Mike, You could just apply IP port blocking, I tend to only do this when the machine has 2 network interfaces, one for the external WAN and one for internal LAN administration (still with port blocking for additional security), this way you can allow only port 53 to be open for the world.
Kind Regards, Richard Parry ZOOL Networks ( www.zoolnet.co.uk <http://www.zoolnet.co.uk/> ) Managed, Dedicated & Shared Hosting Solutions Telephone: +44(0)1543 301003 Fax: +44(0)1543 416668 Mobile (Emergency): +44(0)7967 959740 -----Original Message----- From: VNV Jeep [mailto:[EMAIL PROTECTED] Sent: 06 June 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Securing a Win2k DNS server outside firewall... Hi All... I have 2 Windows 2000 DNS servers sitting on the outside of our firewall. They're vanilla installs of Win2k server, both running as member servers, locked down as much as possible, running a primary & secondary DNS configuration. When running a port scan against these servers, one of the only things that tends to worry me is that they both answer to port 135 RPC. I've tried to figure out a way to prevent that port from being available, but all I could find as far as answers go is that I'd need to run a firewall to block it. I did try running a small firewall on the servers, but ran into issues since DNS tends to use a myriad of dynamic ports when answering queries... Does anyone have any good ideas on how to lock down a Win2k server like this so that the only thing available as far as services go is DNS, and the replication thereof? Thanks in advance for your advice... Take care, Mike _________________________________________________________________ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------