Getting NSLookup to work through firewall on Win2k
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jun 3 21:43:59 UTC 2002
MD wrote:
> Hi All,
>
> I surfed all over usenet and saw similar problems to mine, but their
> answers didn't work.
>
> Everything is fine on my server until I go to the properties section of my
> external nic and turn off "all UDP except port 53".
>
> I was under the impression from the services file, that UDP port 53 was
> what was needed for NSLookup to work.
>
> I tried again and again to open up more ports until I had opened every UDP
> port that was listed in the services file. Even with all these ports open
> and all the TCP/IP and IP ports open, I still get the following message:
>
> C:\>nslookup www.sampledomain.org
>
> DNS request timed out.
> timeout was 2 seconds.
> *** Can't find server name for address 63.203.35.55: Timed out
> DNS request timed out.
> timeout was 2 seconds.
> *** Can't find server name for address 206.13.28.12: Timed out
> Server: localhost
> Address: 127.0.0.1
>
> DNS request timed out.
> timeout was 2 seconds.
> DNS request timed out.
> timeout was 2 seconds.
> *** Request to localhost timed-out
>
> I have BlackICE on the same box and if I block all the UDP ports using
> that, then there's no problem. I think this means that there's either an
> outgoing port problem or I'm not really blocking all the ports with
> BlackICE.
This isn't really a BIND problem.
Regardless, you need to be aware that while the *destination* port for DNS is
53, the *source* port can be anything that's *not* in the reserved range.
Tweak your ACLs accordingly.
And don't forget to open up the corresponding ports/ranges for TCP as well.
DNS queries can use that too.
- Kevin
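The point in the reply above can be checked without a firewall at hand. The following is an added example, not code from the original thread or from BIND: a Python model of a permit-list packet filter (rules match on protocol and destination port only, the way the Windows 2000 TCP/IP filtering dialog does) run over both legs of a DNS exchange. The rule representation, the ephemeral port range and the constructed DNS response headers are assumptions made for the example.

```python
"""Model why "permit only UDP destination port 53" breaks DNS lookups.

Added example (not from the original thread). A stateless permit list
checks each packet on its own, so the reply, which travels from source
port 53 to the resolver's ephemeral port, needs its own permit entry.
"""
from dataclasses import dataclass
import random
import struct

DNS_PORT = 53
# Assumed client port range. Windows 2000 handed out ports from roughly
# 1024-5000; modern stacks use 49152-65535. Either way the reply's
# destination port lies above the reserved (<1024) range.
EPHEMERAL_RANGE = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str       # "udp", "tcp" or "any"
    dst_lo: int      # matched against the packet's *destination* port
    dst_hi: int


def permitted(rules, pkt):
    """Permit-list semantics: a packet passes only if some rule covers
    its protocol and its destination port. Nothing else is permitted."""
    return any(r.proto in ("any", pkt.proto) and r.dst_lo <= pkt.dst_port <= r.dst_hi
               for r in rules)


def dns_exchange(proto, client_port):
    """The two packets of one lookup: query out, reply back."""
    query = Packet(proto, client_port, DNS_PORT)
    reply = Packet(proto, DNS_PORT, client_port)
    return query, reply


def exchange_permitted(rules, proto, client_port):
    """Evaluate both legs; returns (query_passes, reply_passes)."""
    query, reply = dns_exchange(proto, client_port)
    return permitted(rules, query), permitted(rules, reply)


def pick_ephemeral_port(rng=random):
    """Stand-in for the OS choosing the resolver's source port."""
    return rng.randint(*EPHEMERAL_RANGE)


def truncated(dns_response):
    """True when the TC bit is set in the DNS header, i.e. the answer did
    not fit in the UDP message and the client will retry over TCP."""
    if len(dns_response) < 12:
        raise ValueError("short DNS header")
    _ident, flags = struct.unpack("!HH", dns_response[:4])
    return bool(flags & 0x0200)


def lookup_succeeds(rules, client_port, udp_response):
    """A stub resolver's view: UDP query and reply must both pass, and if
    the reply is truncated the TCP retry must pass in both directions."""
    q_ok, r_ok = exchange_permitted(rules, "udp", client_port)
    if not (q_ok and r_ok):
        return False
    if truncated(udp_response):
        q_ok, r_ok = exchange_permitted(rules, "tcp", client_port)
        return q_ok and r_ok
    return True


# The poster's filter, "all UDP except port 53": permit UDP to 53 only.
NAIVE_RULES = [Rule("udp", DNS_PORT, DNS_PORT)]

# What the reply calls for: destination 53 on both transports, plus the
# ephemeral range so replies addressed to the resolver's source port pass.
CORRECTED_RULES = [
    Rule("udp", DNS_PORT, DNS_PORT),
    Rule("tcp", DNS_PORT, DNS_PORT),
    Rule("udp", *EPHEMERAL_RANGE),
    Rule("tcp", *EPHEMERAL_RANGE),
]

# Constructed DNS headers (12 bytes, no records): QR|RD|RA set; the second
# also sets TC (0x0200), the signal that forces a TCP retry.
SMALL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
BIG_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    port = pick_ephemeral_port()
    for name, rules in (("naive", NAIVE_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{name:9s} UDP query/reply: {exchange_permitted(rules, 'udp', port)}"
              f"  small answer: {lookup_succeeds(rules, port, SMALL_REPLY)}"
              f"  truncated answer: {lookup_succeeds(rules, port, BIG_REPLY)}")
```

Running it shows the naive rule set passing the query but dropping the reply, which is exactly the "DNS request timed out" pattern in the original post, while the corrected set passes both legs; dropping the two TCP rules makes only the truncated case fail, which is the TCP caveat from the reply.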