topic Re: CSA issue with firewall rule in Network Security

CSA issue with firewall rule

jasonsuplita — Sun, 10 Mar 2019 11:50:59 GMT

I created a rule in CSA 6.0 that, by default, blocks any application on any machine being connected as a server. On a DC we made an exception for the server to be connected on UDP 53 for DNS. However, we are seeing the following messages below. The port ranges from, so far, 30,000-65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them or is this normal? Also, it is running OpenDNS.

Thanks,

Jay

Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 208.67.220.220 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.

Re: CSA issue with firewall rule

jan.nielsen — Thu, 17 Dec 2009 03:21:37 GMT

You are behind a hardware/appliance firewall right ? if so, that port should not be open, which tells me that this is an accept of a udp reply from opendns on a request the server made, and not an actual request from opendns to your server, cause all dns traffic works on port 53 tcp/udp as destination port.

Re: CSA issue with firewall rule

jan.nielsen — Thu, 17 Dec 2009 03:22:28 GMT

oh, and you could do a specific rule for the opendns addresses where this is allowed.