Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 5 23:58:51 UTC 2002


Armin Safarians wrote:

> All --
> Problem:   CheckPoint firewall blocking dns traffic.
>
>    IT seems like bind generates queries on the same
> high port (source) to port 53 (destination). Every time
> I bounce bind, it start it's queries from a new high
> port (source) to port 53 (destination). This high port
> stays the same until the next bounce.
>
>    When the firewall sees a delay of more than 40
> seconds, it blocks all replies back to this high port.
> When I bounce bind, the new high port will work since
> there is no block.
>
>     I hope this is not too confusing. Please shed some
> light if you get the basic problem here.

The basic problem is that your firewall is misconfigured. It should be allowing inbound replies from port 53 to high ports on your nameserver *without restriction*. Your nameserver will ignore duplicate responses anyway, so the current restrictiveness isn't buying you any additional security...

- Kevin
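The two behaviours this thread turns on, one source port reused for every outbound query until the process is restarted, and duplicate replies being discarded by the resolver, can be seen end to end with a small stand-alone script. The following is an added example and is not code from the thread or from BIND: a client that sends several DNS queries through one UDP socket (so every query leaves from the same high port, as the original poster describes) to a constructed fake upstream server on loopback that deliberately answers each query twice. The client matches replies to outstanding queries by transaction ID and counts the duplicates it drops. The server records the source port of each query it receives. The domain names, the answer address 192.0.2.1 and the fake server are all constructed for the demonstration.

```python
import random
import socket
import struct
import threading


def build_query(txid, name, qtype=1):
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _fake_resolver(srv, expected_queries, replies_each, seen_ports):
    """Constructed stand-in for the upstream server (not a real resolver).
    Answers every query replies_each times with the same A record, so the
    client receives duplicate responses, and records each client source port."""
    srv.settimeout(2.0)
    for _ in range(expected_queries):
        try:
            query, client = srv.recvfrom(512)
        except socket.timeout:
            return
        seen_ports.append(client[1])
        txid = struct.unpack("!H", query[:2])[0]
        # QR, RD, RA set; one answer; echo the question section unchanged
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # answer RR: name pointer to offset 12, type A, class IN, TTL 60, rdlength 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
        reply = header + query[12:] + answer
        for _ in range(replies_each):
            srv.sendto(reply, client)


def run_demo(names, replies_each=2, timeout=0.5):
    """Send one query per name from a single UDP socket and collect replies.
    Returns the client's source port, the ports the server saw, the parsed
    answers, and how many replies were ignored as duplicates."""
    seen_ports = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    server_thread = threading.Thread(
        target=_fake_resolver, args=(srv, len(names), replies_each, seen_ports))
    server_thread.start()

    results, ignored, outstanding = {}, 0, {}
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))          # one socket, hence one source port, for all queries
    src_port = cli.getsockname()[1]
    cli.settimeout(timeout)
    try:
        for txid, name in zip(random.sample(range(65536), len(names)), names):
            query = build_query(txid, name)
            outstanding[txid] = (name, len(query))
            cli.sendto(query, srv.getsockname())
        while True:
            try:
                data, _peer = cli.recvfrom(512)
            except socket.timeout:
                break
            txid = struct.unpack("!H", data[:2])[0]
            if txid not in outstanding:
                ignored += 1                # no matching outstanding query: drop it
                continue
            name, qlen = outstanding.pop(txid)
            rdata_off = qlen + 12           # skip the 12-byte fixed part of the answer RR
            results[name] = socket.inet_ntoa(data[rdata_off:rdata_off + 4])
    finally:
        cli.close()
        server_thread.join(timeout=3.0)
        srv.close()
    return {"source_port": src_port, "server_saw_ports": seen_ports,
            "answers": results, "ignored_replies": ignored}


if __name__ == "__main__":
    print(run_demo(["www.example.com", "mail.example.net"]))
```

Running it shows the server seeing the same client port for every query, one answer per name, and exactly one ignored reply per name: the duplicate arrives after the transaction ID has already been retired. This toy matches on transaction ID only; a real resolver also checks that the reply comes from the address it sent to and that the question section matches, which is stricter still. One caveat beyond the 2002 thread: a fixed, predictable query source port is exactly what later made DNS cache poisoning practical, and BIND 9 has randomized the source port of each outgoing query by default since 2008, so today the firewall must accept replies from port 53 to the whole high-port range rather than to one port.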




More information about the bind-users mailing list