Firewall issue (was Re: Non-existent host/domain)

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Tue Mar 13 13:35:50 UTC 2001 

> 
> Hi there,
> Hi Mark,
> 
> ] From: Mark.Andrews at nominum.com
> 
> ] I wrote:
> ] >
> ] > I have a problem to install bind8.2.3-REL on Solaris2.5.1/Intel86
> ] > as an upgrade from bind4.9.6-REL.   Its compilation was successful.
> ] > "/var/adm/messages" says as follows.
> ] >
> ] > 
> -----------------------------------------------------------------------------
> ] > ----
> ] > named[6991]: starting (/etc/named.conf).  named 8.2.3-REL Mon Mar 12
> ] > 11:46:05 JST 2001
> ] >         root at ns.xxxxxx.ne.jp:/usr/local/src/bind8.2.3/src/bin/named
> ] > named[6991]: hint zone "" (IN) loaded (serial 0)
> ] > named[6991]: Zone "0.0.127.in-addr.arpa" (file 0.0.127.in-addr.arpa): No
> ] > default TTL ($TTL <value>) set, using SOA minimum instead
> ]
> ] 	Use a $TTL directive to fix this.  See RFC 2308 and/or
> ] 	http://www.nominum.com/resources/faqs/bind-faq.html
> 
> ] > >www.cdnow.com
> ] > Server:  localhost
> ] > Address:  127.0.0.1
> ] >
> ] > ;; res_mkquery(0, www.cdnow.com, 1, 1)
> ] > timeout (5 secs)
> ] > timeout (10 secs)
> ] > timeout (20 secs)
> ] > timeout (40 secs)
> ]
> ]       BIND 8, behaves like any other dns client and uses a system assigned
> ]       port to make queries.  Please ensure that your firewall allow these
> ]       through and the answers back.  You can also fix the port used for
> ]       UDP queries via query-source.
> 
> All right, I inserted A $TTL line into db files and got a syslog without
> any error in it.   But I still was NOT able to resolve remote names.
> Local names were fine.   Then, I removed a firewall and tried the
> query again.  The result was GOOD!    Named resolved remote names at
> last.
> 
> So, I'd like to know which ports should I open for bind8.2.3-REL ?
> When it was bind4.9.6-REL, I opend port 53 on tcp and udp which worked
> well.  Do I need open other ports too this time?

	The best solution is to use a stateful firewall.
	If you have to use a stateless firewall then whatever port
	you specify in query-source.

	Specifing port 53 using query-source will make BIND 8 behave
	like BIND 4.

	Mark
> 
> Thank you for your suggestions,
> 
> TL
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com

More information about the bind-users mailing list