Ipchains - Bind - Resolution Inconsistencies

J Laub laubj at lakesoft.net
Thu Oct 2 19:15:45 UTC 2003


Sorry - good idea though.  Thanks

Barry Margolin wrote:
> In article <blho20$s4j$1 at sf1.isc.org>, J Laub  <laubj at lakesoft.net> wrote:
> 
>>Hello,
>>
>>We are experiencing an odd problem with the use of ipchains and 
>>bind.  When the firewall is active, several name servers are totally 
>>unable to resolve any names on our dns.  When the firewall is stopped 
>>all dns is resolved without incident.  Am I doing something wrong?  Does 
>>bind use any other odd ports?
>>
>>This should accept from external to fw:??
>>
>>ipchains -A input -i eth1 -s ! 10.0.0.x 1024:65535 -d 199.86.44.xxx 53 -p udp -j ACCEPT
>>
>>ipchains -A output -i eth1 -s 199.86.44.xxx 53 -d ! 10.0.0.x 1024:65535 -p udp -j ACCEPT
> 
> 
> I think 1024:65535 may be the problem.  BIND 4 uses source port 53 when it
> sends out queries.  And many sites with BIND 8 or 9 have it configured to
> use this source port as well, because they configured their firewalls to
> only allow inbound UDP to this port.
> 
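The point Barry makes can be checked on paper: the posted input rule only
admits UDP whose source port is 1024:65535, and the posted output rule only
lets replies back to such ports, so a resolver that sends its queries from
source port 53 (BIND 4, or BIND 8/9 with query-source port 53) never gets an
answer.  The following is an added example, not code from the original post
or from BIND: a small Python simulator of the ipchains rules quoted above,
with a second pair of rules for source port 53 beside the posted pair.  The
addresses 10.0.0.0/24, 192.0.2.53 and 198.51.100.x are stand-ins for the
masked ones (10.0.0.x, 199.86.44.xxx); only the ipchains options used in the
post are parsed, and "!" is taken to invert the address only, as in the
ipchains syntax "-s [!] address [port[:port]]".  Note that this is a 2003
thread: since the 2008 cache-poisoning work resolvers randomise their query
source port, so a firewall that pins resolvers to source port 53 is no longer
appropriate, and a stateful rule that allows replies to any outbound query is
the usual answer today.

```python
# Added example (not from the bind-users post): simulate the ipchains rules
# quoted in the thread to show why queries sent from source port 53 are
# dropped.  Only -A, -i, -p, -j, -s [!] addr [port[:port]] and
# -d [!] addr [port[:port]] are parsed.  Addresses are stand-ins for the
# masked ones in the post.
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    chain: str = ""
    iface: str = ""            # empty matches any interface
    proto: str = "all"
    src: str = "0.0.0.0/0"
    src_neg: bool = False      # '!' before the address inverts the address only
    sports: tuple = (0, 65535)
    dst: str = "0.0.0.0/0"
    dst_neg: bool = False
    dports: tuple = (0, 65535)
    target: str = "DENY"


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _ports(spec):
    """'53' -> (53, 53); '1024:65535' -> (1024, 65535); open ends default."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


SIMPLE = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}


def parse_rule(cmdline):
    """Parse one 'ipchains -A ...' command line into a Rule."""
    argv = shlex.split(cmdline)
    if argv and argv[0] == "ipchains":
        argv = argv[1:]
    rule, i = Rule(), 0
    while i < len(argv):
        flag = argv[i]
        i += 1
        if flag in SIMPLE:
            setattr(rule, SIMPLE[flag], argv[i])
            i += 1
        elif flag in ("-s", "-d"):
            neg = argv[i] == "!"
            if neg:
                i += 1
            addr = argv[i]
            i += 1
            ports = (0, 65535)
            if i < len(argv) and not argv[i].startswith("-"):  # optional port spec
                ports = _ports(argv[i])
                i += 1
            if flag == "-s":
                rule.src, rule.src_neg, rule.sports = addr, neg, ports
            else:
                rule.dst, rule.dst_neg, rule.dports = addr, neg, ports
        else:
            raise ValueError(f"unsupported ipchains option {flag}")
    return rule


def _addr_ok(addr, neg, ip):
    return (ip_address(ip) in ip_network(addr, strict=False)) != neg


def matches(rule, pkt):
    return ((not rule.iface or rule.iface == pkt.iface)
            and rule.proto in ("all", pkt.proto)
            and _addr_ok(rule.src, rule.src_neg, pkt.src)
            and _addr_ok(rule.dst, rule.dst_neg, pkt.dst)
            and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and rule.dports[0] <= pkt.dport <= rule.dports[1])


def verdict(rules, pkt, chain, policy="DENY"):
    """First matching rule in the chain wins, else the chain policy applies."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policy


SERVER, INSIDE = "192.0.2.53", "10.0.0.0/24"   # stand-ins for the masked addresses

# The two rules as posted, ephemeral source ports only.
POSTED = [parse_rule(
    f"ipchains -A input -i eth1 -s ! {INSIDE} 1024:65535 -d {SERVER} 53 -p udp -j ACCEPT"),
    parse_rule(
    f"ipchains -A output -i eth1 -s {SERVER} 53 -d ! {INSIDE} 1024:65535 -p udp -j ACCEPT")]

# The same chains with a pair for resolvers that query from source port 53.
FIXED = POSTED + [parse_rule(
    f"ipchains -A input -i eth1 -s ! {INSIDE} 53 -d {SERVER} 53 -p udp -j ACCEPT"),
    parse_rule(
    f"ipchains -A output -i eth1 -s {SERVER} 53 -d ! {INSIDE} 53 -p udp -j ACCEPT")]

# Constructed sample traffic: a query from an ephemeral port, a query from
# port 53, and the server's reply to the port-53 resolver.
EPHEMERAL = Packet("eth1", "udp", "198.51.100.7", 40321, SERVER, 53)
PORT53 = Packet("eth1", "udp", "198.51.100.8", 53, SERVER, 53)
REPLY53 = Packet("eth1", "udp", SERVER, 53, "198.51.100.8", 53)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, verdict(rules, EPHEMERAL, "input"),
              verdict(rules, PORT53, "input"), verdict(rules, REPLY53, "output"))
```

Run as is, the posted chains accept the ephemeral-port query but deny both
the port-53 query and the reply to it, and the extended chains accept all
three; a query from the negated 10.0.0.0/24 side stays at the chain policy in
both sets.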



More information about the bind-users mailing list