T_ANY
    Glenn English
    ghe at slsware.com
    Fri Mar 19 21:15:38 UTC 2010

On Mar 19, 2010, at 2:30 PM, Lightner, Jeff wrote:
> Maybe it's a difference between udp and tcp in your firewall?  
> 
> For most queries udp 53 is used but for long packets it might switch to
> tcp 53 - since you're doing an any you're going to get a lot more data.
Don't think so. The router's border acl just blocks spoofers and noise, and... 
the router's to-inside acl:
    120 permit tcp any gt 1023 host 209.97.231.218 eq domain (118155 matches)
the pix' from-outside acl:
    29 permit tcp any host 209.97.231.218 eq domain (hitcnt=118062) 
and the iptables filter on the host itself is turned off.
And telnet to port 53 works -- to both nameservers, from inside or outside.
...
I thought maybe the restriction to remote ports over 1023 might have been it, so I removed it. Nope. 
It seems to me that there are 3 questions: Can bind tell the difference between inside and outside queries for T_ANY? Can the PIX? Can IOS even tell if this is a T_ANY DNS query?
And, of course, there's the question I haven't thought of whose answer will fix my problem...
-- 
Glenn English
ghe at slsware.com
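The UDP-then-TCP switch Jeff describes is what a client does when the UDP reply comes back with the TC (truncated) bit set, which is common for ANY queries. The following is an added example written for this thread, not code from the original post or from BIND: it builds an ANY query, inspects a reply header for TC, and resends the same query over TCP/53 with the 2-byte length framing that TCP DNS requires. The sample response embedded at the bottom is constructed, not captured from a real server.

```python
"""UDP-first DNS ANY query with fallback to TCP when the reply is truncated."""
import socket
import struct

TYPE_ANY = 255          # T_ANY / QTYPE=*
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # response was truncated; client must retry over TCP
FLAG_RD = 0x0100        # recursion desired


def build_query(name, qtype=TYPE_ANY, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed DNS header fields we care about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "ancount": an}


def needs_tcp_retry(query, response):
    """True when the reply answers our transaction and carries TC=1."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed TCP stream early")
        buf += chunk
    return buf


def query_with_fallback(server, name, timeout=3.0):
    """Ask over UDP/53; on TC=1 resend the identical query over TCP/53.
    Needs network access, so the offline sample below does not call it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        resp, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(q, resp):
        return "udp", resp
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(q))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return "tcp", _recv_exact(tcp, length)


# Constructed sample: a truncated UDP reply (QR|RD|TC, no answers) to our ANY query.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
                    + build_query("example.com")[12:])
```

If a firewall or ACL passes UDP/53 but mishandles the TCP/53 retry (or strips large UDP replies), an ANY lookup fails exactly the way a plain A lookup does not, which is the distinction worth checking in the PIX and IOS counters.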