Firewall/Access-List issues

Robert Gahl bgahl at bawcsa.org
Thu May 17 01:15:01 UTC 2001 

At 05:03 PM 5/16/2001 -0700, Robert Gahl wrote:

>I guess what I'm asking is, what ports does something like dig use,
>outbound and inbound? I scanned the archives and while I found data dealing
>with serving zone information, I didn't find anything dealing with dig.

To give a more specific example, doing:

dig @206.41.7.71 www.yahoo.com

yields the right data. However, doing:

dig @63.146.119.75 www.yahoo.com yields:

>hosts-gc <bgahl>: dig @63.146.119.75 www.yahoo.com
>
>; <<>> DiG 9.1.0 <<>> @63.146.119.75 www.yahoo.com
>;; global options:  printcmd
>;; connection timed out; no servers could be reached

The difference between these two is that 206.41.7.71 is Global Centers' 
(now Exodus') name server. 63.146.119.75 is my name server over at Qwest. 
The filters that I have written are to allow UDP to flow above port 1024 
between the sites.

I repeatedly did a ping to unknown hosts and saw (via snooping the packets) 
requests heading out on random UDP ports for what was apparently name 
resolution.

Obviously, there is something I'm missing. In the event the thought is that 
it might be my ACLs in the named.conf, here are the applicable bits over on 
63.146.119.75

//DNS clients at fireclick.com
acl "trusted" {
         localhost;
         216.206.172.105;        // DSL Modem at Fireclick Corporate
         208.45.103.18;          // Hosts behind CISCO 3640
         63.146.119.64/26;       // Hosts in cabinet (new IPs)
         64.210.184.128/28;      // Hosts in GlobalCenter Rack
};

// Official secondaries
acl "fireclick-xfer" {
         63.146.119.76;          // ns2.fireclick.net (new IPs)
         64.210.184.130;         // hosts-gc.fireclick.com
         64.210.184.131;         // foundry-fcslb16-gc-1
         64.210.184.132;         // foundry-fcslb16-gc-2
         64.210.184.133;         // foundry-fcslb16-gc-1v
         64.210.184.134;         // foundry-fcslb16-gc-2v
         216.206.172.105;        // flame.fireclick.com
};

options {
         directory       "/etc/dns";
         pid-file        "/var/log/named.pid";
         listen-on       { 127.0.0.1; 63.146.119.75; };
         allow-query {
                 trusted;
         };
         allow-transfer {
                 none;
         };
};

//
view "in" in {
         match-clients { any; };

         // Bootstrap the root.

         zone "." in {
                 type hint;
                 file "root.cache";
         };
         ...
};

Thanks.


===
Bob Gahl Bicycle (Ryan Vanguard) Mobile ||     @
     ARPA/Internet: bgahl at bawcsa.org     ||  !_ \
    URL: http://www.bawcsa.org/bgahl/    ||  (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb

More information about the bind-users mailing list