Bind and firewall
barmar at genuity.net
Mon Oct 8 22:45:49 UTC 2001
In article <9pt9m2$pj5 at pub3.rc.vix.com>,
Charles Bodley <bodley at tflogic.com> wrote:
>where would that be set? The outside world sends a request to port 53 of
It would be set in the named.conf file on your nameserver.
>126.96.36.199 (sorry put the old IP in previous post. That is the correct
>one.) Those should be forwarded to the internal IP of the same port and a
>response sent. According to the firewall admin it is not blocking outgoing
>ports so that should not be the problem. Can I telnet to that port and issue
>commands to the server? If so what commands do I use? The firewall is a
>BigIP load balancer by f5 networks, in case anyone knows of a problem with
When you're resolving outside names, the outside world isn't sending to
you, they're replying to you. By default, BIND lets the OS select a random
source port for its queries. But if you only open port 53 back in, you
have to tell BIND to use that source port.
>From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
>Behalf Of Barry Margolin
>Sent: Monday, October 08, 2001 5:54 PM
>To: comp-protocols-dns-bind at moderators.isc.org
>Subject: Re: Bind and firewall
>In article <9pt757$p7h at pub3.rc.vix.com>,
>Charles Bodley <bodley at tflogic.com> wrote:
>>I currently have a redhat 7.1 bind 9.1.2 Behind a firewall. I have
>>port 53 both tcp and udp from the external IP 188.8.131.52 to the
>>internal 192.168.5.50. Even with the port forwarded I cannot get bind to
>>resolve anything. Just as a test I'm resolving hp.com. This works from
>>boxes on 192 network but not from the external IP. Can anyone think of what
>Do you have the option 'query-source * port 53' configured?
>Barry Margolin, barmar at genuity.net
>Genuity, Woburn, MA
>*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
>Please DON'T copy followups to me -- I'll assume it wasn't posted to the
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
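
The following check is an added example, not part of the original message or of BIND itself. It reads a named.conf, finds whether `query-source` pins the UDP source port, and reports whether replies to the server's own queries would arrive on a port the firewall lets back in. The sample configurations, the function names and the model of a filter that matches only on destination port are assumptions made for illustration.

```python
import re

# Constructed named.conf samples (not from the thread).
DEFAULT_CONF = '''
options {
    directory "/var/named";
    // query-source address * port 53;   (commented out: not in effect)
};
'''
PINNED_CONF = '''
options {
    directory "/var/named";
    query-source address * port 53;
};
'''

def strip_comments(conf):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", conf)

def query_source_port(conf):
    """Return the fixed UDP source port for queries, or None if unpinned."""
    stmt = re.search(r"(?<![-\w])query-source(?![-\w])([^;]*);",
                     strip_comments(conf))
    if stmt is None:
        return None
    port = re.search(r"\bport\s+(\d+)", stmt.group(1))
    return int(port.group(1)) if port else None

def replies_pass(conf, inbound_udp_ports):
    """True if replies to named's own queries arrive on a port let back in."""
    port = query_source_port(conf)
    return port is not None and port in inbound_udp_ports

if __name__ == "__main__":
    forwarded = {53}  # assumption: the firewall forwards only port 53 inward
    for name, conf in (("default", DEFAULT_CONF), ("pinned", PINNED_CONF)):
        print(name, query_source_port(conf), replies_pass(conf, forwarded))
```

A stateful firewall rule that admits replies to the server's outbound queries makes the pinned port unnecessary and keeps the query source port unpredictable, which makes forged replies harder to match.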