firewall blocking 53

Armin Safarians armin.safarians at safeway.com
Wed Aug 7 17:52:01 UTC 2002


That would certainly let me set my port I query from, however reading
the bind book it says that if query-source is not used, it would then
use a random unprivileged port. My issue is that it uses the same one
for all of its queries... The network folk expect random port sending
those queries... ?????


AMS :-)

-----Original Message-----
From: David Botham [mailto:dns at botham.net] 
Sent: Wednesday, August 07, 2002 10:35 AM
To: 'Armin Safarians'
Cc: 'bind users'
Subject: RE: firewall blocking 53



Or maybe you could investigate the query-source option in named.conf.
You should find the details in the ARM or man page for named.conf...


Dave...
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On 
> Behalf Of Pete Ehlke
> Sent: Wednesday, August 07, 2002 1:23 PM
> To: Armin Safarians
> Cc: bind users
> Subject: Re: firewall blocking 53
> 
> 
> On Wed, Aug 07, 2002 at 09:54:36AM -0700, Armin Safarians wrote:
> >
> > Any ideas..?
> > AMS :-)
> 
> Well, I'd say this is either a... ummm... feature... of Firewall-1, or
> your firewall is poorly configured. If it's dynamically blocking ports
> based on the fact that some outbound connections time out, then you'll
> have to either configure it not to do that, or deal with the 
> consequences.
> 
> -P.
> 
> >
> > -----Original Message-----
> > From: Armin M. Safarians [mailto:armin.safarians at safeway.com]
> > Sent: Monday, August 05, 2002 3:59 PM
> > To: bind users
> > Subject:
> >
> >
> > All --
> > Problem:   CheckPoint firewall blocking dns traffic.
> >
> >    It seems like bind generates queries on the same
> > high port (source) to port 53 (destination). Every time
> > I bounce bind, it starts its queries from a new high
> > port (source) to port 53 (destination). This high port stays the 
> > same until the next bounce.
> >
> >    When the firewall sees a delay of more than 40
> > seconds, it blocks all replies back to this high port.
> > When I bounce bind, the new high port will work since
> > there is no block.
> >
> >     I hope this is not too confusing. Please shed some light if you 
> > get the basic problem here.
> >
> 
> > AMS :-)
> >
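
The following is an added example, not part of the original thread or of BIND or Check Point code. It is a toy model of the behaviour exactly as the original poster describes it (one late or missing reply causes all later replies to that source port to be dropped), comparing a resolver that reuses one source port with one that picks a port per query. The class and function names, the port number and the delay list are constructed for illustration.

```python
import random

BLOCK_AFTER = 40  # seconds; the delay reported in the thread


class FirewallModel:
    """Assumed behaviour, taken from the poster's description only: once a
    reply is later than BLOCK_AFTER seconds (or never arrives), every later
    reply addressed to that source port is dropped."""

    def __init__(self):
        self.blocked_ports = set()

    def exchange(self, src_port, reply_delay):
        """Return True if the reply to this query reaches the resolver."""
        if src_port in self.blocked_ports:
            return False
        if reply_delay is None or reply_delay > BLOCK_AFTER:
            self.blocked_ports.add(src_port)
            return False
        return True


def run(delays, port_for_query):
    """Send one query per entry in delays; return which replies got through."""
    fw = FirewallModel()
    return [fw.exchange(port_for_query(i), d) for i, d in enumerate(delays)]


# Constructed sample: reply delay in seconds per query; None = no answer at all.
DELAYS = [0.1, 0.2, None, 0.1, 0.3, 0.1]


def fixed_port_results():
    port = 34567  # constructed: the single high port chosen at startup
    return run(DELAYS, lambda i: port)


def per_query_port_results(seed=1):
    rng = random.Random(seed)
    ports = rng.sample(range(1024, 65536), len(DELAYS))  # distinct ports
    return run(DELAYS, lambda i: ports[i])


if __name__ == "__main__":
    print("fixed source port :", fixed_port_results())
    print("port per query    :", per_query_port_results())
```

With a single source port, one unanswered query takes out every later lookup until the resolver is restarted on a new port; with a port per query, only the query that timed out is lost.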


