Private Public DNS question
Ken Eddings
eddingsk at apple.com
Thu Mar 23 00:30:45 UTC 2000
I'm the hostmaster for the apple.com domain. I get one or two
messages a month on this topic. Invariably they're doing the default
NAT on a Checkpoint FW-1 setup.
I am running mostly BIND-8 servers mimicking BIND-4 behavior until we
redo our firewalls. I'm using the below option to keep the BIND-4
behavior on the BIND-8 servers.
query-source address * port 53;
Once I explain to them what I think the problem is, they usually stop
NATting the DNS queries and go to a forwarding setup.
Cheers,
At 11:42 PM +0000 3/22/2000, Barry Margolin wrote:
>In article <B5C5D2CDB8BCD2118E4800A0C9D8E4C7B2A9DA at cartman.metainfo.com>,
> <vladimirs at metaip.checkpoint.com> wrote:
>>Certain commercial sites (apple.com and wcom.com) do not like replying to
>>low port # DNS queries. The symptom is that most external DNS queries work
>>except for these sites. The issue is caused by FW-1 NATing the DNS query
>>(which defaults from port 53) to a low port address. Apple and WorldCom DNS
>>servers do not like this and the queries time out.
>>
>>The problem can be resolved by setting DNS' "Query Source Address" from the
>>default port of 53 to a high port, like 1053. This setting is located under
>>DNS properties, Configuration (I am using Meta IP product from Checkpoint
>>Software Technologies). When the query hits the FW-1, it gets NATed to a
>>higher port address. This works wonderfully with apple, wcom and everyone
>>else.
>
>This seems very strange. The purpose of "query-source port 53" is to make
>BIND 8 act like BIND 4 did. If what you're saying is true, sites that are
>still using BIND 4 nameservers (if not the majority, certainly a large
>number) would not be able to look up names in those domains. I think this
>is extremely unlikely, especially for a high-visibility site like
>apple.com.
>
>--
>Barry Margolin, barmar at bbnplanet.com
>GTE Internetworking, Powered by BBN, Burlington, MA
>*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
>Please DON'T copy followups to me -- I'll assume it wasn't posted to
>the group.
--
Ken Eddings, Hostmaster, IS&T, eddingsk at apple.com, eddingsk at ricochet.net
Work:+1 408 974-4286 Pager: +1 408 699-3591, Fax: +1 408 974-1560
Apple Computer, Inc., 1 Infinite Loop, M/S 60-DR Cupertino, CA 95014
The Prudent Mariner never relies solely on any single aid to navigation.
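As an added example that is not part of the thread or of any poster's code: the script below reproduces the symptom the thread argues about by sending the same A query from several UDP source ports (53, a port below 1024, a high port, and an OS-chosen ephemeral port) and reporting which ones get an answer. The server address and query name are taken from the command line and are assumptions; the servers named in the thread may well behave differently today. Binding a source port below 1024 requires root on Unix. The constructed response bytes used for the parser check are made up here and do not come from any real server.

```python
"""Send one DNS query from a chosen UDP source port and report whether the
server answered.  Purpose: reproduce the thread's symptom, where a NAT
rewrites the source port of a resolver's queries and some remote servers
(or the filters in front of them) then stop answering.

BIND 8 settings discussed in the thread, for reference:
    query-source address * port 53;     # BIND 4 behaviour (Ken's servers)
    query-source address * port 1053;   # a fixed high port (Vladimir's fix)
    forwarders { 192.0.2.1; };          # forward instead of querying through the NAT
"""
import random
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default) with RD set.
    Returns (txid, wire_bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Return (rcode, answer_count) for a response whose id matches and whose
    QR bit is set; None for anything else (truncated, wrong id, a query)."""
    if len(data) < 12:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        return None
    return flags & 0x000F, an


def query_from_port(server, name, source_port, timeout=3.0):
    """Send an A query for `name` to `server`:53 from UDP `source_port`
    (0 lets the OS pick an ephemeral port).  Returns the parsed response
    or None on timeout, which is the symptom the thread describes."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))  # ports < 1024 need root on Unix
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


if __name__ == "__main__":
    # usage: python probe.py <server-ip> <name>   (server/name are assumptions)
    server, name = sys.argv[1], sys.argv[2]
    for port in (53, 1023, 1053, 0):
        result = query_from_port(server, name, port)
        label = "ephemeral" if port == 0 else str(port)
        if result is None:
            print(f"source port {label}: no answer (timeout)")
        else:
            print(f"source port {label}: rcode={result[0]} answers={result[1]}")
```

If only the port 53 and high-port probes are answered while the low-port probe times out, the server (or a filter in front of it) is discriminating on source port and the thread's fix applies: either leave the query source at 53 and stop NATting it, or move it to a high port, or forward. Note that pinning every outgoing query to one source port, as `query-source ... port 53` does, makes the resolver's queries predictable; treat it as a compatibility setting rather than a default.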