PCI Compliance Scan

  • Question

  • Not sure if this is the correct forum for this question...

    Recently had a PCI Compliance Scan performed which I failed for the following reason: "Firewall UDP Packet Source Port 53 Ruleset Bypass".  I am using Windows Firewall in Windows 7 Pro and the only place I can find any rule that specifies port 53 is Core Networking DNS (UDP-Out).  I am not sure if I should disable this rule or not.  Or should I block port 53 in my wireless router?

    Thanks in advance!

    Wednesday, July 6, 2016 7:17 PM

Answers

  • Hi eyedocbob,

    Hardware/Server firewalls filter network traffic between the Internet and a local network. This type of firewall is often built into routers, and filters TCP/IP traffic by protocol (UDP, TCP, IGMP, etc.), to/from IP address, and to/from port number. DNS mainly uses the UDP protocol, except for zone transfers, which use TCP. A DNS server listens for requests on port 53 (both UDP and TCP).
    So all DNS requests are sent to port 53, usually from an application port (>1023).

    You can specify which port Simple DNS Plus sends outgoing DNS requests from in the Options dialog / DNS / Outbound Requests section.

    DNS responses are returned from port 53 back to the original from-port (>1023).
    Many firewalls are by default configured to accept all traffic sent to application port numbers, so you may not need to worry about DNS responses.

    So you have to allow all traffic (in and out) sent to port 53 (requests), and possibly all traffic (in and out) from port 53 to any application port (responses).

    Hope it will be helpful to you


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, July 15, 2016 8:31 AM
    Moderator

All replies

  • Hi eyedocbob,

    It sounds like any UDP packet is allowed to your servers if the source port is UDP 53. You'll need a rule which monitors session state, likely a firewall (hardware or host based), so this traffic is only allowed if your servers already sent an outgoing request to the DNS server on UDP 53.

    If the machines in question are not Domain Controllers, then there is no need for DNS services to be running on these machines.

    If they are Domain Controllers, then the finding may not be applicable as they are working as designed.

    For more information, see "How do I configure my firewall for DNS":

    http://support.simpledns.com/kb/a26/how-do-i-configure-my-firewall-for-dns.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope it will be helpful to you



    Thursday, July 7, 2016 9:51 AM
    Moderator
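A small added model of the point made above, not code from this thread: a stateless "allow inbound UDP from source port 53" rule (what the scanner flagged) beside a stateful filter that admits a reply only when the host already sent the matching query. The addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool  # True = leaving the protected host, False = arriving at it

def stateless_allow(pkt: UdpPacket) -> bool:
    """The weak rule the scanner flagged: any inbound UDP packet passes if it
    merely claims source port 53, whether or not anyone asked for it."""
    return pkt.outbound or pkt.src_port == 53

class StatefulDnsFilter:
    """Admit an inbound UDP/53 reply only if it matches a query this host sent."""
    def __init__(self) -> None:
        # (resolver ip, client ip, client ephemeral port) of outstanding queries
        self.pending: Set[Tuple[str, str, int]] = set()

    def allow(self, pkt: UdpPacket) -> bool:
        if pkt.outbound:
            if pkt.dst_port == 53:  # remember the query so its reply can return
                self.pending.add((pkt.dst_ip, pkt.src_ip, pkt.src_port))
            return True
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.src_port == 53 and key in self.pending:
            self.pending.discard(key)  # one reply per query; the entry is consumed
            return True
        return False  # unsolicited, spoofed, or replayed: drop

def run_scenario() -> dict:
    """Constructed traffic (RFC 5737 documentation addresses) through both rules."""
    host, resolver, stranger = "198.51.100.10", "192.0.2.53", "203.0.113.7"
    query = UdpPacket(host, 49152, resolver, 53, outbound=True)
    reply = UdpPacket(resolver, 53, host, 49152, outbound=False)
    unsolicited = UdpPacket(stranger, 53, host, 5000, outbound=False)
    f = StatefulDnsFilter()
    return {
        "stateless_reply": stateless_allow(reply),              # True
        "stateless_unsolicited": stateless_allow(unsolicited),  # True: the finding
        "stateful_query": f.allow(query),                       # True
        "stateful_reply": f.allow(reply),                       # True: matched
        "stateful_unsolicited": f.allow(unsolicited),           # False
        "stateful_replayed_reply": f.allow(reply),              # False: consumed
    }
```

The stateless rule accepts the unsolicited packet purely because of its source port; the stateful filter drops it, and also drops a second copy of the genuine reply once the pending entry has been used.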
  • Thank you for your answer.

    Since I am not sure what a domain controller is it probably does not apply.  I have two computers in my office that are networked and my primary medical office software uses SQL as its backbone.  Occasionally I use a remote desktop app.

    Thoughts? The more basic explanation the better.

    Thursday, July 7, 2016 3:34 PM