query source, your thoughts

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 8 20:06:12 UTC 2003


Storm wrote:

> I have set up my caching name server with query source as port 53
>
> query-source address * port 53;
>
> As I surf the internet I notice that certain addresses will not resolve.
>
> This is due to misconfigured firewalls, at the auth-name servers, dropping
> queries from port numbers less than 1024.
>
> Am I breaking any RFCs by putting in the above line, or is the problem with
> the firewalls?

Are you sure it's their firewalls that are misconfigured? People have used port
53 as the source port for DNS queries for a long time. In fact, earlier
versions of BIND did this unconfigurably. In a cursory search, I couldn't find
anything in the RFCs to forbid using source port 53, nor anything in the RFCs
to require that nameservers accept that source port. But it's had such a long
history I find it hard to believe these sites wouldn't have gotten a ton of
complaints about their firewall rules...


- Kevin
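For contrast, a named.conf fragment added here as an example (it is not from the thread or from the BIND documentation; the `options` block, the comments and the `dig -b` invocation are the editor's illustration) showing the pinned-port line Storm used next to BIND 9's default, which lets the operating system choose an unprivileged ephemeral source port for each outgoing query:

```conf
options {
    // The setting from the thread: every outgoing query leaves from UDP
    // source port 53. Remote firewalls that drop DNS traffic with a source
    // port below 1024 will silently discard these queries, and the resolver
    // also uses one fixed, predictable source port for all of its lookups.
    //
    // query-source address * port 53;

    // BIND 9 default, written out explicitly: any local address, and an
    // ephemeral (unprivileged) source port picked per query.
    query-source address * port *;

    // To reproduce the symptom seen in the thread from a host that is not
    // already listening on port 53 (needs root to bind a port below 1024):
    //   dig -b 0.0.0.0#53 @<authoritative server> <name>
    // If that times out while a plain `dig @<authoritative server> <name>`
    // succeeds, the remote side is filtering on the low source port.
};
```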



