query problem ?? - B root Server

rene mathis rene at solosaina.ch
Tue Feb 22 15:46:00 UTC 2005


I also tried forcing the source port for queries to be 53.
The reason is that when there were responses from b.root-servers.net, they came
to a high port (the same as the source port) and from a different IP address
(192.228.79.200/2/3) than the one the query was sent to (192.228.79.201). And so the
answer from the root server was dropped by our firewall. Since I changed
the source port to 53, the response comes back to port 53 as well and it
gets through our firewall.

Maybe there are better solutions for this problem?


On Tue, 22 Feb 2005 15:02:35 +0000, Ketil Froyn wrote
> On Tue, 2005-02-22 at 08:42 +0545, raj kumar gurung wrote:
> 
> > When I dig some domain, it doesn't get the answer because of
> > "query-source address * port 53;" in my named.conf file.
> > But when I comment it out, I could get the response... what may be the
> > reason?
> 
> A lot of sites block queries from source port 53 in their firewall. 
> It is common to only allow queries from ports >= 1024.
> 
> Anyway, you shouldn't force source port 53, because you will be left
> very vulnerable to DNS forgery. I don't know what problem you're trying
> to solve by forcing source port 53, but there's surely a better way.
> 
> More info on DNS forgery:
> 
>   http://cr.yp.to/djbdns/forgery.html
> 
> Ketil Froyn
> ketil at froyn.name
> http://ketil.froyn.name/


--
Rene Mathis
rene at solosaina.ch
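As an added illustration, not code from anyone in this thread, here is a small Python model of the two situations discussed above: why a stateful firewall drops the b.root reply that arrives from 192.228.79.200 when the query went to 192.228.79.201, why forcing `query-source address * port 53` makes it pass a static udp/53 rule instead, and how much guessing entropy a fixed source port takes away from the resolver. The resolver address 192.0.2.53, the port 40123 and the 1024-65535 port range are constructed assumptions.

```python
import math

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
EPHEMERAL = range(1024, 65536)  # assumed high source ports a resolver can choose from

# Constructed packets modelling the exchange in the thread: the query goes to
# b.root-servers.net at 192.228.79.201, the reply comes back from 192.228.79.200.
# 192.0.2.53 is a documentation address standing in for the resolver.
QUERY = {"src_ip": "192.0.2.53", "src_port": 40123,
         "dst_ip": "192.228.79.201", "dst_port": 53}
REPLY = {"src_ip": "192.228.79.200", "src_port": 53,
         "dst_ip": "192.0.2.53", "dst_port": 40123}


def stateful_allows(query, reply):
    """A stateful firewall admits a UDP reply only if it mirrors the query's
    address/port 4-tuple; a reply from a different source IP is dropped."""
    return (reply["src_ip"], reply["src_port"], reply["dst_ip"], reply["dst_port"]) == (
        query["dst_ip"], query["dst_port"], query["src_ip"], query["src_port"])


def static_allows(reply):
    """A stateless 'allow inbound udp/53 to the name server' rule: it keeps no
    memory of the outgoing query, so the reply's source address is never checked."""
    return reply["dst_port"] == 53


def force_source_port(query, reply, port=53):
    """Rewrite the exchange as if named ran with 'query-source address * port N'."""
    return ({**query, "src_port": port}, {**reply, "dst_port": port})


def guess_bits(port_fixed):
    """Bits an off-path forger must match blindly: only the txid when the
    source port is fixed, txid plus port when the resolver picks high ports."""
    ports = 1 if port_fixed else len(EPHEMERAL)
    return math.log2(TXID_SPACE * ports)


if __name__ == "__main__":
    q53, r53 = force_source_port(QUERY, REPLY)
    print("stateful, random port:", stateful_allows(QUERY, REPLY))  # False: .200 != .201
    print("static udp/53, port 53:", static_allows(r53))            # True
    print("guess bits fixed / random: %.1f / %.1f" % (guess_bits(True), guess_bits(False)))
```

The model shows the trade-off in the thread: the fixed port only "fixes" the drop because a stateless rule replaces the stateful check, and in exchange the resolver's source port is known to everyone.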


