unable to resolve one specific domain (hotmail.co.uk)

Mark Andrews Mark_Andrews at isc.org
Wed Apr 25 23:21:06 UTC 2007


> Thanks for the update. I've been at least acknowledged by msnhst at microsoft.com,
> they're looking into it - I will include this information in my report to
> them, as the primary reason we set query-source address to 53 is that we had
> problems with some nameservers that didn't allow non-privileged ports to query
> (probably a legacy issue).

	There are lots of badly constructed firewalls.

	Some block source port != 53
	Some block source port < 1024
	Some block source port 1024-1030 (rpc ports)
	Some block source port ~7000 (irc ports)
 
	If you have a nameserver you should allow traffic to port 53
	on the nameserver regardless of the source port.  It should
	also allow reply traffic to any destination port.

	With a first match firewall you should have rules like:

	state-full firewall
		check-state			   ; allow inbound replies
		allow any to nameserver 53 in	   ; allow inbound queries
		allow nameserver 53 to any out	   ; allow replies
		allow any to any 53 out keep-state ; allow outbound queries
		<put your general blocks here>

	state-less firewall (query-source port 53)
		allow tcp established
		allow any to nameserver 53 in	   ; allow inbound queries and
						   ; inbound replies
		allow nameserver 53 to any out	   ; allow replies
		allow udp any 53 to any 53 out 	   ; allow outbound queries
		<put your general blocks here>

	If you are worried about too much state being kept with the state-full
	firewall you can do it as a state-less firewall for the recursive
	servers by inserting a rule like this before the keep-state rule

		allow udp <recursive server> 53 to any 53 out

	Named has a built-in list of ports to which it will not
	respond with error messages.  It will also not reply
	to responses.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
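The rulesets above, run through a small first-match packet filter model. This is an added example, not part of Mark's message and not BIND or any firewall product's code: the `Rule` and `Firewall` classes are written here for illustration, and the hosts (192.0.2.53 and 198.51.100.7, from the documentation address ranges), port numbers and packets are all constructed. It shows why the stateless variant depends on named using query-source port 53 (replies come back to port 53 and are admitted by the same rule as inbound queries), and what one of the "badly constructed firewalls" does: a deny on inbound source ports below 1024 drops queries that arrive from port 53 and also every reply, because replies always come from port 53.

```python
"""First-match packet filter model for the DNS firewall rulesets in the post.
Added example, not from the original message: hosts, ports and packets are
constructed; the rule syntax mirrors the post, the evaluator is ours."""
from dataclasses import dataclass
from typing import Optional, Union

PortSpec = Union[None, int, tuple]   # None = any port, int = exact, (lo, hi) = range

NS = "192.0.2.53"        # assumed: our (authoritative + recursive) nameserver
REMOTE = "198.51.100.7"  # assumed: some resolver or authoritative server elsewhere


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" = arriving from outside, "out" = leaving our network
    ack: bool = False   # TCP ACK flag, consulted by the "established" rule


@dataclass
class Rule:
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "any"
    src: str = "any"
    sport: PortSpec = None
    dst: str = "any"
    dport: PortSpec = None
    direction: str = "any"
    keep_state: bool = False     # record the flow so check-state admits its replies
    established: bool = False    # match only TCP segments with ACK set

    @staticmethod
    def _port_ok(spec: PortSpec, port: int) -> bool:
        if spec is None:
            return True
        if isinstance(spec, tuple):
            return spec[0] <= port <= spec[1]
        return spec == port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self._port_ok(self.sport, p.sport)
                and self._port_ok(self.dport, p.dport)
                and self.direction in ("any", p.direction)
                and (not self.established or (p.proto == "tcp" and p.ack)))


class Firewall:
    """Rules are evaluated top to bottom and the first match wins; a packet
    that matches nothing is denied."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # flows admitted by keep-state rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                # A reply is a recorded flow with its endpoints swapped.
                if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
                    return "allow"
                continue
            if r.matches(p):
                if r.keep_state:
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"


def stateful_rules(ns=NS):
    return [
        Rule("check-state"),                                        # inbound replies
        Rule("allow", dst=ns, dport=53, direction="in"),            # inbound queries
        Rule("allow", src=ns, sport=53, direction="out"),           # our replies
        Rule("allow", dport=53, direction="out", keep_state=True),  # outbound queries
        Rule("deny"),                                               # general block
    ]


def stateless_rules(ns=NS):
    # Assumes named is configured with query-source port 53, as the post says.
    return [
        Rule("allow", proto="tcp", established=True),
        Rule("allow", dst=ns, dport=53, direction="in"),   # inbound queries and replies
        Rule("allow", src=ns, sport=53, direction="out"),  # our replies
        Rule("allow", proto="udp", sport=53, dport=53, direction="out"),  # outbound queries
        Rule("deny"),
    ]


def broken_rules(ns=NS):
    # A "badly constructed firewall": blocks inbound source ports below 1024
    # ahead of an otherwise sane stateful ruleset.
    return [Rule("deny", sport=(0, 1023), direction="in")] + stateful_rules(ns)


def evaluate(rules_factory) -> dict:
    """Push a short DNS exchange (constructed traffic) through a fresh firewall
    and return the verdict for each packet plus the number of state entries."""
    fw = Firewall(rules_factory())
    exchange = [
        ("query_from_high_port", Packet("udp", REMOTE, 41234, NS, 53, "in")),
        ("query_from_port_53",   Packet("udp", REMOTE, 53, NS, 53, "in")),
        ("our_reply",            Packet("udp", NS, 53, REMOTE, 41234, "out")),
        ("out_query_from_53",    Packet("udp", NS, 53, REMOTE, 53, "out")),
        ("reply_to_port_53",     Packet("udp", REMOTE, 53, NS, 53, "in")),
        ("out_query_random",     Packet("udp", NS, 50231, REMOTE, 53, "out")),
        ("reply_to_random",      Packet("udp", REMOTE, 53, NS, 50231, "in")),
    ]
    verdicts = {name: fw.decide(pkt) for name, pkt in exchange}
    verdicts["state_entries"] = len(fw.state)
    return verdicts


if __name__ == "__main__":
    for factory in (stateful_rules, stateless_rules, broken_rules):
        print(factory.__name__, evaluate(factory))
```

With the stateful ruleset every packet in the exchange is allowed, and only the query sent from a random port leaves a state entry, because the outbound query from port 53 already matches "allow nameserver 53 to any out" before reaching the keep-state rule, which is exactly the effect of the recursive-server rule in the post. With the stateless ruleset the reply to a query sent from port 53 is allowed, but a query sent from a random port and its reply are both denied, so that ruleset only works while query-source port is pinned to 53. The broken ruleset denies the query arriving from source port 53 and every reply, since replies always originate from port 53. One caveat the 2007 post predates: BIND 9 has randomized query source ports by default since mid-2008 to make cache poisoning harder, so pinning query-source port 53 to suit a stateless firewall gives that protection up; the stateful ruleset, which admits replies to whatever port the query left from, is the one to use today.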


