Question about port for NSLOOKUP

Richard Johnson rajohnson1 at uswest.net
Mon Apr 24 23:10:40 UTC 2000


At 03:36 PM 4/24/00 -0700, you wrote:
>How can I make this work if it's dynamically assigned?  There must be some way
>I can block ports but still be able to use NSLOOKUP.

You need to be able to accept any port above 1023 as the source port
and 53 as the dest port.  You should ignore any packets that have the
"ack" bit set with these addresses as well.  This is the case where someone
is trying to send you a reply packet to your DNS server.  Any meaningful
replies from elsewhere to your DNS server should be on port 53.

I suggest you pick up a copy of one of the firewall books out there.
Chapman and Zwicky's "Building Internet Firewalls" is quite good on
explaining the rules that are required to allow a given service
through a firewall.  It also reviews all of the problems that can
be caused by doing so. <g>
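The rules sketched in the reply above, written out as a small stateless packet classifier so the accept/drop decisions can be checked against constructed packets. This is an added example, not code from the original post, from BIND or from the book cited; the reading of the post's rules as R1 to R3, the `Packet` fields and the sample packets are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Literal, Tuple

# Ports 0-1023 are the privileged range; nslookup and other resolvers pick
# an ephemeral source port above 1023 for each query, which is why the
# filter cannot name a single client port.
FIRST_UNPRIVILEGED = 1024
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    direction: Literal["in", "out"]  # "out" = leaving our network, "in" = arriving
    proto: Literal["udp", "tcp"]
    sport: int
    dport: int
    ack: bool = False                # TCP ACK flag; always False for UDP


def is_unprivileged(port: int) -> bool:
    return FIRST_UNPRIVILEGED <= port <= 65535


def dns_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet.

    Hypothetical rule set, my reading of the mailing-list reply (not any
    vendor's syntax):
      R1  outbound query: any unprivileged source port -> 53
      R2  inbound reply to that query: 53 -> our unprivileged range; for
          TCP the reply must carry ACK, since a bare SYN to one of our
          high ports is a new inbound connection, not a reply
      R3  inbound traffic to our own server on 53 is only expected from a
          remote server's port 53; an inbound packet to 53 with ACK set
          and a high source port is the unsolicited "reply" the post says
          to ignore
      default deny
    """
    if pkt.direction == "out" and pkt.dport == DNS_PORT and is_unprivileged(pkt.sport):
        return "accept", "R1 outbound query"
    if pkt.direction == "in" and pkt.sport == DNS_PORT and is_unprivileged(pkt.dport):
        if pkt.proto == "udp" or pkt.ack:
            return "accept", "R2 reply to our query"
        return "drop", "R2 TCP packet from 53 without ACK (new inbound connection)"
    if pkt.direction == "in" and pkt.dport == DNS_PORT:
        if pkt.sport == DNS_PORT:
            return "accept", "R3 server-to-server traffic on 53"
        if pkt.proto == "tcp" and pkt.ack:
            return "drop", "R3 ACK set from high port: unsolicited reply"
    return "drop", "default deny"


# Constructed sample traffic (not captured data): an nslookup query and its
# reply, a spoofed-looking TCP "reply" aimed at our server, and some noise.
SAMPLE_PACKETS: List[Packet] = [
    Packet("out", "udp", 34567, 53),             # nslookup query leaving
    Packet("in", "udp", 53, 34567),              # its reply coming back
    Packet("in", "tcp", 53, 34567, ack=True),    # TCP reply segment to our query
    Packet("in", "tcp", 53, 34567),              # SYN from 53 to a high port
    Packet("in", "tcp", 40000, 53, ack=True),    # ACK to our server, high sport
    Packet("in", "udp", 53, 53),                 # remote server answering ours
    Packet("out", "udp", 1023, 53),              # privileged source port
    Packet("in", "udp", 80, 53),                 # nonsense source port
]


def classify_all(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run the filter over a batch and return (packet, verdict, reason) rows."""
    return [(p, *dns_filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in classify_all(SAMPLE_PACKETS):
        print(f"{pkt.direction:>3} {pkt.proto} {pkt.sport:>5} -> {pkt.dport:<5} "
              f"ack={int(pkt.ack)}  {verdict:<6} {reason}")
```

The point the example makes is that a stateless filter has nothing but port numbers and the ACK bit to decide whether an inbound packet is a reply to a query that actually left: any packet from source port 53 to any high port is admitted under R2, whether or not a query preceded it. A stateful firewall closes that gap by remembering the outbound query and admitting only the matching reply (for example, Linux netfilter's `-m conntrack --ctstate ESTABLISHED,RELATED` match), which is the usual way to solve the dynamic-port problem the original question raises.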
