DNS Client registration failing

  • Question

  • Hello,

    We have an AD server running DNS, and it is on a separate VLAN.

    Clients/servers can only communicate with DNS on UDP port 53, and we have been seeing DNS registration errors in the event logs.

    Is TCP 53 required for client hostname registration into DNS through the firewall? Or is UDP 53 alone sufficient?

    Cheers,

    Marshal


    Cheers, J
    Tuesday, January 4, 2011 12:22 PM

All replies

  • Marshal,

    As far as I understand, UDP should suffice for the dynamic update used by DNS registration, but there are other reasons to consider enabling TCP as well (http://www.networkworld.com/community/blog/allow-both-tcp-and-udp-port-53-your-dns-serve).

    hth
    Marcin


    • Proposed as answer by Meinolf Weber Tuesday, January 4, 2011 1:43 PM
    • Marked as answer by pbbergs [MSFT] Thursday, November 1, 2012 11:59 AM
    Tuesday, January 4, 2011 12:35 PM
  • You will need both tcp/udp.

    http://support.microsoft.com/kb/832017


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails; any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 4, 2011 12:43 PM
  • If a UDP port 53 response is larger than 512 bytes, then it may be truncated, and then DNS falls back to using TCP. However, if TCP is blocked on the firewall, then the lookup can fail altogether.

    DNS can be used by attackers as one of their reconnaissance techniques. Security practitioners have for decades advised people to limit DNS queries against their DNS servers to UDP port 53 only. The reality is that DNS queries can also use TCP port 53 if UDP port 53 is not accepted.

    UDP 53 is sufficient for client/server communication. To establish a domain trust or a secure channel across a firewall, TCP port 53 and UDP port 53 must both be opened.



    Joy. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, January 4, 2011 12:57 PM
  • Thanks all, how do I verify or confirm if UDP port 53 is larger than 512 bytes? I believe this is causing the issue.

    If I run ipconfig /registerdns I get a DNSAPI error message, event ID 11167.

    The servers are behind a firewall, so is TCP 53 required?

    Cheers.

    J


    Cheers, J
    Tuesday, January 4, 2011 2:49 PM
  • Not sure what you mean by "UDP port 53 is larger than 512 bytes" - but in general, you could simply run a packet capture to determine the characteristics of the DNS-bound network traffic.

    This, by the way, would also give you proof of whether there are any other TCP dependencies in this case...

    hth
    Marcin

    Tuesday, January 4, 2011 2:55 PM
  • Please visit the MS link below for more info:

    http://support.microsoft.com/kb/828263



    Joy. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Nina Liu - MSFT Thursday, January 6, 2011 9:57 AM
    • Unmarked as answer by Jimmy Salian Thursday, January 6, 2011 6:25 PM
    Tuesday, January 4, 2011 4:05 PM
  • Hi,

    I have captured a network trace from the server, and it shows "Dynamic Update response,Refused CNAME"; this is from the AD server.


    Cheers, J
    Thursday, January 6, 2011 11:03 AM
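An added example (mine, not from any poster in this thread): a small Python decoder for the DNS header bits behind two points raised above, the TC flag that triggers the UDP-to-TCP retry Joy describes and the RCODE a trace shows as "Refused" on a dynamic-update response, plus a UDP-then-TCP resolver that makes visible where a UDP-only firewall rule breaks the lookup. The server address and names passed to resolve() are assumptions, and the two sample headers at the bottom are constructed, not captured traffic.

```python
import socket
import struct

OPCODES = {0: "QUERY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (A record by default) with only the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header shared by queries, responses and dynamic updates."""
    txid, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & 0x8000),            # QR bit
        "opcode": OPCODES.get((flags >> 11) & 0xF, "OTHER"),
        "truncated": bool(flags & 0x0200),           # TC bit: the UDP reply did not fit
        "rcode": RCODES.get(flags & 0xF, "OTHER"),
        "counts": (c1, c2, c3, c4),  # qd/an/ns/ar, or zone/prereq/update/additional for UPDATE
    }

def resolve(name, server, timeout=2.0):
    """UDP first; if the reply has TC=1, repeat the query over TCP with a 2-byte length prefix."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply, _ = u.recvfrom(4096)
    if not parse_header(reply)["truncated"]:
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as t:  # blocked by UDP-only rules
        t.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", t.recv(2))
        data = b""
        while len(data) < length:
            chunk = t.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return data, "tcp"

# Constructed sample headers, not captured traffic:
# a UDP reply with QR=1, TC=1, RD=1, RA=1 -> flags 0x8380
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
# a dynamic-update response, opcode UPDATE(5), RCODE REFUSED(5) -> flags 0xA805 ("Refused" in a trace)
UPDATE_REFUSED = struct.pack("!HHHHHH", 0x5678, 0xA805, 1, 0, 1, 0)
```

Running parse_header() over the headers in your own capture tells you in one line whether replies are being truncated (TC=1, so TCP/53 must be open) or whether the server is refusing the update itself (RCODE REFUSED, which no firewall change will fix).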
  • Hello,

    I have exactly the same error after a tcpdump. Nevertheless, the firewall authorizes TCP / UDP.
    Did you solve this incident?

    Thanks,

    Monday, May 21, 2012 12:43 PM
  • Yes, the issue was fixed; I had to open up both TCP/UDP ports. Thanks all.

    Cheers, J

    Thursday, November 1, 2012 11:58 AM