Private Public DNS question

Jared Johnson jared.johnson at
Thu Mar 23 00:35:32 UTC 2000

Actually, I've found this to be true on Checkpoint's website (after knowing
what to look for).  It seems the NAT for port 53 will be given an open low
port (<1024) which isn't being liked by other nameservers. is
another site that I've the same problem with.  Thanks for the answer.  I've
also called Checkpoint support and verified they have verified this to be
true.  They gave the same solution.

> In article <B5C5D2CDB8BCD2118E4800A0C9D8E4C7B2A9DA at>,
>  <vladimirs at> wrote:
> >Certain commercial sites ( and do not like replying to
> >low port # DNS queries.  The symptom is that most external DNS queries
> >except for these sites.  The issue is caused by FW-1 NATing the DNS query
> >(which defaults from port 53) to a low port address.  Apple and WorldCom
> >servers do not like this and the queries time out.
> >
> >The problem can be resolved by setting DNS' "Query Source Address" from
> >default port of 53 to a high port, like 1053.  This setting is located in
> >DNS properties, Configuration (I am using Meta IP product from Checkpoint
> >Software Technologies). When the query hits the FW-1, it gets NATed to a
> >higher port address.  This works wonderfully with apple, wcom and
> >else.

They are not blocking 53, but they are blocking the other low ports for
security purposes.  (And as stated the NAT is trying to use the other low

> This seems very strange.  The purpose of "query-source port 53" is to make
> BIND 8 act like BIND 4 did.  If what you're saying is true, sites that are
> still using BIND 4 nameservers (if not the majority, certainly a large
> number) would not be able to look up names in those domains.  I think this
> is extremely unlikely, especially for a high-visibility site like
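The setting the thread is discussing, written out as a BIND 8/9 `named.conf` options block. This is an added example, not text from the message above and not the poster's Meta IP configuration; the port value 1053 comes from the thread, while the `directory` path, the `address *` wildcard and the `port *` alternative are assumptions on my part.

```conf
// Added example (not from the original post): the query-source setting
// discussed in the thread.  Only one "options" block is allowed in
// named.conf, so the alternatives are shown commented out.
options {
    directory "/var/named";           // assumed path, not from the thread

    // What the sites in the thread reject: every outbound query leaves
    // from a fixed privileged port.  This is BIND 4 behaviour, and the
    // explicit "port 53" form makes BIND 8 do the same.
    // query-source address * port 53;

    // The fix the posters settled on: a fixed unprivileged source port,
    // so the firewall's NAT no longer has to map it onto another low port.
    query-source address * port 1053;

    // Alternative (assumption, not from the thread): "port *" lets the
    // kernel pick an ephemeral port for each query, which is also what
    // happens when the query-source line is omitted entirely.
    // query-source address * port *;
};
```

On BIND 9, `named-checkconf` will validate the edited file before a reload. One caveat a practitioner would weigh: a fixed source port, whether 53 or 1053, is predictable to anyone watching the resolver's traffic, so where the firewall allows it the `port *` form (or simply omitting `query-source`) is the more conservative choice, since the source port then varies per query.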

More information about the bind-users mailing list