UDP > 1024 (was: not getting it... through the firewall)

Jim Reid jim at rfc1035.com
Fri Feb 16 13:52:52 UTC 2001


>>>>> "Stefan" == Stefan Niederhauser <sn at atelier-w.ch> writes:

    Stefan> on the firewall "source udp 53 -> dest udp 53" is
    Stefan> forwarded to my server, but my isp says, it's not possible
    Stefan> to map something like "source udp 53 dest udp any" or
    Stefan> "source udp 53 dest udp > 1024", which I think would be
    Stefan> correct (?).

    Stefan> any remedies in sight?

Find an ISP that has a clue or get a better firewall. You have no
control over what source port number(s) the rest of the world will use
to query your name servers. There's nothing in the DNS protocol which
requires these to come from a particular port. Your firewall has to
let in (or NAT) UDP queries to port 53 on your server from any IP
address on the internet with any port number. And allow the answers to
go back out obviously. If your ISP can't make the firewall do that or
the firewall can't do that, change them! [Hmmm. I'm not sure it's a
good idea to have your ISP administering your firewall. How do they
know your security policy and how do you know if they're obeying it?]

Another approach would be to run split DNS and have name servers
outside your firewall advertising the public version of your zones to
the outside world. That way you avoid NAT ugliness for DNS traffic,
which is a Good Thing.
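An added illustration of the point about source ports, not code from Jim's reply or from the bind-users list: a small first-match model of the two firewall policies, run over two constructed queries (one from a resolver still using source port 53, one from a randomised ephemeral port). The server address, client addresses and ports are constructed samples; return traffic is assumed to be handled by a stateful rule and is not modelled.

```python
# Added example (not from the original post): why a rule that matches the
# client's *source* port breaks inbound DNS. Addresses/ports are constructed.
from dataclasses import dataclass
from typing import Optional

SERVER = "192.0.2.53"           # constructed: the name server behind the firewall

@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: Optional[int]     # None means "any"
    dst_port: Optional[int]     # None means "any"
    action: str                 # "accept" or "drop"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation with a default-drop policy, as packet filters do."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# The ISP's rule: only queries whose source port is also 53 get through.
ISP_POLICY = [Rule("udp", 53, 53, "accept")]
# The rule the reply calls for: any source port, destination port 53.
CORRECT_POLICY = [Rule("udp", None, 53, "accept")]

# Constructed sample queries hitting the server.
QUERY_FROM_53 = Packet("udp", "198.51.100.7", 53, SERVER, 53)
QUERY_FROM_EPHEMERAL = Packet("udp", "203.0.113.9", 41267, SERVER, 53)

def compare_policies() -> dict:
    """Return {sample name: (ISP verdict, correct-rule verdict)}."""
    samples = (("from_port_53", QUERY_FROM_53), ("from_ephemeral", QUERY_FROM_EPHEMERAL))
    return {name: (evaluate(ISP_POLICY, p), evaluate(CORRECT_POLICY, p)) for name, p in samples}

if __name__ == "__main__":
    for name, (isp, fixed) in compare_policies().items():
        print(f"{name:15s} ISP rule: {isp:6s} correct rule: {fixed}")
```

The ephemeral-port query, which is what most resolvers send, is dropped by the ISP's rule and accepted by the corrected one.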
