port address translation

Mark_Andrews at iengines.com
Mon Nov 29 12:16:48 UTC 1999


	While he has got the port number wrong (it should be 53
	for DNS) what he is saying about IP filtering rules is
	correct.

	If you advertise a nameserver to the world you are expected
	to accept DNS queries from ANY port (both TCP and UDP) not
	just port 53.

	Mark

> I got this from the admin at another site that can't see my site. When
> one of their users tries to get to my site (mail, www, ftp), it's like
> it is completely down. Their traceroutes to us go nowhere, and we see
> no packets coming in from them. No one else has this problem getting to
> my site. I run BIND 4 on Solaris. I run dns on 53 and smtp on 25.
> 
> What RFCs is this guy talking about? I looked through them, and nothing
> seemed to apply.
> 
> > The problem is that we do PAT on our firewall and when you request a dns
> > resolution to zzz.com it sends the request out with a src port of
> > anywhere between 5000-65000. Standard DNS requests are normally src'ed with
> > port 25. It is apparent that zzz.com considers dns requests src'ed with
> > anything but port 25 a security risk. This is the same issue that we had
> > with apple.com, worldcom.com...at that time it was
> > considered an issue with the vendors and if they chose not to comply with
> > RFCs that govern PAT protocol it would be their choice.
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
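As an added example that is not part of this thread, here is a small Python model of the two filter policies under discussion: the mistaken one that only admits DNS packets whose source port is 53, and the one Mark describes, which accepts queries to port 53 over both UDP and TCP from any source port. The Rule and Packet classes, the rule lists and the sample packets (including one from behind a PAT device with an ephemeral source port) are constructed here for illustration.

```python
# Added example: a first-match packet-filter model (ipchains/ipfilter style)
# showing why an inbound DNS rule must not key on the client's source port.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    src_port: Optional[int] = None   # None matches any source port
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def filter_verdict(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched gets the default verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Mistaken policy (constructed): DNS is admitted only when the *source* port is 53.
STRICT_RULES = [
    Rule("accept", "udp", src_port=53, dst_port=53),
    Rule("accept", "tcp", src_port=53, dst_port=53),
]

# Correct policy (constructed): anyone may query port 53 over UDP or TCP,
# whatever source port their resolver or PAT device happened to pick.
OPEN_DNS_RULES = [
    Rule("accept", "udp", dst_port=53),
    Rule("accept", "tcp", dst_port=53),
]

def compare_policies(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under the strict policy, verdict under the correct policy)."""
    return filter_verdict(STRICT_RULES, pkt), filter_verdict(OPEN_DNS_RULES, pkt)

if __name__ == "__main__":
    # Constructed samples: a PAT'd query from an ephemeral port, a legacy
    # resolver querying from port 53, and a TCP query from an ephemeral port.
    for pkt in (Packet("udp", 40123, 53), Packet("udp", 53, 53), Packet("tcp", 51000, 53)):
        print(pkt, "-> strict: %s, correct: %s" % compare_policies(pkt))
```

The PAT'd UDP query and the TCP query are dropped by the strict rules but accepted by the correct ones, which is exactly the "site looks completely down" symptom the original poster reports.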