CSA issue with firewall rule

Unanswered Question
Dec 16th, 2009

I created a rule in CSA 6.0 that, by default, blocks any application on any machine being connected as a server.  On a DC we made an exception for the server to be connected on UDP 53 for DNS.  However, we are seeing the following messages below.  The port ranges from, so far, 30,000-65,000.  It seems odd that dns.exe would be accepting a connection as a server on all of those ports.  Has anyone seen this before or had this happen to them or is this normal?  Also, it is running OpenDNS.

Thanks,

Jay

Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jan.nielsen Wed, 12/16/2009 - 19:21

You are behind a hardware/appliance firewall right ? if so, that port should not be open, which tells me that this is an accept of a udp reply from opendns on a request the server made, and not an actual request from opendns to your server, cause all dns traffic works on port 53 tcp/udp as destination port.

jan.nielsen Wed, 12/16/2009 - 19:22

oh, and you could do a specific rule for the opendns addresses where this is allowed.

Actions

This Discussion