bind 8.1.2 does not work with my fw1 firewall

Ted_Rule at flextech.co.uk Ted_Rule at flextech.co.uk
Sat Jul 24 17:10:45 UTC 1999



One of the first things to check is probably any port based DNS filtering on the
firewall ... Bind 4 sourced queries from UDP port 53 - which made it somewhat
distinguishable from a.n.other clients which source from port >1023.

The default on bind 8 is now to source from a random port number - which may be
being blocked by FW1?

There's a global option in named.conf called query-source, which can be modified
from the implicit default of:

        query-source address * port *;

to:

        query-source address * port 53;

This may solve the problem, but even if it does, you would do well to review the
whole firewall DNS config in the light of this - it should be possible to run in
just as secure a manner without forcing the source port to 53.

Ted Rule,
Flextech Television






Frank C Hui at PNU
24/07/99 17:55

Please respond to Frank.C.Hui at ap.pnu.com

To:   bind-users at isc.org
cc:

Subject:  bind 8.1.2 does not work with my fw1 firewall

Hi,
      I tried to upgrade my current Solaris 2.4 running Bind 4.9.1 to Solaris
2.6 running Bind 8.1.2 today.  This is our external DNS residing in the DMZ.  My
external queries did not appear to go out of our firewall which is running Check
Point's FW1.  When we stopped running the firewall policy, everything appeared
just fine.  External queries stopped working when the firewall policy was
reinstalled even allowing everything to go through our new DNS server.

I have backed out of this bind upgrade by reinstalling the old machine (Bind
4.9.1) and everything is back to normal.

Question: What stops bind8 from working with our firewall?

Thank you.

Frank Hui
Pharmacia & Upjohn
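A small audit helper for the query-source question raised in the reply above, added here as an example and not code from either poster: it reads the options block of a named.conf (a constructed sample, not the original server's file), reports whether outbound queries will leave from a random port or a pinned one, and so tells you which firewall rule you actually need to review.

```python
import re

# Constructed sample named.conf fragment (not from the thread), with
# query-source pinned to port 53 as the reply suggests trying.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    /* pin the source port so a port-53-only firewall rule matches */
    query-source address * port 53;
};
"""

# Matches the BIND 8 directive; both address and port clauses are optional.
QUERY_SOURCE_RE = re.compile(
    r"query-source\s+(?:address\s+(?P<addr>\S+))?\s*(?:port\s+(?P<port>\S+))?\s*;",
    re.IGNORECASE,
)


def strip_comments(text):
    """Drop the three named.conf comment styles: /* ... */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def query_source(conf):
    """Return (address, port) as configured; ('*', '*') is the implicit
    BIND 8 default when the directive is absent or a clause is omitted."""
    m = QUERY_SOURCE_RE.search(strip_comments(conf))
    if not m:
        return ("*", "*")
    return (m.group("addr") or "*", m.group("port") or "*")


def audit(conf):
    """Say which outbound rule the firewall must allow for this config."""
    addr, port = query_source(conf)
    if port == "*":
        return "random source port: firewall must allow UDP >1023 -> 53 outbound"
    return (f"fixed source port {port} (address {addr}): a port filter will pass "
            "it, but review whether pinning the port is really needed")


if __name__ == "__main__":
    print(audit(SAMPLE_NAMED_CONF))
```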






