Private Public DNS question

Jared Johnson jared.johnson at tecstar.com
Thu Mar 23 00:35:32 UTC 2000


Actually, I've found this to be true on Checkpoint's website (after knowing
what to look for).  It seems the NAT for port 53 will be given an open low
port (<1024) which isn't being liked by other nameservers.  wcom.com is
another site that I've had the same problem with.  Thanks for the answer.  I've
also called Checkpoint support and verified they have verified this to be
true.  They gave the same solution.

> In article <B5C5D2CDB8BCD2118E4800A0C9D8E4C7B2A9DA at cartman.metainfo.com>,
>  <vladimirs at metaip.checkpoint.com> wrote:
> >Certain commercial sites (apple.com and wcom.com) do not like replying to
> >low port # DNS queries.  The symptom is that most external DNS queries work
> >except for these sites.  The issue is caused by FW-1 NATing the DNS query
> >(which defaults from port 53) to a low port address.  Apple and WorldCom DNS
> >servers do not like this and the queries time out.
> >
> >The problem can be resolved by setting DNS' "Query Source Address" from the
> >default port of 53 to a high port, like 1053.  This setting is located under
> >DNS properties, Configuration (I am using Meta IP product from Checkpoint
> >Software Technologies). When the query hits the FW-1, it gets NATed to a
> >higher port address.  This works wonderfully with apple, wcom and everyone
> >else.

They are not blocking 53, but they are blocking the other low ports for
security purposes.  (And as stated the NAT is trying to use the other low
ports)

> This seems very strange.  The purpose of "query-source port 53" is to make
> BIND 8 act like BIND 4 did.  If what you're saying is true, sites that are
> still using BIND 4 nameservers (if not the majority, certainly a large
> number) would not be able to look up names in those domains.  I think this
> is extremely unlikely, especially for a high-visibility site like
> apple.com.
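A small probe, added here as an example (it is not code from this thread, from BIND, or from Check Point), for reproducing the symptom the post describes: it builds a bare DNS A query and sends it from a chosen local UDP source port, so the same server can be tried from port 53, from another port below 1024 (the case the FW-1 NAT produces) and from a high port such as 1053. The server address, the query name and the port list are arguments you supply; nothing on the page fixes them, and the 1023/1053 defaults are just illustrative. Running it from a host outside the firewall and again from inside shows whether the remote server or the NAT is changing the outcome. Binding a port below 1024 requires root, and port 53 will be busy on a host that runs its own nameserver.

```python
"""Probe whether a nameserver answers DNS queries sent from a given local
UDP source port.  Added diagnostic, not part of BIND, FW-1 or Meta IP.
Server, name and ports are assumptions supplied on the command line."""
import random
import socket
import struct
import sys

PRIVILEGED_MAX = 1023  # ports 0-1023 are the "low" ports the thread talks about


def build_query(name, qid=None):
    """Return a minimal DNS A/IN query (RFC 1035 wire format) for name."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    # id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_source_port(port):
    """Describe how a server applying the policy discussed in the thread is
    likely to treat a query whose source port (after any NAT) is `port`."""
    if port == 53:
        return "port 53: BIND 4 / 'query-source port 53' behaviour, accepted"
    if port <= PRIVILEGED_MAX:
        return "low port other than 53: filtered by some sites, expect timeouts"
    return "high port: unprivileged, normally accepted"


def probe(server, name, source_port, timeout=3.0):
    """Send one query from source_port; return (got_reply, detail)."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", source_port))      # needs root below 1024
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return False, "no reply within %.1fs" % timeout
    except OSError as exc:
        return False, "socket error: %s" % exc
    finally:
        sock.close()
    # Only a reply echoing our transaction id (first two bytes) counts.
    if data[:2] != query[:2]:
        return False, "reply with mismatched transaction id"
    rcode = data[3] & 0x0F
    return True, "reply received, rcode=%d" % rcode


def main(argv):
    if len(argv) < 3:
        print("usage: dnsport.py <server-ip> <name> [source-port ...]")
        return 2
    server, name = argv[1], argv[2]
    ports = [int(p) for p in argv[3:]] or [53, 1023, 1053]  # illustrative defaults
    for port in ports:
        ok, detail = probe(server, name, port)
        print("%5d  %-4s  %s  [%s]" % (port, "ok" if ok else "FAIL",
                                       detail, classify_source_port(port)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A run that succeeds from 53 and 1053 but times out from 1023 against the same server matches the behaviour reported above, and points at the NAT rewriting the source port rather than at the server refusing DNS as such. The BIND-side equivalent of the Meta IP setting is the `query-source` option the reply mentions.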

