Firewall tweak to cater for new DNS system (KB951748 etc)

Discussion in 'Security and Privacy' started by Hugh Jarss, 2008/07/17.

  1. 2008/07/17
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi all

    I'm altering my firewall rule settings to compensate for the new DNS system recently introduced, and would appreciate expert eyes to confirm that I'm doing the right things.

    Two questions really: 1) am I trying to make the correct change (!) and 2) is there anything wrong with the rules I end up with? TIA...

    If I'm understanding it all correctly :( the change means that my DNS queries, which used to work through (only) port 53 at my ISP, will now be using a whole range of ports - that's the salient difference, the change I have to cater for (e.g. for a single home computer, connected to the internet via cable modem broadband).
    working out what needs to be done was quite a puzzle - looking up about the actual "problem" (CVE-2008-1447 for example) turns up much mention of "insufficient randomness of the DNS source port" - off-putting - finally I "twigged" that this material is written from the point of view of folks who administer the DNS system, they are mainly thinking about administering servers - so what they are calling the "source" port is actually more like a "destination" port from my point of view. Erm. At least I think that's what they're getting at... still not completely sure I have a proper suss on this

    So Question1 is really: have I got this bit correct so far: that what I need to do is to change my DNS rule to open it up to a whole range of remote ports?

    And Question2, anything wrong with making the change as outlined below:

    originally, I used this for DNS:

    DNS rule: Allow UDP, both in and out...
    -local end: any application, any port;
    -remote end: [any address]:53


    Just altering "remote port 53" to "any port" should be enough to allow the new DNS system to work - but that's horrible in terms of general security! ...so instead, I "tied down" the rule to only the address of the DNS server(s) I need.

    Using the "ipconfig /all" method outlined in "option 2" of TeMerc's post, I determined the addresses of my DNS server(s). I discovered that I actually seem to have two of these, at 194.168.4.100 and at 194.168.8.100.

    ...so I made a rule for each of these, and ended up with:

    DNS1: Allow UDP, both in and out...
    -local end: any application, any port;
    -remote end: 194.168.4.100:[any port]

    DNS2: Allow UDP, both in and out...
    -local end: any application, any port;
    -remote end: 194.168.8.100:[any port]


    Does this look OK, please?

    best wishes, HJ.
     
    Last edited: 2008/07/18
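As an added illustration (not from the thread or its participants), here is a small Python model of the three rule sets quoted in the post, evaluated against DNS exchanges whose client source port is randomized. The CVE-2008-1447 mitigation randomizes the local (client) source port; the resolver still listens on UDP 53, so the reply arrives from remote port 53 back to whichever local port sent the query. The resolver addresses are the two from the post; 203.0.113.53 is a constructed placeholder for some other resolver, and the 1900 packet is a constructed non-DNS UDP datagram.

```python
"""Model the firewall rules from the post against DNS flows with randomized
client source ports. Added example; not the poster's firewall or its config."""
import random
from dataclasses import dataclass
from typing import Optional, List, Dict

@dataclass(frozen=True)
class Packet:
    proto: str
    local_port: int      # the client's (randomized) source port
    remote_ip: str
    remote_port: int     # the resolver's port: 53 for DNS

@dataclass(frozen=True)
class Rule:
    name: str
    remote_ip: Optional[str]    # None means "any address"
    remote_port: Optional[int]  # None means "any port"

    def matches(self, p: Packet) -> bool:
        # Local end is "any application, any port" in every rule from the post.
        return (p.proto == "UDP"
                and (self.remote_ip is None or p.remote_ip == self.remote_ip)
                and (self.remote_port is None or p.remote_port == self.remote_port))

# The poster's original rule: any address, remote port 53 only.
ORIGINAL: List[Rule] = [Rule("DNS", None, 53)]
# The poster's tightened pair: fixed resolver address, any remote port.
TIGHTENED: List[Rule] = [Rule("DNS1", "194.168.4.100", None),
                         Rule("DNS2", "194.168.8.100", None)]

def dns_exchange(resolver_ip: str, rng: random.Random):
    """One query/reply pair: random local source port, resolver on UDP 53."""
    sport = rng.randrange(1024, 65536)
    query = Packet("UDP", sport, resolver_ip, 53)
    reply = Packet("UDP", sport, resolver_ip, 53)   # same 5-tuple, reversed direction
    return query, reply

def allowed(ruleset: List[Rule], p: Packet) -> bool:
    return any(r.matches(p) for r in ruleset)

def evaluate(ruleset: List[Rule], resolver_ips: List[str],
             seed: int = 0, n: int = 5) -> Dict[str, bool]:
    """True per resolver if every query and reply over n random ports is allowed."""
    rng = random.Random(seed)
    results: Dict[str, bool] = {}
    for ip in resolver_ips:
        pairs = [dns_exchange(ip, rng) for _ in range(n)]
        results[ip] = all(allowed(ruleset, q) and allowed(ruleset, r) for q, r in pairs)
    return results
```

Both rule sets pass the randomized-port exchanges; they differ on what else they admit: the original also allows port 53 to any other resolver, while the tightened pair allows any UDP port on the two listed addresses.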
  2. 2008/07/18
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    Which firewall are you using? If it's a 3rd-party firewall, it should ask you for permission every time any program wants to access the internet/DNS.

    I don't recommend opening ports all the time until you have another firewall in front of the system.
     