Root server DNS traffic across Linux/ipchains firewall?
Barry Margolin
barmar at bbnplanet.com
Thu Oct 21 22:26:11 UTC 1999
In article <199910212208.SAA00692 at fw1-b.osis.gov>,
Joseph S D Yao <jsdy at cospo.osis.gov> wrote:
>I'm afraid that most V8++ BINDs will be addressing you FROM random
>ports [as many current network programs do] but always TO port 53. You
>might be well advised not to block on source ports, but only on
>destination ports.
I think the only DNS traffic he's expecting TO his firewall is replies to
his queries, i.e. it's a caching-only server. So they should all be FROM
port 53 and TO the port specified in the "query-source" option. Except it
sounds like queries sent to the root servers are ignoring the query-source
port.
I'm finding this difficult to believe, unless it's a new bug. Many sites
are successfully making use of "query-source * port 53" to emulate the
behavior of BIND 4 so that they'll be compatible with firewalls that were
configured with this in mind. If root server queries weren't using port
53, all these sites would be dead in the water.
--
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
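To make the two positions in this exchange concrete (firewall rules that pin the DNS source port to 53, which only work when named is configured with "query-source address * port 53;", versus rules that match on destination port only), here is an added example that is not part of the post or of BIND. It parses a small subset of ipchains rule syntax and checks whether a query to a root server and its reply pass a stateless filter under each rule style. The addresses 192.0.2.53 (the caching-only named on the firewall host) and 203.0.113.4 (a stand-in for a root server), the rules, and the 1024:65535 ephemeral range are all constructed for the example.

```python
"""Model of a stateless ipchains-style filter in front of a caching-only named.

Added example for the bind-users discussion above; not from the post or from
BIND.  It understands only this subset of ipchains syntax (an assumption):
    ipchains -A <chain> -p <proto> -s <net> [port[:port]] -d <net> [port[:port]] -j <target>
All addresses, rules and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import random
import shlex

PORT_ANY = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    src_net: object
    sport: tuple
    dst_net: object
    dport: tuple
    target: str


def parse_ports(spec: str) -> tuple:
    """'53' -> (53, 53); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    lo = int(lo)
    return (lo, int(hi) if hi else lo)


def parse_rule(line: str) -> Rule:
    """Parse one ipchains rule in the subset described in the module docstring."""
    toks = shlex.split(line)
    if toks and toks[0] == "ipchains":
        toks = toks[1:]
    chain = target = None
    proto = "all"
    ends = {"-s": ("0.0.0.0/0", PORT_ANY), "-d": ("0.0.0.0/0", PORT_ANY)}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain = toks[i + 1]
            i += 2
        elif t == "-p":
            proto = toks[i + 1]
            i += 2
        elif t == "-j":
            target = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            net = toks[i + 1]
            i += 2
            ports = PORT_ANY
            # As in ipchains, an optional port or port range follows the address.
            if i < len(toks) and not toks[i].startswith("-"):
                ports = parse_ports(toks[i])
                i += 1
            ends[t] = (net, ports)
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    if chain is None or target is None:
        raise ValueError(f"rule needs -A and -j: {line}")
    return Rule(chain, proto, ip_network(ends["-s"][0]), ends["-s"][1],
                ip_network(ends["-d"][0]), ends["-d"][1], target)


def matches(rule: Rule, chain: str, pkt: Packet) -> bool:
    return (rule.chain == chain
            and rule.proto in ("all", pkt.proto)
            and ip_address(pkt.src) in rule.src_net
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and ip_address(pkt.dst) in rule.dst_net
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def verdict(rules, chain: str, pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if matches(rule, chain, pkt):
            return rule.target
    return policy


def load(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


RESOLVER = "192.0.2.53"   # constructed: the caching-only named on the firewall host
ROOT = "203.0.113.4"      # constructed stand-in for a root server

# Rules written on the assumption that named always sends FROM port 53
# (BIND 4 behaviour, or BIND 8 with "query-source address * port 53;").
SOURCE_PORT_PINNED = load("""
ipchains -A output -p udp -s 192.0.2.53 53 -d 0.0.0.0/0 53 -j ACCEPT
ipchains -A input  -p udp -s 0.0.0.0/0 53 -d 192.0.2.53 53 -j ACCEPT
""")

# Rules that match on destination port only: queries always go TO port 53,
# replies come back TO whatever port named used, so 53 and the ephemeral
# range are both opened on the input chain.
DEST_PORT_ONLY = load("""
ipchains -A output -p udp -s 192.0.2.53 -d 0.0.0.0/0 53 -j ACCEPT
ipchains -A input  -p udp -s 0.0.0.0/0 -d 192.0.2.53 53 -j ACCEPT
ipchains -A input  -p udp -s 0.0.0.0/0 -d 192.0.2.53 1024:65535 -j ACCEPT
""")


def dns_exchange(rules, query_port: int) -> tuple:
    """Verdicts for a query sent from query_port to a root server and its reply."""
    query = Packet("udp", RESOLVER, query_port, ROOT, 53)
    reply = Packet("udp", ROOT, 53, RESOLVER, query_port)
    return verdict(rules, "output", query), verdict(rules, "input", reply)


def bind8_default_query_port() -> int:
    """Without query-source, named picks an unprivileged port; modelled as random."""
    return random.randint(1024, 65535)


if __name__ == "__main__":
    for name, rules in (("source-port pinned", SOURCE_PORT_PINNED),
                        ("dest-port only", DEST_PORT_ONLY)):
        for port in (53, bind8_default_query_port()):
            q, r = dns_exchange(rules, port)
            print(f"{name:19} query-source port {port:5}: query {q}, reply {r}")
```

With the pinned rules a query from any port other than 53 is dropped on the way out, and its reply on the way in; with the destination-port-only rules both get through regardless of the query-source port. The price of the second style on a stateless filter is visible in its last rule: any UDP packet to the ephemeral range reaches the host, since nothing ties a reply to an outstanding query.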