#1
TCP/IP Filtering + DNS Problem
I've been reading and reading for a very long time so please direct me to the right post if this question was answered elsewhere.
Here's my problem: I enabled TCP/IP filtering on my Windows 2000 server and DNS stopped working. I'm not running a DNS server, I just can't resolve names. I tried google.com from Internet Explorer and got "Page cannot be displayed". So I resolved it on my machine and tried http://googleip and it worked fine. This machine is at a datacenter and I'm renting rackspace there. The reason I'm setting this up in the first place is because I can't afford the firewalls they offer there right now and I just need something simple to block off the NetBIOS type ports. I asked the tech support there and they said to allow TCP and UDP 53 and it should work fine. I tried that, didn't work. So now I'm on my own. If I allow ALL UDP ports it works just fine, but that would defeat the whole purpose of setting up TCP/IP filtering in the first place.

Here's what nslookup gives me:
-----------------------------------------------------
C:\Documents and Settings\Administrator>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address xx.xx.xx.xx: Timed out
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address xx.xx.xx.xx: Timed out
*** Default servers are not available
Server:  UnKnown
Address:  xx.xx.xx.xx

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
-----------------------------------------------------

I'm using this machine to run gaming servers and do not want to run a software firewall because the game servers use up most of the resources as is. Is there a solution to this or does TCP/IP filtering and DNS just not work? Any help or ideas would be greatly appreciated, I've been messing with it for 2 days now.

Thank you,
Myth*
#2
The problem is the fact that you're sending UDP packets FROM a port other than 53. So response packets on a port other than 53 blast into your firewall. Conceptually there are a few ways to fix this.

1) Configure DNS Client to send packets FROM port 53. Don't know if this is possible.
2) Configure the firewall to allow RELATED packets. This is a smart detection system: if a UDP packet were to leave the system from port 123 to remote IP 123.45.6.7, it will allow the response back in on port 123 from remote IP 123.45.6.7. Don't know if this is supported in Win2k filtering.
3) Allow all UDP traffic except on ports 135-139.
4) Set up a DNS server on Windows 2000. You might want to install BIND. After configuring BIND as a resolver, replace your current system DNS server resolver list (found in ipconfig /all) with a local IP address.
__________________
Send me a private message if you would like me to setup your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/setup fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links: Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
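An added illustration (not part of the thread) of why options 1 and 2 above differ for a stateless "allow only" filter like Win2k TCP/IP Filtering: the query leaves from an ephemeral source port, so the reply arrives on that port, not on 53. The addresses, the ephemeral port and the filter models are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

SERVER = "10.0.0.5"     # constructed address for the Win2k box
RESOLVER = "10.0.0.53"  # constructed address for the provider's DNS server

def stateless_allow_only(permitted_udp_ports, inbound):
    """Win2k TCP/IP Filtering model: an inbound packet is accepted only if its
    destination port is on the permit list; nothing about outbound traffic is kept."""
    return inbound.dst_port in permitted_udp_ports

class StatefulFilter:
    """Option 2 from the reply: remember outbound UDP flows and admit the related reply."""
    def __init__(self, permitted_udp_ports):
        self.permitted = set(permitted_udp_ports)
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
    def inbound(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt.dst_port in self.permitted or reverse in self.flows

def dns_exchange(client_port):
    """Query from the server's chosen source port to the resolver's port 53, and its reply."""
    query = UdpPacket(SERVER, client_port, RESOLVER, 53)
    reply = UdpPacket(RESOLVER, 53, SERVER, client_port)
    return query, reply

def resolves_with_stateless(client_port, permitted=(53,)):
    _, reply = dns_exchange(client_port)
    return stateless_allow_only(set(permitted), reply)

def resolves_with_stateful(client_port, permitted=(53,)):
    f = StatefulFilter(permitted)
    query, reply = dns_exchange(client_port)
    f.outbound(query)
    return f.inbound(reply)

def stateful_admits_unsolicited(port, permitted=(53,)):
    """An unsolicited inbound packet (e.g. NetBIOS on 137) with no matching outbound flow."""
    f = StatefulFilter(permitted)
    return f.inbound(UdpPacket("198.51.100.9", 137, SERVER, port))
```

Only the reply to a query sent from port 53 survives the stateless filter, which is the effect option 1 (or a local BIND resolver sending from port 53) relies on; the stateful model admits the reply to any source port while still dropping unsolicited UDP.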
#3
|
|||
|
|||
|
1-3 were the exact same ideas I had. You just confirmed what I thought was the problem to begin with.

#1 is the route I wanted to take to begin with but after googling it for a while I came up with nothing on how to go about doing it. #2 won't work because it would be working now if it were stateful (I think that's the correct term). #3 isn't going to work either because the way TCP/IP filtering is set up in Win2k Server it's either allow ALL or allow ONLY. I really wish they had just simple blocking. #4 looks like another language. Which way would you go with it?

Thanks for the quick response. Refreshed the page and you already replied.

-Myth*
#4
Good question. Here's how ole Rage thinks:

1) All software firewalls for Windows suck.
2) The newer Windows "Internet Connection Firewall" (ICF) looks ok, but unfortunately doesn't come with Windows 2000.
3) TCP/IP filtering sucks.
4) A firewall is important, most especially on Windows systems.
5) Hardware firewalls are my preferred choice.

So by that it's pretty obvious that at home and running Windows 2000, I had a router that provided my firewall and I didn't bother with setting up a firewall on the system itself. Now, I would never get a Windows server from a dedicated service. The only Windows system I might even consider is Windows 2003 with Remote Desktop enabled. Windows 2000 has neither Remote Desktop nor ICF. But if I had gotten Win2k then I would probably go the TCP/IP filtering + BIND route and disable the DNS Client service. You can configure BIND what port to send queries from, and also whether or not to forward requests to your provider's DNS servers. I've already got a resolver specific named.conf available: http://www.dollardns.net/bind/resolver/named.conf
#5
|
|||
|
|||
|
Ok just so I fully understand what you're saying...

Keep TCP/IP filters in place. Get BIND and have a set port that uses DNS, allow that port through the filter and close 53 all together. Is that what you're saying for the most part? See if I have to be really careful because if I configure anything wrong when I reboot that machine it won't come back online. I'm in Ohio and it's in Texas. Plus judging by the tech support I'd probably have to fly down there and get the thing back online. Can you point me in the direction of a good walkthrough for BIND with Windows? I'll google it and read about it but maybe you could point me in the right direction since you know my situation. I'm rather new to all of this and need a step by step guide to do it right.

Thanks for all your help thus far.

-Myth*
#6
I feel the need to modify your statement a bit:

Keep TCP/IP filters in place. Get BIND and have a set port that uses DNS, allow port 53 through the filter and block all other UDP traffic.

As for the tutorial, I have a sticky topic up at the top of this forum called "Bet you want to setup a dns server huh?". In there is a tutorial for setting up BIND on Windows. There's some parts of it that you would ignore since you're not hosting a domain. And you might want to use the named.conf I linked to you last post instead of the one mentioned in the tutorial.
#7
|
|||
|
|||
|
That was a lot harder than I thought but I got it working. Works fine now. Thank you for all your help silent.

-Myth*