unable to resolve one specific domain (hotmail.co.uk)
Mark Andrews
Mark_Andrews at isc.org
Wed Apr 25 23:21:06 UTC 2007
> Thanks for the update. I've been at least acknowledged by msnhst at microsoft.com,
> they're looking into it - I will include this information in my report to
> them, as the primary reason we set query-source address to 53 is that we had
> problems with some nameservers that didn't allow non-privileged ports to query
> (probably a legacy issue).
There are lots of badly constructed firewalls.
Some block source port != 53
Some block source port < 1024
Some block source port 1024-1030 (rpc ports)
Some block source port ~7000 (irc ports)
If you have a nameserver you should allow traffic to port 53
on the nameserver regardless of the source port. It should
also allow reply traffic to any destination port.
With a first-match firewall you should have rules like:

state-full firewall
    check-state                          ; allow inbound replies
    allow any to nameserver 53 in        ; allow inbound queries
    allow nameserver 53 to any out       ; allow replies
    allow any to any 53 out keep-state   ; allow outbound queries
    <put your general blocks here>

state-less firewall (query-source port 53)
    allow tcp established
    allow any to nameserver 53 in        ; allow inbound queries and
                                         ; inbound replies
    allow nameserver 53 to any out       ; allow replies
    allow udp any 53 to any 53 out       ; allow outbound queries
    <put your general blocks here>
If you are worried about too much state being kept with the state-full
firewall, you can do it as a state-less firewall for the recursive
servers by inserting a rule like this before the keep-state rule:

    allow udp <recursive server> 53 to any 53 out
Named has a built-in list of ports to which it will not
respond with error messages. It will also not reply
to responses.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
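The first-match rulesets in Mark's message, as an added example that is not part of the original post and not ISC or BIND code: a small Python simulator of a first-match firewall with keep-state/check-state, loaded once with the recommended state-full ruleset and once with a "badly constructed" variant that blocks inbound source ports below 1024 and 1024-1030 ahead of the DNS rules. The same constructed packets are pushed through both; 192.0.2.53 is assumed to be the nameserver behind the firewall and the other addresses are made-up clients and remote servers from the RFC 5737 documentation ranges. The comparison shows why a resolver with query-source port 53 gets its queries dropped by the bad firewall while random unprivileged source ports get through, and why check-state must come first so that replies (source port 53) are still admitted.

```python
"""Toy first-match firewall for DNS traffic (added example, not ISC/BIND code).

Models the state-full ruleset recommended in the post plus a broken variant
that blocks low and "rpc" source ports before the DNS allows. All addresses
are assumed/constructed: 192.0.2.53 is our nameserver, the rest are clients
and remote authoritative servers from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NAMESERVER = "192.0.2.53"  # assumed address of the nameserver behind the firewall

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" (towards us) or "out" (leaving us)


@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None               # None means any destination port
    sport: Optional[Tuple[int, int]] = None   # inclusive source-port range, None means any
    direction: str = "any"
    keep_state: bool = False                  # remember the flow so its reply is admitted
    check_state: bool = False                 # admit packets that reply to a remembered flow

    def matches(self, pkt: Packet) -> bool:
        return (
            self.src in ("any", pkt.src)
            and self.dst in ("any", pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.sport is None or self.sport[0] <= pkt.sport <= self.sport[1])
            and self.direction in ("any", pkt.direction)
        )


class Firewall:
    """First-match evaluation: the first rule that applies decides the packet."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[FlowKey] = set()

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.check_state:
                # A reply has src/dst and sport/dport swapped relative to the flow.
                reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                if reverse in self.flows:
                    return "allow"
                continue
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny"  # nothing matched: treat as blocked


def good_stateful_rules() -> List[Rule]:
    """The state-full ruleset from the post, in order."""
    return [
        Rule("allow", check_state=True),                                 # inbound replies
        Rule("allow", dst=NAMESERVER, dport=53, direction="in"),         # inbound queries, any sport
        Rule("allow", src=NAMESERVER, sport=(53, 53), direction="out"),  # our replies
        Rule("allow", dport=53, direction="out", keep_state=True),       # outbound queries
        Rule("deny"),                                                    # general block
    ]


def bad_stateful_rules() -> List[Rule]:
    """Same ruleset with the common mistakes inserted ahead of the DNS allows."""
    return [
        Rule("allow", check_state=True),
        Rule("deny", sport=(1, 1023), direction="in"),     # blocks source port < 1024
        Rule("deny", sport=(1024, 1030), direction="in"),  # blocks "rpc" source ports
        Rule("allow", dst=NAMESERVER, dport=53, direction="in"),
        Rule("allow", src=NAMESERVER, sport=(53, 53), direction="out"),
        Rule("allow", dport=53, direction="out", keep_state=True),
        Rule("deny"),
    ]


def run_scenarios(rules: List[Rule]) -> Dict[str, str]:
    """Push constructed packets through a fresh firewall; return the verdict per case."""
    fw = Firewall(rules)
    client, remote, other = "198.51.100.7", "203.0.113.2", "203.0.113.9"
    return {
        # a resolver configured with query-source port 53 asks us something
        "query_from_port_53": fw.evaluate(Packet("udp", client, 53, NAMESERVER, 53, "in")),
        # the same resolver using a random unprivileged source port
        "query_from_high_port": fw.evaluate(Packet("udp", client, 41234, NAMESERVER, 53, "in")),
        # a query whose source port lands in the "rpc" range
        "query_from_port_1028": fw.evaluate(Packet("udp", client, 1028, NAMESERVER, 53, "in")),
        # our own recursive query to a remote authoritative server (state kept)
        "our_outbound_query": fw.evaluate(Packet("udp", NAMESERVER, 48513, remote, 53, "out")),
        # its reply: source port 53 back to our ephemeral port, matched by check-state
        "reply_to_our_query": fw.evaluate(Packet("udp", remote, 53, NAMESERVER, 48513, "in")),
        # a "reply" from a host we never asked: no state, must be dropped
        "unsolicited_reply": fw.evaluate(Packet("udp", other, 53, NAMESERVER, 48513, "in")),
        # our answer back to the client
        "our_reply_out": fw.evaluate(Packet("udp", NAMESERVER, 53, client, 41234, "out")),
    }


if __name__ == "__main__":
    for name, rules in (("good", good_stateful_rules()), ("bad", bad_stateful_rules())):
        print(name, run_scenarios(rules))
```

With the recommended ruleset every legitimate packet is allowed and only the unsolicited reply is dropped; with the bad ruleset the queries arriving from source port 53 and from port 1028 are dropped before the DNS allow rule is reached, which is exactly the symptom of a resolver set to query-source port 53 hitting such a firewall.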