Hi and thanks for the suggestions - no luck so far:

To restate the problem now I understand it better:

Every 4 hours exactly our Windows 2000 server sends 2 packets to our ISP DNS server on UDP port 53. This brings up our ISDN router to the ISP and generates a couple of packets of return traffic.

I didn't see how a port filter could stop these packets without also stopping regular DNS working, [I have now tested this and sure enough - it stops DNS].

The packets are DNS QTYPE 33 SRV records for our private local domain server. They just have the server name but it is not a FQDN. For example, if our server name was "server.domain.com", the DNS query going out is just for "server".

The full queries are _ldap._tcp.dc.msdcs.server and _ldap._tcp.Default-First-Site-Name._sites.dc_msdcs.server

Unsurprisingly the ISP DNS servers come back with a name error.

The local DNS server log shows that it is receiving queries for these services for "domain.com" and is replying to them authoritatively with no error.

Anyone have any ideas why these requests are being generated and how to stop them?

Our configuration is:
Hardware ISDN router which carries out all the NAT and has a firewall allowing no incoming connections.
The server only has 1 network card and so all PCs access the internet via the hardware router direct.

We have tried
Disabling DNS dynamic registration
Using standard DNS rather than integrated in Active Directory

We have not tried IPSec, but it doesn't look as if it looks inside packets? If something could filter out the SRV requests by checking inside the UDP packets for QTYPE 33 that would do it.

Many thanks
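The post above asks for a filter that looks inside the UDP payload for QTYPE 33 rather than blocking port 53 wholesale, which (as the poster found) breaks ordinary resolution. A port-level filter cannot see the question section; the DNS message has to be decoded. The following is an added example, not code from the list or its posters: a minimal RFC 1035 question-section parser that builds a few constructed query packets, decodes them, and classifies each as an SRV lookup for a bare single-label zone (the `_ldap._tcp...server` symptom), an SRV lookup for a zone the operator declares internal, or an ordinary query that should pass. The function names (`classify_query`, `zone_part`, `build_query`), the "last underscore label" heuristic for finding the zone part of an SRV owner name, and the sample names are all assumptions for illustration; they are not from the original messages.

```python
import struct

QTYPE_SRV = 33  # RFC 2782 service-location record; QTYPE 33 as named in the thread


def encode_name(name):
    """Encode a dotted name into DNS wire format (uncompressed labels)."""
    out = bytearray()
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid, qname, qtype, qclass=1):
    """Build a one-question DNS query with RD=1. Only used to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset_of_the_field_after_the_name)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx = compression pointer
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                        # caller resumes after the pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_questions(packet):
    """Return [(qname, qtype, qclass), ...] from the question section of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        qname, offset = decode_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        questions.append((qname, qtype, qclass))
        offset += 4
    return questions


def zone_part(qname):
    """Heuristic (assumption): the zone an SRV owner name belongs to is everything after
    the last label that starts with an underscore (_ldap._tcp.dc._msdcs.<zone>)."""
    labels = qname.split(".")
    last_us = max((i for i, l in enumerate(labels) if l.startswith("_")), default=-1)
    return labels[last_us + 1:]


def classify_query(packet, internal_suffixes=()):
    """Verdict for one outbound DNS message:
      'not-a-query'       QR bit set, i.e. a response: leave alone
      'srv-single-label'  SRV query whose zone is one bare label (not a FQDN)
      'srv-internal'      SRV query for a zone under one of internal_suffixes
      'pass'              everything else, so normal A/MX/... lookups keep working"""
    flags = struct.unpack("!H", packet[2:4])[0]
    if flags & 0x8000:
        return "not-a-query"
    suffixes = tuple(s.strip(".").lower() for s in internal_suffixes)
    for qname, qtype, _qclass in parse_questions(packet):
        if qtype != QTYPE_SRV:
            continue
        zone = zone_part(qname)
        if len(zone) == 1:
            return "srv-single-label"
        zone_name = ".".join(zone).lower()
        if any(zone_name == s or zone_name.endswith("." + s) for s in suffixes):
            return "srv-internal"
    return "pass"


if __name__ == "__main__":
    # Constructed sample packets mirroring the names quoted in the thread.
    samples = [
        build_query(1, "_ldap._tcp.dc._msdcs.server", QTYPE_SRV),
        build_query(2, "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.server", QTYPE_SRV),
        build_query(3, "_ldap._tcp.dc._msdcs.domain.com", QTYPE_SRV),
        build_query(4, "www.example.com", 1),
    ]
    for pkt in samples:
        print(parse_questions(pkt)[0][0], "->", classify_query(pkt, ("domain.com",)))
```

Run on the constructed samples, the two `_msdcs.server` queries are flagged as single-label SRV lookups, the `domain.com` one is flagged as internal, and the plain A query passes. The same decision logic could sit in a resolver policy or a packet-inspecting filter in front of the dial-up interface; the point is that the decision is made on the decoded question, not on the port.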
Subject: Re: DNS UDP LDAP BROADCASTS BRING UP ISDN CIRCUIT
From: [EMAIL PROTECTED]
Date: Fri, 7 Sep 2001 13:45:25 -0400
X-Message-Number: 161
I disagree. IPSec CAN work with NAT, it just takes some work, and the right equipment. Several routers, VPN switches, and the like offer automatic NAT traversal discovery. Basically, if NAT is detected, the IPsec traffic is encapsulated within UDP using a predetermined destination port.
Kent Spencer <[EMAIL PROTECTED]> on 09/07/2001 01:32:01 PM
Please respond to "NT System Admin Issues" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: Re: DNS UDP LDAP BROADCASTS BRING UP ISDN CIRCUIT
Disregard. IPSec does not work with NAT. It lets you configure it but it never works. Can't you just create a packet filter on the configured interface? Should be on the General tab.

Kent
--- Kent Spencer <[EMAIL PROTECTED]> wrote:
> .. try looking at ipsec with a filter for LDAP.
> Kent
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>
> --- Graham Grist <[EMAIL PROTECTED]> wrote:
> > How can we stop these two broadcasts bringing up the ISDN line every 4 hours.
> >
> > The broadcasts are from these lines in netlogon.dns
> >
> > ldap._tcp.dc._msdcs.OURDOMAIN.COM. 600 IN SRV 0 100 389 OURSERVER.OURDOMAIN.COM.
> >
> > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.OURDOMAIN.COM. 600 IN SRV 0 100 389 OURSERVER.OURDOMAIN.COM.
> >
> > We only have one site with a few computers and one Win 2K server.
> > Our set up is a small business site with no internet registered domain. We use private IP addresses and a NAT ISDN router.
> >
> > We use the ISDN dial up connection for access to the Web, but we have no incoming web access to us from customers and so on.
> > Mail is collected from the ISP POP3 server by our mail server.
> >
> > DNS is set up with forwarders.
> > We have set the LAN connection to "no registration of the connection in DNS". (Is that right?)
> >
> > We have disabled Netlogon dynamic registration of the DC name, and also disabled DNS dynamic update registration of PTR records (Reverse Look Ups) which has successfully stopped an hourly ISDN connection.
> > We have an event log warning that as dynamic DNS is not supported we need to manually enter the contents of %SystemRoot%\System32\Config\netlogon.dns in to DNS - how do we do that and is that relevant to this problem?
> >
> > Many thanks
> >
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm