DNS IPSEC TUNNEL

Gloria Gu 3,891 Reputation points
2020-07-15T03:15:49.32+00:00

Hi Team,

I find that the IPsec tunnel is listening on my DNS server.

Below is the session status I got from my DNS server. The behavior is odd, since we don't require a VPN/tunnel in our environment.

[svchost.exe]
UDP [::]:500 : 324
IKEEXT
[svchost.exe]
UDP [::]:3389 : 3156
TermService
[svchost.exe]
UDP [::]:4500 : 324
IKEEXT
[svchost.exe]
Please kindly advise. Thanks.

Thread source link: https://social.technet.microsoft.com/Forums/zh-CN/426950fb-3c04-4b31-8873-6a88cc0dbfae/dns-ipsec-tunnel?forum=winserveripamdhcpdns


Accepted answer
  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-07-15T05:49:58.483+00:00

    Hi,

    Please check if the “IKE and AuthIP IPsec Keying Modules” (short name: “IKEEXT”) service is running on your DNS server.

    If the IKEEXT service is running on the DNS server, then you will see the default ports 500 and 4500 listening.

    Just stop the “IKE and AuthIP IPsec Keying Modules” (short name: “IKEEXT”) service if you don't have Windows’ IPSec VPN in your environment.

    Best Regards,

    Candy

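The following is an added PowerShell example, not code from the thread or from either answerer. It does what a practitioner would want before acting on the accepted answer: map the UDP 500/4500 listeners from the question's netstat output to the service that owns them (on a Windows Server the IKEEXT service starts automatically, so these listeners appear whether or not any VPN is configured; the UDP 3389 entry is the RDP transport of TermService and is unrelated to IPsec), then check whether any IPsec rules or security associations depend on IKE/AuthIP, and only then stop and disable the service. That last check matters because IKEEXT performs the key exchange for every IPsec policy on the machine, and stopping it silently breaks those policies. It assumes Windows Server 2016 or later with PowerShell 5.1 (for the NetTCPIP and NetSecurity modules and the StartType property) and an elevated session; the function name Get-IkeEndpointOwner is this example's own.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2016+ with
# PowerShell 5.1 (NetTCPIP and NetSecurity modules) and an elevated session.

$ikePorts = 500, 4500

# 1. Resolve the UDP endpoints on 500/4500 to their owning process and, because the
#    owner is svchost.exe, to the Windows services hosted in that PID. This is the
#    netstat -abno view from the question with the service names made explicit.
function Get-IkeEndpointOwner {
    Get-NetUDPEndpoint |
        Where-Object { $_.LocalPort -in $ikePorts } |
        ForEach-Object {
            $owner = $_.OwningProcess
            $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
            $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                     Select-Object -ExpandProperty Name
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $owner
                Process      = $proc.Name
                Services     = ($svcs -join ', ')   # expect IKEEXT here
            }
        }
}

Get-IkeEndpointOwner | Format-Table -AutoSize

# 2. The keying service itself. On Windows Server its start type is Automatic by
#    default, which is why the listeners exist without any VPN being configured.
Get-Service IKEEXT | Select-Object Name, DisplayName, Status, StartType

# 3. Before stopping it, confirm nothing relies on IKE/AuthIP: IPsec (connection
#    security) rules in the active policy store, and current security associations.
$rules = Get-NetIPsecRule -PolicyStore ActiveStore
$mmSa  = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue
$qmSa  = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue
"IPsec rules in active store : $(@($rules).Count)"
"Main-mode SAs               : $(@($mmSa).Count)"
"Quick-mode SAs              : $(@($qmSa).Count)"

# 4. Only when all three counts are zero: stop and disable the service as the
#    accepted answer suggests. Stopping IKEEXT breaks any IPsec policy that
#    depends on IKE or AuthIP, so the check above is not optional.
if (@($rules).Count -eq 0 -and @($mmSa).Count -eq 0 -and @($qmSa).Count -eq 0) {
    Stop-Service IKEEXT
    Set-Service  IKEEXT -StartupType Disabled
    Get-Service  IKEEXT | Select-Object Name, Status, StartType
} else {
    Write-Warning 'IPsec rules or SAs are present; leave IKEEXT running and review them first.'
}
```

After the service is disabled, rerunning Get-IkeEndpointOwner should return nothing, which is the evidence to attach to the ticket. If the host is domain-joined, also check whether group policy defines connection security rules (they appear in the ActiveStore query above); if it does, the policy will be re-applied and the service should stay running.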

1 additional answer

  1. Vita 76 Reputation points
    2020-10-16T01:19:31.543+00:00

    This is mostly unrelated, but I'd be more worried about the undisclosed Teredo tunnels your server is making out to Microsoft; log its requests and you'll see what I mean. Block the server from the Internet except for DNS and ICMP (pings) so it thinks it's online. A better option is to get a middleman DNS server for your DNS server to get its DNS from, filtered and sent over DNS over HTTPS. Good options are pfSense (Unbound+pfBlockerNG) and OPNsense (BIND+DNSBL). Since it would be sending requests over port TCP 853, you can block port 53 completely at your edge to prevent rogue requests.

    If your servers are offline they should be secure; there's no better protection from malware, with the added benefit of no more updates breaking things. Lastly, if you aren't using Active Directory you don't need to use Win DNS; there are much better and more efficient options. Even Core needs about 1GB of RAM just to power on. It's definitely not a bad DNS server, but it's far from the best.
