DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037):
http://support.microsoft.com/default.aspx/kb/956190/
Download details: UDP Update for ISA Server 2004 Standard Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0ab83f12-653b-4be1-befe-594c4ef62baa&DisplayLang=en
Download details: UDP Update for ISA Server 2006:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e96a6e20-0c04-4c7d-9f3e-207b02ae29cc&DisplayLang=en

So if I’m SBS 2003 with ISA 2004 do I care about those?  Nope.  We’re not nat-ing in front of the box… it is ON the box.

If I am SBS 2008 do I care about those? Maybe. If you have ISA 2006(1) on a server in front of SBS 2008 then yes. I’m going to guess that most of you in the same boat I am are still getting a handle on where you get the media for ISA 2006 as part of your software assurance offering.

Thanks as always to some very special folks behind the scenes that are the brilliant ones that know all these answers.

(1) I forgot to call today to see if I can order my extra SA stuff…. will blog tomorrow if I am successful.

 

One Response to DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037):

  1. Jim Harrison says:

    “So if I’m SBS 2003 with ISA 2004 do I care about those? Nope. We’re not nat-ing in front of the box… it is ON the box.”

    – this statement is not guaranteed to be completely true.

    It is true that the problem of updated DNS queries *from* the SBS server are not affected by this behavior because this traffic is handled by the “Local Host Access” network rule which specifies a route relationship and so NAT is not applied. *However* if there are *any* hosts in a protected network which use a NAT relationship to reach another network that are allowed to make direct DNS queries to that network, the traffic from these hosts *will* be affected and you must then apply the update to your ISA (SBS) Server.

    Since applying this update will most certainly affect SBS deployments, you’ll want to read in the latest ISABlog on the subject (writing it now).
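
One way to confirm whether DNS queries that cross a NAT relationship still carry randomized source ports is to capture them on the external side of the firewall and examine the port sequence. The following is an added example, not code from the original post, the commenter, or Microsoft; the function name, the thresholds, and both port lists are assumptions constructed for illustration.

```python
# Added example: heuristic check of DNS source-port randomness as seen
# on the external side of a NAT device. Thresholds are assumptions.

# Constructed sample: ports as a NAT allocator handing them out in order might show.
NAT_SAMPLE = [1025, 1026, 1027, 1029, 1030, 1031, 1033, 1034, 1035, 1036]
# Constructed sample: ports as a patched resolver with no port rewriting might show.
DIRECT_SAMPLE = [49231, 51877, 60112, 50344, 63920,
                 55418, 52007, 61733, 49988, 58461]


def assess_source_ports(ports, max_step=16, min_samples=8):
    """Classify UDP source ports observed, in capture order, on outbound
    DNS queries.

    Verdicts:
      'insufficient-data' - fewer than min_samples ports
      'predictable'       - fixed port, small forward steps, or heavy reuse
      'randomized'        - none of the above patterns found
    """
    if len(ports) < min_samples:
        return {"verdict": "insufficient-data", "samples": len(ports)}

    # Forward distance between consecutive ports, modulo the 16-bit
    # port space so a wrapping allocator is measured consistently.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small_ratio = sum(1 for d in deltas if d <= max_step) / len(deltas)

    # Share of distinct ports; a low value means a tiny pool is reused.
    distinct_ratio = len(set(ports)) / len(ports)

    predictable = small_ratio >= 0.8 or distinct_ratio < 0.5
    return {
        "verdict": "predictable" if predictable else "randomized",
        "samples": len(ports),
        "small_step_ratio": round(small_ratio, 2),
        "distinct_ratio": round(distinct_ratio, 2),
    }


if __name__ == "__main__":
    for name, sample in (("NAT", NAT_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(name, assess_source_ports(sample))
```

Feed it the source ports of port-53 queries taken from a capture on the external interface; a "predictable" verdict for clients behind a NAT relationship indicates the firewall update is still needed.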