udp packets and firewalls

Jim Reid jim at rfc1035.com
Wed May 31 08:30:10 UTC 2000


>>>>> "Wayne" == Wayne Vigeant <wvigeant at ma.ultranet.com> writes:

    Wayne> I'm currently working with a customer who has a single
    Wayne> Internet access point. The customer's firewall allows dns
    Wayne> queries from the Internet to pass through to an internal
    Wayne> nameserver.  The customer wants to add a second Internet
    Wayne> access point and allow dns queries to pass through both of
    Wayne> the Internet access points.

    Wayne> Does the nameserver making the query care if the reply
    Wayne> follows the same path as the query? It would appear not to
    Wayne> matter but I just want to be sure bind doesn't care.

Unless some application switches on the IP-level record route option
there's no way of knowing which paths packets have taken other than
for the trivial cases. And even that option is limited to a maximum
hop count of 9. [pp 252-254 of TCP/IP Illustrated, V2.] The name
server doesn't set or use this option. AFAIK, ping is the only program
which uses this.
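To make the hop-count limit concrete: the IPv4 Record Route option (type 7) lives in the header's option space, which is at most 40 bytes, and the option itself spends 3 bytes on type, length and pointer, so it can hold at most (40 - 3) // 4 = 9 addresses. The parser below, added here as an example and not part of the thread, extracts whatever route a packet's RR option has recorded and builds constructed sample headers to exercise it; all addresses used are documentation/private ranges chosen for the example.

```python
import struct
import ipaddress

IPOPT_EOL = 0   # end of option list
IPOPT_NOP = 1   # single-byte padding
IPOPT_RR = 7    # record route
MAX_RR_HOPS = (40 - 3) // 4  # 9: option space is 40 bytes, RR header is 3


def parse_record_route(ip_header: bytes) -> list[str]:
    """Return the router addresses recorded in an IPv4 header's RR option.

    Returns an empty list when the header carries no RR option. Only the
    slots before the option's pointer are filled in, so only those are
    decoded; unused slots at the end are ignored.
    """
    version_ihl = ip_header[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(ip_header) < ihl:
        raise ValueError("truncated or malformed header")
    options = ip_header[20:ihl]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without a length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == IPOPT_RR:
            pointer = options[i + 2]  # 1-based offset of the next free slot
            if (length - 3) % 4 or pointer < 4 or pointer - 1 > length or (pointer - 4) % 4:
                raise ValueError("malformed record route option")
            filled = options[i + 3:i + pointer - 1]
            return [str(ipaddress.IPv4Address(filled[j:j + 4]))
                    for j in range(0, len(filled), 4)]
        i += length
    return []


def build_header_with_rr(slots: int, recorded: list[str]) -> bytes:
    """Construct a sample IPv4/UDP header carrying an RR option (test data only)."""
    if slots > MAX_RR_HOPS:
        raise ValueError(f"RR option can hold at most {MAX_RR_HOPS} addresses")
    if len(recorded) > slots:
        raise ValueError("more recorded addresses than slots")
    opt = bytes([IPOPT_RR, 3 + 4 * slots, 4 + 4 * len(recorded)])
    opt += b"".join(ipaddress.IPv4Address(a).packed for a in recorded)
    opt += b"\x00" * (4 * (slots - len(recorded)))
    opt += b"\x00" * ((-len(opt)) % 4)  # EOL padding to a 32-bit boundary
    ihl = (20 + len(opt)) // 4
    # Constructed addresses: a client in 192.0.2.0/24 querying a server on UDP/53.
    header = struct.pack("!BBHHHBBH4s4s",
                         0x40 | ihl, 0, 20 + len(opt), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address("192.0.2.1").packed,
                         ipaddress.IPv4Address("198.51.100.53").packed)
    return header + opt


if __name__ == "__main__":
    sample = build_header_with_rr(MAX_RR_HOPS, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    print(parse_record_route(sample))
```

The pointer check matters: a host that receives an RR option with the pointer beyond the option length or misaligned should treat it as malformed rather than read past the option. Note that the nameserver itself never sets this option, so in practice the recorded route is only available to tools such as ping that ask for it.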



More information about the bind-users mailing list