Private Public DNS question

vladimirs at vladimirs at
Wed Mar 22 23:15:39 UTC 2000

Certain commercial sites ( and do not like replying to
low port # DNS queries.  The symptom is that most external DNS queries work
except for these sites.  The issue is caused by FW-1 NATing the DNS query
(which defaults from port 53) to a low port address.  Apple and WorldCom DNS
servers do not like this and the queries time out.  

The problem can be resolved by setting DNS' "Query Source Address" from the
default port of 53 to a high port, like 1053.  This setting is located under
DNS properties, Configuration (I am using Meta IP product from Checkpoint
Software Technologies). When the query hits the FW-1, it gets NATed to a
higher port address.  This works wonderfully with apple, wcom and everyone

Vladimir Sokol
Technical Consultant
Check Point Software Technologies

-----Original Message-----
From: Jared Johnson [mailto:jared.johnson at]
Sent: Wednesday, March 22, 2000 3:24 PM
To: sar1960 at
Cc: BIND Client
Subject: Re: Private Public DNS question

I posted the same problem, as well as a couple other people and a correct
answer hasn't been found to my knowledge.  It's just some sites (mine being
secure servers like and's login as well).  My solution was to put a forwarders { };
statement in the named.conf to the NS in the DMZ or at the ISP to handle
these few exceptions, but an answer would be nice.

I've checked the Firewall config (Checkpoint's FW1 patch5) and opened up
full access (temporarily) to the internal NS and it still didn't work.  And
yes, I have checked the DNS tcp and udp allow in both the preferences and
the security tabs:) and nothing gets logged either inbound or outbound.  I'm
building another server and going to try static NAT vs. hide NAT to see if
this is the problem.  Any other suggestions welcomed.

TECSTAR Inc.,  Applied Solar Division
Information Technology Support Center
Jared H. Johnson, IS Engineer
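
The two workarounds discussed in this thread, Vladimir's change of the query source port and Jared's forwarders statement for the few problem domains, expressed as a BIND named.conf fragment. This is an added example, not configuration posted by either author or shipped with Meta IP or FW-1; the zone name and the 192.0.2.53 address are placeholders.

```conf
// Added example (not from the thread): BIND named.conf fragments for the two
// workarounds discussed above. The address is an RFC 5737 documentation value
// used here as a placeholder, not either poster's real server.

options {
    directory "/var/named";

    // Vladimir's fix, BIND style: move outbound queries off source port 53 so
    // the hide-NAT firewall has a high port to translate. A fixed port such as
    // "port 1053" reproduces his Meta IP setting; "port *" lets BIND pick a
    // random unprivileged port per query, which is the default in current
    // BIND 9 and the form to prefer, because a single fixed source port
    // removes the entropy that makes cache-poisoning guesses expensive.
    query-source address * port *;
};

// Jared's workaround: forward only the problem domains to a resolver that
// sits outside the hide-NAT (the DMZ server or the ISP's), and keep resolving
// everything else directly.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder: DMZ or ISP resolver
};
```

To confirm the change took effect, watch the firewall's external interface with `tcpdump -n udp port 53` while the resolver queries one of the affected domains: the translated source port should be in the high range, and the reply should come back to that same port. The firewall rule base only needs to allow the resolver's outbound UDP/TCP 53 and the return traffic for those translated ports; nothing needs to be opened inbound to port 53 for this to work.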
