DNS service is not being blocked.
    It just looks like you are getting late replies from the DNS servers.


    - Stem
     
  3. whitedragon551

    whitedragon551 Registered Member

    There isn't a way to just allow communication with those servers? I don't want to allow all type 3, code 3s.
     
  4. Stem

    Stem Firewall Expert

    As I stated in my last post, you can add the IPs of the DNS servers to the rule.


    After you create the rule from the log, go into the "Internet filtering" tab and double left-click the rule to bring up the rule edit window. Change the direction to "outbound"; then, if you only have 1 DNS server, change the "Destination" to "Equals" and enter the DNS server IP.
    [screenshot: 01.png]

    If you have 2 DNS server IPs to enter, then change the "Destination" to "Equal or" and enter the 2 IPs.
    [screenshot: 02.png]


    - Stem
     
  5. whitedragon551

    whitedragon551 Registered Member

    Based on this, will it affect anything between DynDNS and my Netgear router? Or between my router and PC? That is, if I don't create the rule?
     
  6. Stem

    Stem Firewall Expert

    No.


    - Stem
     
  7. whitedragon551

    whitedragon551 Registered Member

    Alrighty then. Straightforward. Now let me ask you this. Are there any advantages to creating the rule other than getting rid of that particular error in the log screen?
     
  8. Stem

    Stem Firewall Expert

    Not really.

    The ICMP will tell the DNS server that its reply has hit a closed/filtered port, but that is not actually helping you or the DNS server in this case.


    - Stem
     
  9. Stem

    Stem Firewall Expert

    Hi whitedragon551,

    I should have taken more time explaining what is happening here, so you can better understand and then take steps as you see fit.

    As I mentioned, the ICMP error is being generated due to the late reply from the DNS server. However, the ICMP is due to the late DNS reply being allowed by the open rule that is in the default rules; it is then the system that generates the ICMP error (as no application is listening on that port), and then L'n'S blocks that outbound ICMP error message.

    You would be better off using the SPF DNS rules for the DNS, as late inbound replies would then be blocked at the inbound attempt due to the timeout.


    - Stem
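The mechanism Stem describes in posts 2 and 9 (a late DNS reply slips in through the open default rule, the host's IP stack answers with ICMP type 3 code 3 because nothing is bound to that port any more, and the firewall logs the outbound error) can be checked from the packet itself, because an ICMP Destination Unreachable carries the header of the datagram that provoked it. The following is an added example in Python, not code from this thread or from Look 'n' Stop: it builds such an error packet from constructed bytes, decodes it to recover the DNS server address and port 53 from the embedded datagram, and contrasts a static "allow inbound UDP from port 53" rule with a stateful UDP rule that expires after a timeout, which is the SPF behaviour Stem recommends. The addresses (RFC 5737 and RFC 1918), the ephemeral port 51234 and the 30-second timeout are assumptions for illustration, not values from the thread or from the product.

```python
"""Decode an ICMP "Destination Unreachable: Port Unreachable" (type 3, code 3)
message, attribute it to the DNS exchange that caused it, and contrast a static
"allow inbound UDP from port 53" rule with a stateful UDP rule that times out.
Added example, not from the thread or Look 'n' Stop. Addresses (RFC 5737 and
RFC 1918), the ephemeral port and the 30 s timeout are constructed assumptions;
the packet bytes are built inline, not captured."""
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_port_unreachable(client, dns_server, client_port, reply_len=45):
    """The packet the client's IP stack emits when a datagram from the DNS
    server's port 53 lands on client_port with no socket bound there. Per
    RFC 792 the ICMP body carries the offending IP header plus its first
    8 bytes, i.e. the whole UDP header. This is what the firewall logged."""
    udp = struct.pack("!HHHH", 53, client_port, 8 + reply_len, 0)
    offending = ipv4_header(dns_server, client, 17, 8 + reply_len) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(client, dns_server, 1, len(icmp)) + icmp

def parse_port_unreachable(packet):
    """Outer addresses, ICMP type/code and the embedded datagram's 5-tuple;
    raises ValueError if this is not a well-formed ICMP type 3 error."""
    if packet[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if checksum(icmp) != 0:  # a valid checksum sums to zero over the whole message
        raise ValueError("bad ICMP checksum")
    if icmp[0] != 3:
        raise ValueError("ICMP type %d is not Destination Unreachable" % icmp[0])
    inner = icmp[8:]
    off = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[off:off + 4])
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "type": icmp[0], "code": icmp[1], "inner_proto": inner[9],
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner_sport": sport, "inner_dport": dport}

def describe(info):
    """The sentence a log reader wants instead of 'ICMP 3/3 blocked'."""
    if info["code"] == 3 and info["inner_proto"] == 17 and info["inner_sport"] == 53:
        return ("late DNS reply from %s:53 hit closed local port %d; host sent "
                "port-unreachable to %s" % (info["inner_src"], info["inner_dport"],
                                            info["outer_dst"]))
    return "ICMP type %d code %d about %s -> %s proto %d" % (
        info["type"], info["code"], info["inner_src"], info["inner_dst"], info["inner_proto"])

def static_dns_rule_allows(remote_port):
    """The open default-style rule: any inbound UDP from source port 53, any time."""
    return remote_port == 53

class UdpStateTable:
    """Simplified stateful (SPF-style) UDP rule: inbound is allowed only if it
    answers an outbound datagram seen within `timeout` seconds (30 s is an
    assumption, not Look 'n' Stop's actual value)."""
    def __init__(self, timeout=30.0):
        self.timeout, self._flows = timeout, {}
    def outbound(self, local_port, remote_ip, remote_port, now):
        self._flows[(local_port, remote_ip, remote_port)] = now
    def allow_inbound(self, remote_ip, remote_port, local_port, now):
        key = (local_port, remote_ip, remote_port)
        sent = self._flows.get(key)
        if sent is None or now - sent > self.timeout:
            self._flows.pop(key, None)  # expired: dropped at the inbound attempt
            return False
        return True

def demo():
    """Query at t=0: a reply at t=1 passes both rules; a reply at t=45 passes
    only the static rule, so the host answers it with the ICMP built above."""
    table = UdpStateTable()
    table.outbound(51234, "192.0.2.53", 53, now=0.0)
    prompt = table.allow_inbound("192.0.2.53", 53, 51234, now=1.0)
    late_stateful = table.allow_inbound("192.0.2.53", 53, 51234, now=45.0)
    info = parse_port_unreachable(build_port_unreachable("192.168.1.10", "192.0.2.53", 51234))
    return prompt, late_stateful, static_dns_rule_allows(53), describe(info)
```

Running `demo()` returns `(True, False, True, 'late DNS reply from 192.0.2.53:53 hit closed local port 51234; ...')`: the stateful table never lets the 45-second-late reply in, so the host never has to generate the ICMP and nothing shows up in the log, whereas the static port-53 rule passes it. The parser also rejects a packet whose ICMP checksum does not verify, so a log-analysis script built on it will not attribute a corrupted or spoofed error to the wrong DNS server.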
     