Name Resolution issue with one domain

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Mar 21 08:41:59 UTC 2012


On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports, 
instead of 53, for outgoing requests. Nobody should use port 53 for 
_ougtoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 



More information about the bind-users mailing list