Private Public DNS question

vladimirs at metaip.checkpoint.com
Wed Mar 22 23:15:39 UTC 2000


Certain commercial sites (apple.com and wcom.com) do not like replying to
low port # DNS queries.  The symptom is that most external DNS queries work
except for these sites.  The issue is caused by FW-1 NATing the DNS query
(which defaults from port 53) to a low port address.  Apple and WorldCom DNS
servers do not like this and the queries time out.  

The problem can be resolved by setting DNS' "Query Source Address" from the
default port of 53 to a high port, like 1053.  This setting is located under
DNS properties, Configuration (I am using Meta IP product from Checkpoint
Software Technologies). When the query hits the FW-1, it gets NATed to a
higher port address.  This works wonderfully with apple, wcom and everyone
else.

Vladimir Sokol
Technical Consultant
Check Point Software Technologies


-----Original Message-----
From: Jared Johnson [mailto:jared.johnson at tecstar.com]
Sent: Wednesday, March 22, 2000 3:24 PM
To: sar1960 at mindspring.com
Cc: BIND Client
Subject: Re: Private Public DNS question


I posted the same problem, as well as a couple other people and a correct
answer hasn't been found to my knowledge.  It's just some sites (mine being
secure servers like www.pcbanking.washingtonmutual.com/logon/ and
schwab.com's login as well).  My solution was to put a forwarders { };
statement in the named.conf to the NS in the DMZ or at the ISP to handle
these few exceptions, but an answer would be nice.

I've checked the Firewall config (Checkpoint's FW1 patch5) and opened up
full access (temporarily) to the internal NS and it still didn't work.  And
yes, I have checked the DNS tcp and udp allow in both the preferences and
the security tabs:) and nothing gets logged either inbound or outbound.  I'm
building another server and going to try static NAT vs. hide NAT to see if
this is the problem.  Any other suggestions welcomed.

TECSTAR Inc.,  Applied Solar Division
Information Technology Support Center
Jared H. Johnson, IS Engineer
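The two workarounds in this thread, the high query-source port from Vladimir's reply and the forwarders statement from Jared's message, both map onto BIND's named.conf. The fragment below is an added example written for this page, not configuration posted by either author; the directory, domain name and forwarder address are placeholders, and the zone-level `type forward` stanza is one way of forwarding only the exceptions while resolving everything else directly.

```conf
// Added example (not from the thread): BIND 8/9 named.conf fragment
// showing the two workarounds discussed above. The address is a
// placeholder from the RFC 5737 documentation range, not a real server.
options {
    directory "/var/named";   // placeholder path

    // Pin the source port of outbound recursive queries to a high port
    // (the "Query Source Address" change in Vladimir's reply). Behind a
    // hide-NAT firewall a query that leaves from port 53 may be rewritten
    // to a low port that some remote servers refuse; a high source port
    // survives the translation.
    // Caveat: a fixed port turns off the source-port randomisation that
    // current BIND releases use against cache poisoning, so prefer a
    // firewall rule that preserves high ports where the platform allows it.
    query-source address * port 1053;
};

// Forward only the problem domains to a resolver in the DMZ or at the
// ISP (Jared's workaround); all other names are still resolved directly.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

After editing, reload the server (`ndc reload` on BIND 8, `rndc reload` on BIND 9) and confirm with the firewall log that outbound queries now leave from the high port both before and after translation; if the translated port is still below 1024, the NAT rule itself needs adjusting rather than the resolver.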