T_ANY

Kevin Oberman oberman at es.net
Fri Mar 19 21:35:01 UTC 2010


> From: Glenn English <ghe at slsware.com>
> Date: Fri, 19 Mar 2010 15:15:38 -0600
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> 
> On Mar 19, 2010, at 2:30 PM, Lightner, Jeff wrote:
> 
> > Maybe it's a difference between udp and tcp in your firewall?  
> > 
> > For most queries udp 53 is used but for long packets it might switch to
> > tcp 53 - since you're doing an any you're going to get a lot more data.
> 
> Don't think so. The router's border acl just blocks spoofers and noise, and... 
> 
> the router's to-inside acl:
>     120 permit tcp any gt 1023 host 209.97.231.218 eq domain (118155 matches)
> 
> the pix' from-outside acl:
>     29 permit tcp any host 209.97.231.218 eq domain (hitcnt=118062) 
> 
> and the iptables filter on the host itself is turned off.
> 
> And telnet to port 53 works -- to both nameservers, from inside or outside.
> 
> ...
> 
> I thought maybe the restriction to remote ports over 1023 might have
> been it, so I removed it. Nope.
> 
> It seems to me that there are 3 questions: Can bind tell the
> difference between inside and outside queries for T_ANY? Can the PIX?
> Can IOS even tell if this is a T_ANY DNS query?
> 
> And, of course, there's the question I haven't thought of whose answer
> will fix my problem...

PIX, you say? They used to have a problem with DNS UDP packets over 512
bytes. (Well, it didn't have a "problem", it just blocked them.) I'm not
sure what, if any, code version fixes this. (I don't have any these days.)

If this has not been fixed, that might explain it.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
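An added diagnostic for the 512-byte behaviour discussed in this thread (example code, not from the thread or from ISC), assuming you point it at your own nameserver and a zone it serves: it sends the same ANY query over UDP twice, once without EDNS0 (so the server must truncate at 512 bytes and set TC) and once advertising a 4096-byte EDNS0 buffer. If the truncated reply arrives but the larger one never does, something on the path is dropping DNS/UDP replies over 512 bytes.

```python
import socket
import struct
import sys

ANY = 255  # QTYPE for T_ANY, the query type the thread is about

def build_query(name, qtype=ANY, edns_size=0, txid=0x1234):
    """Build a DNS query; edns_size > 0 appends an EDNS0 OPT record advertising that UDP size."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD flag
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return header + question + opt

def parse_reply(data):
    """Extract the fields that matter here: TC bit, RCODE, answer count, wire size."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "size": len(data)}

def probe(server, name, timeout=3.0):
    """Send the same ANY query twice over UDP: without EDNS (512-byte cap) and with EDNS0/4096."""
    results = {}
    for label, size in (("plain", 0), ("edns4096", 4096)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, ANY, size), (server, 53))
            try:
                results[label] = parse_reply(s.recv(65535))
            except socket.timeout:
                results[label] = None  # no reply within the timeout
    return results

def diagnose(results):
    """Turn the two probe outcomes into a verdict about the path."""
    plain, big = results["plain"], results["edns4096"]
    if plain is None and big is None:
        return "no UDP reply at all: udp/53 blocked or server unreachable"
    if big is None and plain and plain["tc"]:
        return "truncated 512-byte reply arrives but the EDNS reply does not: something on the path drops DNS/UDP over 512 bytes"
    if big and big["size"] > 512:
        return "reply over 512 bytes received over UDP: path passes large DNS/UDP"
    return "inconclusive: answer fits in 512 bytes, try a name with a larger RRset"

if __name__ == "__main__":
    srv, qname = sys.argv[1], sys.argv[2]  # your own nameserver and a zone it serves
    print(diagnose(probe(srv, qname)))
```

A resolver that gets the truncated reply will normally retry over TCP, so also confirm tcp/53 passes, as the thread's telnet test does.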
