root-servers hitting my firewall

Mark_Andrews at isc.org Mark_Andrews at isc.org
Thu Jan 9 04:01:43 UTC 2003


> Hi all !
> 
> i am getting a bit frustrated with the following problem;
> Maybe a somewhat stupid question but i could not find the answer in here
> myself nor by googling the internet ..
> 
> I have ISC bind9 running on a linux box behind a firewall. it is only used
> internally as a forwarding/caching dns
> 
> it has worked fine so far for a few weeks now :)
> 
> this box uses an existing domain say ' myhome.com  ' which is mine, it
> exists from the outside and also points to this box ..
> the trouble is that often the root-servers seem to hit the firewall of that
> same box with say 100's 'replies' (?) in a few seconds.
> This does not only happen when i query my own domainname from the inside ..
> it happens a lot ..
> My firewall only allows replies from the 2 forwarders that are specified in
> the named.conf.
> 
> like this:
> 
> Jan 9 08:27:37 kernel: Packet log: input DENY eth1 PROTO=17
> 192.203.230.10:53 192.168.1.2:32971
> this is E.ROOT-SERVERS.NET [192.203.230.10]
> 
> I of course don't want to give all the root-servers 'access' through my
> firewall .. it seems even silly
> 
> - is this normal behavior of dns or because of a mis-configuration ?
> - are these hits on my firewall a result of my bind trying to resolve itself
> somehow ?
> 
> 
> this is my named setup (the part that matters anyway)
> 
> // General options
> 
> options {
>         forwarders { 194.134.5.5; 194.134.0.97; };
>         directory "/var/named";
>         listen-on { 127.0.0.1; 192.168.0.100; };
> };
> 
> Any help is very much appreciated !

	Set "forward only;" the default is "forward first;".

	Also your firewall is poorly configured if it allows out
	traffic but doesn't allow reply traffic back in (this
	includes ICMP traffic).  It sounds like you have
	inadvertently been pounding on the root servers (and I presume
	other servers) as a result.

	Mark

> Mario
> 
> 
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
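The options block from the question with the change Mark recommends applied, as an added example that is not part of the original thread (the addresses are the ones posted in the question):

```conf
// Added example (not from the original post): the posted options block with
// "forward only;" set, as the reply recommends. Addresses are those posted.
options {
        directory "/var/named";
        listen-on { 127.0.0.1; 192.168.0.100; };

        // The default is "forward first": named tries the forwarders, and if
        // they fail or time out it falls back to full recursion, which means
        // querying the root servers directly. Their replies then arrive at a
        // firewall that only permits replies from the two forwarders, so they
        // are logged as DENY and the queries are retried and resent.
        forward only;

        // With "forward only", named contacts nothing but these two servers,
        // so the only DNS replies to expect from outside are from them.
        forwarders { 194.134.5.5; 194.134.0.97; };
};
```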

