CSA issue with firewall rule

Dec 16th, 2009

I created a rule in CSA 6.0 that, by default, blocks any application on any machine from being connected to as a server. On a DC we made an exception for the server to be connected to on UDP 53 for DNS. However, we are seeing the messages below. The port ranges, so far, from 30,000 to 65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them, or is this normal? Also, it is running OpenDNS.



Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.

jan.nielsen Wed, 12/16/2009 - 19:21

You are behind a hardware/appliance firewall, right? If so, that port should not be open, which tells me that this is an accept of a UDP reply from OpenDNS to a request the server made, and not an actual request from OpenDNS to your server, because all DNS traffic works on port 53 TCP/UDP as the destination port.

jan.nielsen Wed, 12/16/2009 - 19:22

Oh, and you could do a specific rule for the OpenDNS addresses where this is allowed.
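
The two replies above make one argument: the inbound UDP datagram on port 61660 is the resolver's answer to a query dns.exe itself sent from that ephemeral port, and the exception should therefore be scoped to the OpenDNS resolver addresses. As an added example that is not part of the original thread and not Cisco's or the poster's code, the Python below sketches the stateful check that CSA's "accept a connection as a server" heuristic lacks: it parses the audit line, correlates the flagged datagram against the queries dns.exe sent (matched on the local ephemeral source port, the resolver address and the 16-bit DNS transaction id), and only then applies a narrow allowlist of the public OpenDNS resolver addresses 208.67.222.222 and 208.67.220.220. The audit lines, the pending-query table and the reply packet are constructed inputs; the regex, the function names and the allowlist are assumptions for illustration, not CSA rule syntax.

```python
"""Stateful classification of a CSA 'accept a connection as a server' audit.

Constructed example, not CSA's or the poster's code. It shows why an inbound
UDP datagram to a high port can be a DNS reply rather than a server accept.
"""
import re
import struct
from collections import namedtuple

# Public OpenDNS resolver addresses, used here as a hypothetical allowlist.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Assumed pattern for the CSA audit text quoted in the post. The peer address
# is optional because the posted line reads "from using interface".
CSA_AUDIT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"accept a connection as a server on (?P<proto>TCP|UDP) port (?P<port>\d+) "
    r"from (?:(?P<peer>\S+) )?using interface"
)

# One outbound query as a stateful inspector would record it when dns.exe sent
# it: local ephemeral source port, resolver address and port, transaction id.
Query = namedtuple("Query", "local_port remote_ip remote_port txid")


def parse_csa_audit(line):
    """Extract process, user, protocol, port and (if logged) peer address."""
    m = CSA_AUDIT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d


def build_dns_query(txid, name, qtype=1):
    """Minimal DNS query: 12-byte header plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def dns_txid(packet):
    return struct.unpack("!H", packet[:2])[0]


def is_response(packet):
    """QR bit (0x8000 in the flags word) set means this is an answer."""
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x8000)


def classify(audit, pending, reply_packet=None):
    """Return 'reply', 'probable-reply (peer not logged)', 'unsolicited',
    'spoofed-or-stray' or 'not-a-udp-dns-event' for a flagged datagram."""
    if audit is None or audit["proto"] != "UDP":
        return "not-a-udp-dns-event"
    matches = [q for q in pending
               if q.local_port == audit["port"] and q.remote_port == 53
               and (audit["peer"] is None or q.remote_ip == audit["peer"])]
    if not matches:
        return "unsolicited"
    if reply_packet is not None:
        # A real answer carries QR=1 and echoes the txid of our own query.
        if (not is_response(reply_packet)
                or dns_txid(reply_packet) not in {q.txid for q in matches}):
            return "spoofed-or-stray"
    return "reply" if audit["peer"] else "probable-reply (peer not logged)"


def allowed_by_exception(audit, pending, reply_packet=None):
    """Hypothetical narrow exception: replies to our own queries, OpenDNS only."""
    return (classify(audit, pending, reply_packet) == "reply"
            and audit["peer"] in OPENDNS_RESOLVERS)


# Constructed sample inputs: the audit as posted (no peer address) and a
# variant in which the resolver address was logged.
AUDIT_FROM_POST = (
    "Audit: The process 'C:\\WINDOWS\\system32\\dns.exe' (as user NT AUTHORITY\\SYSTEM) "
    "attempted to accept a connection as a server on UDP port 61660 from using interface "
    "Wired\\HP NC7761 Gigabit Server Adapter. The operation would have been denied."
)
AUDIT_WITH_PEER = AUDIT_FROM_POST.replace("from using", "from 208.67.222.222 using")

QUERY = build_dns_query(0x1A2B, "example.com")
PENDING = [Query(61660, "208.67.222.222", 53, dns_txid(QUERY))]
# Constructed reply: same txid, QR and RD/RA bits set, one answer (body omitted).
REPLY = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for line in (AUDIT_FROM_POST, AUDIT_WITH_PEER):
        audit = parse_csa_audit(line)
        print(audit["port"], classify(audit, PENDING, REPLY),
              allowed_by_exception(audit, PENDING, REPLY))
```

With the posted line, the missing peer address is exactly what limits the verdict: with no source address, only the port match ties the datagram to a query dns.exe sent, so the best the check can say is "probable reply". Once the resolver address and transaction id are available, the same datagram is a confirmed reply and the OpenDNS-only exception can be applied without opening the high port range to everyone.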

