Private Public DNS question

Marc Lampo Marc_Lampo at
Thu Mar 23 07:23:43 UTC 2000


Any chance your firewall is FW-1 and the internal DNS server's IP address falls
in a range that is "hidden" by NAT (as opposed to statically translated)?

The thing is that when hiding NAT is employed, and the source port number is
<1024, the firewall changes the port into something between 6xx and 1024.
Apparently some name servers refuse to answer if the querying port is
privileged but not == 53.
So:
- can you instruct the internal DNS server to query from a non-privileged port
(option query-port in Bind8, but I guess the internal NS is not Bind8 since the
non-privileged port is default)?
- can you do static nat for the internal DNS server ?
- (as suggested in the other answer) let the internal DNS server forward to the
one in the DMZ.

(I'd prefer using Bind8, rather than using static NAT for this purpose.  The
forwarders solution brings in new points of failure)

This being said: I am not aware how to instruct a name server to refuse queries
from a privileged port != 53 (another Bind8 option?)


Marc Lampo

sar1960 at wrote:

> I currently have an internal DNS server that supports internal queries.
> This DNS server has the Internet root servers defined in the root.cache
> file, so internal queries destined for the Internet will be resolved.  I
> have a DNS server on a DMZ(public) network that resolves queries coming from
> the Internet. The problem I have encountered is there are some names on the
> Internet that I do not get resolution using my internal DNS server but will
> resolve using the DNS server on my DMZ.  With a sniffer on the DMZ I see the
> DNS request leaving my internal network bound for the name server that is
> authoritative for the request but I get no response.  If the query comes from
> the DNS server on the DMZ it resolves. Any explanation would be a great
> help.
> --
> Steve Redmond
> steve.redmond at
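A check a defender could run over the sniffer output Steve describes, to confirm or rule out the hiding-NAT explanation Marc gives above. This is an added example and not code from the thread or from BIND: it parses constructed tcpdump-style lines (the addresses, ports, query IDs and names are made up, and the line shape `ts IP src.port > dst.port: id+ A? name.` is an assumption of the example), pairs replies with queries by ID, source address and source port, and flags queries that left from a privileged source port other than 53 and never got a reply. The 1024 boundary for "privileged" is the usual Unix convention and is likewise assumed here.

```python
import re

# Constructed sample capture (not from the thread): tcpdump-like lines as a sniffer
# in the DMZ might show them. Addresses, ports, IDs and names are made up.
# Line 1: a query whose source port a hiding NAT rewrote into the 6xx range; no reply.
# Lines 2-3: the DMZ server querying from an unprivileged port and getting a reply.
# Lines 4-5: a query sent from port 53, also answered.
SAMPLE_CAPTURE = """\
07:23:43.100001 IP 192.0.2.10.612 > 198.51.100.53.53: 4321+ A? www.example.net. (33)
07:23:43.200002 IP 192.0.2.20.1045 > 198.51.100.53.53: 4322+ A? www.example.net. (33)
07:23:43.210003 IP 198.51.100.53.53 > 192.0.2.20.1045: 4322 1/0/0 A 203.0.113.7 (49)
07:23:48.100004 IP 192.0.2.10.53 > 198.51.100.53.53: 4323+ A? www.example.org. (33)
07:23:48.110005 IP 198.51.100.53.53 > 192.0.2.10.53: 4323 1/0/0 A 203.0.113.8 (49)
"""

# Header of a tcpdump-style DNS line; the assumed shape is
# 'HH:MM:SS.ffffff IP src.sport > dst.dport: id[+] ...' ('+' marks a query)
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<query>\+)?"
)
NAME_RE = re.compile(r" A\? (?P<name>\S+)")

PRIVILEGED_LIMIT = 1024  # ports below this are "privileged" on Unix-like systems (assumed)


def classify_source_port(port):
    """Bucket a query's source port by how a strict remote name server may treat it."""
    if port == 53:
        return "port-53"
    if port < PRIVILEGED_LIMIT:
        # The pattern a hiding NAT produces when it rewrites a low source port
        return "privileged-not-53"
    return "unprivileged"


def audit(capture):
    """Parse queries and replies, pairing each reply with its query by (id, ip, port)."""
    queries = {}
    for line in capture.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a DNS line in the shape we understand; skip it
        if m["query"]:
            key = (m["id"], m["src"], int(m["sport"]))
            name = NAME_RE.search(line)
            queries[key] = {
                "ts": m["ts"],
                "src": m["src"],
                "sport": int(m["sport"]),
                "dst": m["dst"],
                "name": name["name"] if name else None,
                "category": classify_source_port(int(m["sport"])),
                "answered": False,
            }
        else:
            # A reply goes back to the query's source address and port with the same ID
            key = (m["id"], m["dst"], int(m["dport"]))
            if key in queries:
                queries[key]["answered"] = True
    return list(queries.values())


def suspect_queries(capture):
    """Unanswered queries sent from a privileged port other than 53: the symptom
    described in the thread."""
    return [q for q in audit(capture)
            if not q["answered"] and q["category"] == "privileged-not-53"]


if __name__ == "__main__":
    for q in suspect_queries(SAMPLE_CAPTURE):
        print(f"{q['ts']} {q['src']}:{q['sport']} -> {q['dst']} {q['name']}: "
              f"no reply, source port is privileged but not 53")
```

If every flagged query comes from the internal server's translated address while the same names resolve from the DMZ server, the NAT port rewrite is the likely cause. The BIND directive that controls the source port (in both BIND 8 and BIND 9) is `query-source address * port NNN;` in the `options` block; the default of a random unprivileged port is also what current resolver hardening guidance prefers, so fixing the port to 53 should be a last resort next to static NAT or forwarding.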
