GloriaGu-MSFT asked, SenseiVITA answered

DNS IPSEC TUNNEL

Hi Team,

I find that the IPsec tunnel is listening on my DNS server.

Below is the session status I got from my DNS server. The behavior is odd, since a VPN/tunnel is not required in our environment.

 [svchost.exe]
  UDP    [::]:500      *:*    324
  IKEEXT
 [svchost.exe]
  UDP    [::]:3389     *:*    3156
  TermService
 [svchost.exe]
  UDP    [::]:4500     *:*    324
  IKEEXT
 [svchost.exe]
Please kindly advise. Thanks.

Thread source link: https://social.technet.microsoft.com/Forums/zh-CN/426950fb-3c04-4b31-8873-6a88cc0dbfae/dns-ipsec-tunnel?forum=winserveripamdhcpdns

windows-dhcp-dns

CandyLuo-MSFT answered

Hi,

Please check if the “IKE and AuthIP IPsec Keying Modules” (short name: “IKEEXT”) service is running on your DNS server.

If the IKEEXT service is running on the DNS server, then you will see the default ports 500 and 4500 listening (see the attached screenshot, 5.png).

Just stop the “IKE and AuthIP IPsec Keying Modules” (short name: “IKEEXT”) service if you don't have a Windows IPsec VPN in your environment.

Best Regards,

Candy



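The check and the stop/disable step from the answer above, as an added PowerShell example (editor's addition, not code from the thread or from Microsoft). It assumes a Windows Server with the NetSecurity and NetTCPIP modules (Server 2012 or later) and an elevated session. The port numbers, service name and the svchost PID 324 come from the original post; the decision rule (only disable IKEEXT when no connection security rules and no main-mode SAs exist) is an added safeguard, because IKEEXT is also what Windows Firewall connection security rules, domain isolation policies and DirectAccess use, and stopping it silently breaks those.

```powershell
# Added example: audit IKEEXT on a DNS server before stopping it.
# Assumes Windows Server 2012+ (NetSecurity / NetTCPIP modules) in an elevated PowerShell.

# 1. Service state and startup type (Stop-Service alone does not survive a reboot
#    or a trigger start; StartupType must be Disabled as well).
$svc = Get-Service -Name IKEEXT
"IKEEXT status: $($svc.Status), start type: $($svc.StartType)"

# 2. Confirm which process owns the UDP 500/4500 sockets (the post shows PID 324,
#    a shared svchost.exe hosting IKEEXT; [::] means bound on all addresses).
Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
        }
    } | Format-Table -AutoSize

# 3. Is anything actually using IKE? Active (policy-store) IPsec rules and
#    negotiated main-mode security associations mean the service is in use.
$rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$sas   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
"Active IPsec rules: $($rules.Count); active main-mode SAs: $($sas.Count)"

# 4. Only when nothing depends on IKE (and no VPN/DirectAccess is deployed):
#    stop the service, disable it, and re-check that the sockets are gone.
if ($rules.Count -eq 0 -and $sas.Count -eq 0) {
    Stop-Service -Name IKEEXT -Force
    Set-Service  -Name IKEEXT -StartupType Disabled
    $left = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)
    "IKEEXT stopped and disabled; remaining UDP 500/4500 sockets: $($left.Count)"
} else {
    "IKEEXT is in use by IPsec policy; leave it running and review the rules instead."
}
```

The original netstat output has no State column for the UDP rows: on Windows, netstat shows UDP sockets as simply bound, so "listening" here only means the IKEEXT host process has the ports open, not that a tunnel exists. Step 3 is what tells those two cases apart; a DNS server that is domain-joined and subject to a connection security GPO will show rules there even though nobody configured a "VPN".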

SenseiVITA answered

This is mostly unrelated, but I'd be more worried about the undisclosed Teredo tunnels your server is making out to Microsoft; log its requests and you'll see what I mean. Block the server from the Internet except for DNS and ICMP (pings) so it thinks it's online. A better option is to get a middleman DNS server for your DNS server to get its DNS from, filtered and sent over DNS over HTTPS. Good options are pfSense (Unbound+pfBlockerNG) and OPNsense (BIND+DNSBL). Since it would be sending requests over TCP port 853, you can completely block port 53 at your edge to prevent rogue requests.

If your servers are offline they should be secure; there's no better protection against malware, with the added benefit of no more updates breaking things. Lastly, if you aren't using Active Directory you don't need to use Windows DNS; there are much better and more efficient options. Even Core needs about 1 GB of RAM just to power on. It's definitely not a bad DNS server, but it's far from the best.
