Firewall/Access-List issues

Kevin Darcy kcd at daimlerchrysler.com
Sat May 19 00:04:44 UTC 2001


Well, dig is just basically a stub resolver, so it'll send queries from an
unprivileged port to port 53 and expect responses from port 53 to the same
unprivileged port. It could use either UDP or TCP.


- Kevin

Robert Gahl wrote:

> I'm running BIND behind CISCO routers at two different sites using
> access-lists to prevent unwarranted ports to pass.
>
> I have accurately written (or so I think) the access-list so that zone
> transfers can occur. And, in fact, zone transfers from one co-lo to the
> other look to work just fine (delete a secondary file, kick bind, zone
> transfer replaces the file). I'm currently running 9.1.1 (about to upgrade
> to 9.1.2).
>
> Here's the dilemma. While the zone transfers work, and the external world
> is having no problem asking me for zone data and getting it, 'dig' is
> causing me no end of grief when I try to do a lookup. The odd part is that
> what is failing is doing a 'dig' from behind one firewall to behind
> another. Doing a dig to the ISP's DNS machine works just fine.
>
> I guess what I'm asking is, what ports does something like dig use,
> outbound and inbound? I scanned the archives and while I found data dealing
> with serving zone information, I didn't find anything dealing with dig.
>
> Thanks.
>
> ===
> Bob Gahl Bicycle (Ryan Vanguard) Mobile ||     @
>      ARPA/Internet: bgahl at bawcsa.org     ||  !_ \
>     URL: http://www.bawcsa.org/bgahl/    ||  (*)-~--+--(*)
> "Sahn joong moe low ful how jee yah ching wong" - "When the
> mountain has no tigers, the monkey will also declare himself
> king." Chinese Proverb
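As an added illustration (not part of either poster's message), this is what a pair of Cisco IOS extended access-lists needs to contain so that dig's traffic, as Kevin describes it, gets through a router in both directions. The list names, the interface and the 192.0.2.0/24 inside network are assumed placeholders.

```cisco
! Assumed placeholders: inside network 192.0.2.0/24, interface Serial0 faces the Internet.
! Outbound: dig sends from an unprivileged port (>1023) to port 53, over UDP or TCP.
ip access-list extended DNS-OUT
 permit udp 192.0.2.0 0.0.0.255 gt 1023 any eq 53
 permit tcp 192.0.2.0 0.0.0.255 gt 1023 any eq 53
!
! Inbound: the answer comes from port 53 back to the same unprivileged port.
! For TCP, "established" admits only segments of a connection opened from inside.
ip access-list extended DNS-IN
 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
 permit tcp any eq 53 192.0.2.0 0.0.0.255 gt 1023 established
!
interface Serial0
 ip access-group DNS-OUT out
 ip access-group DNS-IN in
```

A list that only permits port 53 to port 53 is enough for server-to-server traffic but not for dig's ephemeral source port; the hit counters in `show access-lists` show which entry the dropped packets are failing to match.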
