Private Public DNS question
Barry Margolin
barmar at bbnplanet.com
Thu Mar 23 00:44:21 UTC 2000
From: "Jared Johnson" <jared.johnson at tecstar.com>
Date: Wed, 22 Mar 2000 16:35:32 -0800
They are not blocking 53, but they are blocking the other low ports for
security purposes. (And as stated the NAT is trying to use the other low
ports)
OK, I've seen *that* before. I was helping a customer a few months ago,
and they had just recently upgraded their Checkpoint firewall; they could
do nslookup when they pointed to our caching nameserver, but not when they
tried to go through their own server behind the the firewall. I figured
out what was happening when I turned on "debug ip packet" on the Internet
router and saw packets to port 53 from random low ports. I figured out
that Checkpoint's port translation maps high ports to high ports and low
ports to low ports (presumably to solve problems with protocols like rlogin
and lpd).
I think the customer contacted Checkpoint and found a way to disable this
feature. I don't know the specifics, because once we determined that it
was a problem with the firewall and not our Internet connection, we were
out of the loop.
--
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
More information about the bind-users
mailing list