Odd firewall and resolver issues

Chris Bauer cbauer at mco.edu
Thu Aug 1 21:36:42 UTC 2002


Yup, I'll have to eat crow on that. I must have set the class type or
something and switched to ns-ext.vix.com, or I was using my Win2k box,
which seems to not report a "No answer" message.

I am getting some packet traces now though of other machines hitting
the firewall instead of DNS. I've attached a very small sample I got
from snoop. Still trying to figure out why it's getting hit in the first
place.

-Chris

>>> Pete Ehlke <pde at ehlke.net> 08/01/02 04:53PM >>>

On Thu, Aug 01, 2002 at 02:59:43PM -0400, Chris Bauer wrote:
> 
> I'm having problems with certain domains trying to resolve addresses
> for hosts on the mco.edu domain. I have rules set up for DNS traffic to
> talk to the nameservers, however, there are some nameservers I notice
> that insist on querying the firewall instead of the nameservers
> (ns-ext.vix.com is ns1.accesstoledo.com for instance). I'm not sure why
> this is, since I've never had it referenced in NS or SOA records for
> the domain.
> 
ns-ext.vix.com does not offer recursion to the outside world, and as far
as I know it doesn't act as a resolver for any vix/isc/etc hosts either,
so I find your claim that it is querying *any* server you operate, much
less querying your firewall instead of the server it protects to be
somewhat dubious. Do you have log file entries? I suspect you're seeing
something else entirely and misinterpreting it.

-Pete



-- Binary/unsupported file stripped by Ecartis --
-- Type: application/octet-stream
-- File: dns_err



