#1
I have a Win 2003 server that is stand alone, no AD and inside our network.
Want to replace our old DNS/DHCP servers with this server, but every time I configure DNS to resolve I receive an ICMP (3 3) port unreachable message. I've used portqueryui to examine the ports and I can see that 53/TCP is listening but 53/UDP is not. I've also run a packet capture on the server and can see that when a client makes a request the server will handle the request, but before sending the reply it will send a port unreachable. I'm confused. Have configured TCP/IP filtering on the network card to allow all.

Thanks.
gmgordon
#2
"gmgordon" <(E-Mail Removed)> wrote in message news:92871EC2-6D0D-4296-9181-(E-Mail Removed)...
> confused. Have configured TCP/IP filtering on the network card to allow all.

You shouldn't filter at all in that situation. You're building a DNS/DHCP box, not a firewall. Turn off the filtering.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
#3
In news:92871EC2-6D0D-4296-9181-(E-Mail Removed),
gmgordon <(E-Mail Removed)> stated, which I commented on below:
> I have a Win 2003 server that is stand alone, no AD and inside our
> network. Want to replace our old DNS/DHCP servers with this server,
> but, every time I configure DNS to resolve I receive an ICMP (3 3)
> port unreachable message.
>
> I've used portqueryui to examine the ports and I can see that 53/TCP
> is listening but 53/UDP is not. I've also run a packet capture on
> the server and can see that when a client makes a request the server
> will handle the request, but before sending the reply it will send a
> port unreachable. I'm confused. Have configured TCP/IP filtering on
> the network card to allow all.
>
> Thanks.

Keep in mind that Windows also requires UDP 1024 and above for DNS query traffic between Windows machines. Either way, the initial query of any DNS query (unless forced to use TCP) uses UDP first.

If you use nslookup, does it work? If not, when using nslookup, use this command to force TCP: "set vc", then try again. If that works, then of course UDP 53 is being blocked.

ICMP wouldn't really have anything to do with DNS communication. Just the mere fact you are getting any sort of ICMP error means that the ping command is not getting a reply because ping, not DNS, uses ICMP, therefore telling me your filtering is blocking ICMP. It's also saying that filtering is not set correctly.

If you disable filtering, does it work?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Having difficulty reading or finding responses to your post? Instead of the website you're using, I suggest to use OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject.

It's easy: How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming unnecessary energy. - [Me]
#4
If I force nslookup to use TCP for lookups, it works. But a straight UDP lookup doesn't. If I trace the packets I see the UDP request being made and the server immediately sending an ICMP (3 3) port unreachable packet and NSLOOKUP returns "No response from server".

Thanks

Ace Fekay [MVP] wrote:
> Keep in mind, that Windows also requires UDP 1024 and above for DNS query
> traffic between Windows machines. Either way, the initial query of any DNS
> query (unless forced to use TCP) uses UDP first.
>
> If you use nslookup, does it work? If not, when using nslookup, use this
> command to force TCP: "set vc", then try again. If that works, then of
> course UDP 53 is being blocked.
>
> ICMP wouldn't really have anything to do with DNS communication. Just the
> mere fact you are getting any sort of ICMP error means that the ping command
> is not getting a reply because ping, not DNS, uses ICMP, therefore telling
> me your filtering is blocking ICMP. It's also saying that filtering is not
> set correctly.
>
> If you disable filtering, does it work?
>
> --
> Ace
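The symptom in the post above (the UDP query goes out, the server answers with ICMP type 3 code 3, nslookup reports "No response from server", yet "set vc" over TCP works) can be reproduced from any client host. The following is an added example, not code from anyone in this thread: it sends one UDP DNS query on a connected socket so that an ICMP port-unreachable from the target surfaces as ConnectionRefusedError (Linux) or ConnectionResetError (Windows), which separates "nothing is bound to UDP/53" from "a filter silently drops the packet" (timeout) and from a real answer. The loopback responder, the `example.com` query name and the function names are constructed for the demo.

```python
import random
import socket
import struct
import threading

def build_dns_query(name, txid):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def probe_udp_dns(server, port=53, name="example.com", timeout=2.0):
    """Send one UDP query and classify what comes back."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Connected UDP: the kernel reports an incoming ICMP port-unreachable as a recv error.
        s.connect((server, port))
        s.send(build_dns_query(name, txid))
        try:
            data = s.recv(512)
        except (ConnectionRefusedError, ConnectionResetError):
            return "port-unreachable"  # ICMP 3/3 came back: nothing bound to UDP/port
        except socket.timeout:
            return "timeout"  # silently dropped: a filter or routing issue, not a closed port
    if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid:
        return "answered"
    return "unexpected"

def start_fake_responder():
    """Constructed stand-in DNS server on loopback: answers one query with an empty NOERROR reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        data, peer = srv.recvfrom(512)
        # Keep the client's txid and question; flags 0x8180 = QR, RD, RA, RCODE 0.
        srv.sendto(data[:2] + b"\x81\x80" + data[4:6] + b"\x00" * 6 + data[12:], peer)
        srv.close()
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return port, worker

if __name__ == "__main__":
    port, worker = start_fake_responder()
    print("bound port:", probe_udp_dns("127.0.0.1", port))
    worker.join()
    print("same port after close:", probe_udp_dns("127.0.0.1", port, timeout=1.0))
```

Run `probe_udp_dns("<server ip>")` from a client against the real server: "port-unreachable" confirms the DNS service is not bound to UDP/53 on that host, while "timeout" points at filtering in the path.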
#5
<(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> If I force nslookup to use TCP for lookups, it works. But a straight
> UDP lookup doesn't. If I trace the packets I see the UDP request being
> made and the server immediately sending an ICMP (3 3) port unreachable
> packet and NSLOOKUP returns "No response from server".
>
> Thanks

Gary,

Besides allowing UDP 53, you may also need to allow UDP 1024 and above if communicating between Windows machines. They're the ephemeral response ports that Windows uses.

As I previously asked, if you disable the firewall, does it work? If so, then it tells me the firewall or rule is misconfigured. Check the rules and possible need for the above ports as well. Nslookup doesn't need all of them, just 53, but may.

Ace
Tags: icmp, port, returns, server, stand, unreachable