BIND 8.3.3 as primary NS behind NAT

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 28 23:24:53 UTC 2002


Stefan Thaler wrote:

> Hi everybody!
>
> I'm kind of frustrated...
>
> For days I have been trying to get my BIND behind a Symantec firewall appliance to
> function correctly.
> Lookups from inside my local network work without any problems.
>
> But if I put my DNS server into the TCP/IP config as nameserver on an
> external PC and try to resolve
> any names (i.e. with Internet Explorer or NSLOOKUP), the only thing I get are
> timeouts...
>
> But the strange thing is that on the same external box an Exchange
> server is running... and if
> I send mails over this mail server, the names are resolved correctly ON MY
> NAMESERVER!
> (I can watch this in the syslog files of my DNS server...)
>
> I would highly appreciate your hints and suggestions.
>
> What is my problem? Is it the firewall - port forwarding?
> Is it the BIND config?
>
> If you need any other information about my firewall config or the BIND
> config, please feel
> free to ask for it (via newsgroup or personal mail).

It's conceivable that Exchange uses its own resolver which locks the source
port of its queries to 53. Normal resolvers don't do that, so that might
explain the difference in behavior.

In your firewall rules, you need, for queries, to allow inbound (port 53 or
unreserved range) to port 53, and, for replies to those queries, outbound port
53 to (port 53 or unreserved range). These rules would be in addition to
whatever you may already have in place to allow internal nameservers to
resolve Internet names.


-Kevin
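The rule set Kevin describes can be checked against a small model before touching the real appliance. The following is an added example, not code from the thread or from BIND: a stateless first-match packet-filter model that shows why an over-narrow rule (only port 53 to port 53) lets a resolver that locks its source port to 53 through while an ordinary resolver, which picks a source port from the unreserved range, times out. `NS_IP`, the client addresses and both rule lists are constructed for the example; the TCP entries are my addition (DNS falls back to TCP for truncated answers) and are not mentioned in the original reply.

```python
"""Model of the two firewall rule sets discussed above (constructed example).

A packet is accepted by the first rule that matches its direction, protocol,
source port range and destination port range; anything unmatched is dropped.
"""

from dataclasses import dataclass

NS_IP = "192.0.2.53"            # placeholder: the nameserver's externally reachable address
UNRESERVED = range(1024, 65536)  # source ports a normal stub resolver picks from


@dataclass(frozen=True)
class Packet:
    direction: str   # "in"  = Internet -> nameserver, "out" = nameserver -> Internet
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sports: range
    dports: range
    action: str      # "accept" or "drop"


def ports(lo, hi=None):
    """Inclusive port range helper: ports(53) -> {53}, ports(1024, 65535) -> unreserved."""
    return range(lo, (hi if hi is not None else lo) + 1)


# Over-narrow rule set: only 53 -> 53 in each direction is allowed.  A resolver
# that sends from source port 53 gets through; an ordinary resolver does not.
NARROW_RULES = [
    Rule("in", "udp", ports(53), ports(53), "accept"),
    Rule("out", "udp", ports(53), ports(53), "accept"),
]

# Rule set matching the reply above: queries in from port 53 *or* the unreserved
# range to port 53, and replies out from port 53 back to the same range.
DNS_RULES = [
    Rule("in", proto, ports(53), ports(53), "accept") for proto in ("udp", "tcp")
] + [
    Rule("in", proto, UNRESERVED, ports(53), "accept") for proto in ("udp", "tcp")
] + [
    Rule("out", proto, ports(53), ports(53), "accept") for proto in ("udp", "tcp")
] + [
    Rule("out", proto, ports(53), UNRESERVED, "accept") for proto in ("udp", "tcp")
]


def evaluate(rules, pkt, default="drop"):
    """First-match evaluation; packets matching no rule get the default action."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and pkt.sport in r.sports and pkt.dport in r.dports):
            return r.action
    return default


def query_succeeds(rules, client_ip, client_sport, proto="udp"):
    """Simulate one query/reply pair.  Both directions must be accepted, otherwise
    the client sees exactly what the poster reported: a timeout."""
    query = Packet("in", proto, client_ip, client_sport, NS_IP, 53)
    reply = Packet("out", proto, NS_IP, 53, client_ip, client_sport)
    return evaluate(rules, query) == "accept" and evaluate(rules, reply) == "accept"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed external client address
    for name, rules in (("narrow", NARROW_RULES), ("dns", DNS_RULES)):
        print(f"{name:6s} source port 53   -> {query_succeeds(rules, client, 53)}")
        print(f"{name:6s} source port 33012 -> {query_succeeds(rules, client, 33012)}")
```

The model is deliberately stateless, like the rule description in the reply: the outbound reply rule has to be written explicitly. A stateful firewall that tracks UDP "connections" would allow the reply automatically once the inbound query matched, so on such an appliance only the inbound rule (source 53 or unreserved range, destination 53) needs adding.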


