I created a rule in CSA 6.0 that, by default, blocks any application on any machine from being connected to as a server. On a DC we made an exception for the server to be connected to on UDP 53 for DNS. However, we are seeing the messages below. So far, the ports range from 30,000-65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them, or is this normal? Also, it is running OpenDNS.
Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 220.127.116.11 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.
You are behind a hardware/appliance firewall, right? If so, that port should not be open, which tells me that this is an accept of a UDP reply from OpenDNS to a request the server made, and not an actual request from OpenDNS to your server, because all DNS traffic works on port 53 TCP/UDP as the destination port.
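As an added illustration (example code, not from the original thread or from Cisco), the script below reproduces the mechanism the reply describes and turns it into a triage check for CSA audit lines. A UDP resolver sends its forwarded query from an OS-assigned ephemeral source port; the reply comes back addressed to that port, which a host firewall logs as an inbound "accept as server" on a high port. The parser is built from the single audit line quoted above; the forwarder set and the 30,000-65,000 ephemeral range are assumptions taken from the thread, and the 192.0.2.x addresses are constructed sample values.

```python
import re
import socket
from typing import Optional

# Pattern constructed from the one CSA 6.0 audit line quoted in the thread.
AUDIT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"attempted to accept a connection as a server on "
    r"(?P<proto>TCP|UDP) port (?P<port>\d+) from (?P<src>[0-9.]+)"
)

# Assumption: the upstream forwarders configured on the DC. The address is the
# one from the audit line in the thread, standing in for "our OpenDNS forwarder".
FORWARDERS = {"220.127.116.11"}

# Assumption: the source-port range the poster observed (30,000-65,000).
EPHEMERAL = (30000, 65000)

# Constructed copy of the audit line from the thread, used as sample input.
SAMPLE_LINE = (
    "Audit: The process 'C:\\WINDOWS\\system32\\dns.exe' (as user NT AUTHORITY\\SYSTEM) "
    "attempted to accept a connection as a server on UDP port 61660 from 220.127.116.11 "
    "using interface Wired\\HP NC7761 Gigabit Server Adapter. The operation would have been denied."
)


def parse_audit(line: str) -> Optional[dict]:
    """Extract process, user, protocol, port and remote address from a CSA audit line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def classify(event: dict, forwarders=FORWARDERS, ephemeral=EPHEMERAL) -> str:
    """Triage an inbound UDP event against the DC's expected DNS traffic.

    dns-listener: the permitted port-53 service exception.
    likely-reply-to-outbound-query: high port, and the peer is a configured forwarder,
        which is exactly what a reply to the server's own query looks like.
    unexpected-inbound-review: anything else deserves a look.
    """
    if event["port"] == 53:
        return "dns-listener"
    lo, hi = ephemeral
    if (event["proto"] == "UDP" and lo <= event["port"] <= hi
            and event["src"] in forwarders):
        return "likely-reply-to-outbound-query"
    return "unexpected-inbound-review"


def demo_ephemeral_port() -> tuple:
    """Show on localhost that a reply is delivered to the client's ephemeral port.

    Returns (client_port, port_seen_by_upstream, upstream_port).
    """
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.bind(("127.0.0.1", 0))          # stand-in for the forwarder's port 53
    upstream.settimeout(2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    client.sendto(b"query", upstream.getsockname())   # OS picks the client's source port
    _, client_addr = upstream.recvfrom(512)
    upstream.sendto(b"reply", client_addr)            # reply goes back to that source port
    client.recvfrom(512)
    client_port = client.getsockname()[1]
    upstream_port = upstream.getsockname()[1]
    client.close()
    upstream.close()
    return client_port, client_addr[1], upstream_port


if __name__ == "__main__":
    ev = parse_audit(SAMPLE_LINE)
    print(ev["process"], ev["proto"], ev["port"], ev["src"], "->", classify(ev))
    cport, seen, uport = demo_ephemeral_port()
    print(f"query left from port {cport}; reply arrived at port {seen}; upstream was {uport}")
```

The useful check is the forwarder match: a high-port UDP datagram from a configured forwarder is consistent with the reply explanation, while the same log line from any other address is the case worth investigating.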