Private Public DNS question

Barry Margolin barmar at
Thu Mar 23 00:44:21 UTC 2000

   From: "Jared Johnson" <jared.johnson at>
   Date: Wed, 22 Mar 2000 16:35:32 -0800

   They are not blocking 53, but they are blocking the other low ports for
   security purposes.  (And as stated the NAT is trying to use the other low

OK, I've seen *that* before.  I was helping a customer a few months ago,
and they had just recently upgraded their Checkpoint firewall; they could
do nslookup when they pointed to our caching nameserver, but not when they
tried to go through their own server behind the the firewall.  I figured
out what was happening when I turned on "debug ip packet" on the Internet
router and saw packets to port 53 from random low ports.  I figured out
that Checkpoint's port translation maps high ports to high ports and low
ports to low ports (presumably to solve problems with protocols like rlogin
and lpd).

I think the customer contacted Checkpoint and found a way to disable this
feature.  I don't know the specifics, because once we determined that it
was a problem with the firewall and not our Internet connection, we were
out of the loop.

Barry Margolin, barmar at
GTE Internetworking, Powered by BBN, Burlington, MA

More information about the bind-users mailing list