[isapros] Re: [ISAServer] A firewall that performs payload inspection may block zone transfers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 26 Jul 2006 12:58:59 -0500

That's because you lost your ability to read minds. The writer knew exactly 
what he meant, and that's what counts :\

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, July 26, 2006 12:54 PM
> To: ISA-MVP
> Subject: Re: [ISAServer] A firewall that performs payload inspection may block zone transfers
> 
> These kinds of KBs drive me nuts...
> 
> <snip>
> Consider the following scenario:
> • A Microsoft Windows Server 2003-based primary Domain Name System (DNS)
> server hosts several primary zones.
> • A Windows Server 2003-based secondary DNS server hosts the
> corresponding secondary zones.
> • The secondary DNS server sends out DNS start of authority (SOA) query
> records to the primary DNS server when the DNS service restarts on the
> secondary DNS server. All DNS SOA query records use the same 0x6000 DNS ID.
> • An application firewall that examines the ID field in the DNS packet
> header is located on the network between the primary DNS server and the
> secondary DNS server.
> In this scenario, the firewall may block zone transfers from the primary DNS
> server to the secondary DNS server.
> 
> Note This does not affect manual zone transfers.
> </snip>
> 
> *Why*?  Why "may" an application firewall block it?  Why does it not affect
> manual transfers?  Does it affect ISA?  What if I have a specific rule
> allowing DNS transfers?  It seems obvious to me that anyone reading this
> would want to know the specific "whys," particularly if one is contemplating
> loading a hotfix...
> 
> t
> 
> 
> 
> On 7/26/06 9:09 AM, "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <sbradcpa@xxxxxxxxxxx> spoketh to all:
> 
> > FYI:
> > 
> > A firewall that performs payload inspection may block zone transfers by
> > Windows Server 2003-based DNS servers:
> > http://support.microsoft.com/kb/919218/en-us
> 
> 
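As an added example (not from the thread or from the KB article), here is a small Python check that parses DNS query headers the way an ID-inspecting firewall would and reports transaction IDs reused across outstanding SOA queries; it lets an administrator confirm from a capture whether a secondary really issues every SOA query with the 0x6000 ID the KB describes before deciding on the hotfix. The packets below are constructed sample traffic, not a real capture, and the zone names are placeholders.

```python
import struct
from collections import Counter

QTYPE_SOA = 6  # RFC 1035 type code for SOA

def parse_dns_query(pkt: bytes) -> dict:
    """Parse a DNS header and first question (RFC 1035 section 4.1)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    is_query = (flags & 0x8000) == 0  # QR bit clear means query
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:  # QNAME: length-prefixed labels ending with a zero byte
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": ident, "query": is_query, "qname": ".".join(labels), "qtype": qtype}

def build_query(ident: int, name: str, qtype: int) -> bytes:
    """Build a minimal standard query with RD set (constructed sample, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def find_reused_ids(packets) -> dict:
    """Map each transaction ID shared by more than one SOA query to its count.

    An inspecting firewall that tracks the ID field sees these as duplicates;
    a secondary that sends every SOA query with ID 0x6000 shows up here."""
    ids = Counter(q["id"] for q in map(parse_dns_query, packets)
                  if q["query"] and q["qtype"] == QTYPE_SOA)
    return {i: n for i, n in ids.items() if n > 1}

# Constructed sample: a secondary refreshing three zones after a service restart,
# every SOA query carrying ID 0x6000, plus one unrelated A query with its own ID.
SAMPLE = [
    build_query(0x6000, "zone1.example", QTYPE_SOA),
    build_query(0x6000, "zone2.example", QTYPE_SOA),
    build_query(0x6000, "zone3.example", QTYPE_SOA),
    build_query(0x1A2B, "www.example", 1),
]

if __name__ == "__main__":
    print(find_reused_ids(SAMPLE))  # {24576: 3}
```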
