12-16-2009 11:45 AM - edited 03-10-2019 04:50 AM
I created a rule in CSA 6.0 that, by default, blocks any application on any machine from being connected to as a server. On a DC we made an exception for the server to be connected to on UDP 53 for DNS. However, we are seeing the messages below. So far, the port ranges from 30,000 to 65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them, or is this normal? Also, it is running OpenDNS.
Thanks,
Jay
Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.
12-16-2009 07:21 PM
You are behind a hardware/appliance firewall, right? If so, that port should not be open, which tells me that this is an accept of a UDP reply from OpenDNS on a request the server made, and not an actual request from OpenDNS to your server, because all DNS traffic works on port 53 TCP/UDP as the destination port.
12-16-2009 07:22 PM
Oh, and you could do a specific rule for the OpenDNS addresses where this is allowed.
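The reasoning in the replies (a high local port plus a known forwarder address means a reply to the DC's own outbound query, while anything else on a high port deserves a look) can be turned into a small triage script for the CSA audit log. The following is an added example, not code from the thread or from Cisco; the sample audit lines are constructed in the format quoted above, the forwarder list is an assumption containing only the OpenDNS address from the thread, and the ephemeral-port floor is an assumed threshold.

```python
import re
import ipaddress

# Pattern for the CSA 6.0 audit message format quoted in the thread.
AUDIT_RE = re.compile(
    r"The process '(?P<proc>[^']+)' .*?attempted to accept a connection as a server "
    r"on (?P<proto>TCP|UDP) port (?P<port>\d+) from (?P<remote>[0-9.]+)"
)

# Assumption: resolvers the DC forwards to. Only the OpenDNS address seen in the
# thread is listed; add the rest of your configured forwarders here.
FORWARDERS = {ipaddress.ip_address("208.67.220.220")}

DNS_PORT = 53
# Assumption: any local port at or above this is treated as an ephemeral source
# port; the thread observed replies landing on ports 30,000-65,000.
EPHEMERAL_LOW = 1024

# Constructed sample audit lines: the one from the thread, a normal inbound
# query on port 53, and a high-port accept from an address that is not a forwarder.
SAMPLE_AUDIT_LINES = [
    "Audit: The process 'C:\\WINDOWS\\system32\\dns.exe' (as user NT AUTHORITY\\SYSTEM) "
    "attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 "
    "using interface Wired\\HP NC7761 Gigabit Server Adapter. The operation would have been denied.",
    "Audit: The process 'C:\\WINDOWS\\system32\\dns.exe' (as user NT AUTHORITY\\SYSTEM) "
    "attempted to accept a connection as a server on UDP port 53 from 192.0.2.25 "
    "using interface Wired\\HP NC7761 Gigabit Server Adapter. The operation would have been denied.",
    "Audit: The process 'C:\\WINDOWS\\system32\\dns.exe' (as user NT AUTHORITY\\SYSTEM) "
    "attempted to accept a connection as a server on UDP port 44321 from 198.51.100.7 "
    "using interface Wired\\HP NC7761 Gigabit Server Adapter. The operation would have been denied.",
]


def parse_audit(line):
    """Extract process, protocol, local port and remote address; None if no match."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {
        "process": m.group("proc"),
        "proto": m.group("proto"),
        "port": int(m.group("port")),
        "remote": ipaddress.ip_address(m.group("remote")),
    }


def classify(event):
    """Apply the thread's reasoning to one parsed audit event."""
    if event["port"] == DNS_PORT:
        # Inbound query to the service port: covered by the existing UDP 53 exception.
        return "inbound-query", "client query on the DNS service port"
    if event["proto"] == "UDP" and event["port"] >= EPHEMERAL_LOW and event["remote"] in FORWARDERS:
        # Reply to a query dns.exe sent from a randomized source port; CSA sees the
        # first inbound datagram on that socket as an "accept". Expected behaviour.
        return "forwarder-reply", "reply from configured forwarder to the DC's own query"
    # High port from an unknown address: not explained by forwarding, so review it.
    return "review", "high-port accept from an address that is not a configured forwarder"


def triage(lines):
    """Return (verdict, port, remote, reason) for every parsable audit line."""
    results = []
    for line in lines:
        event = parse_audit(line)
        if event is None:
            continue
        verdict, reason = classify(event)
        results.append((verdict, event["port"], str(event["remote"]), reason))
    return results


if __name__ == "__main__":
    for verdict, port, remote, reason in triage(SAMPLE_AUDIT_LINES):
        print(f"{verdict:16} port={port:<5} from={remote:15} {reason}")
```

The "forwarder-reply" verdict is the case the second reply suggests handling with a narrower rule: allow dns.exe to accept UDP from the forwarder addresses only, rather than opening the high port range to everyone. Events in the "review" bucket are the ones that the original blanket rule exists to catch.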