<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="RIGHT: auto"><SPAN style="RIGHT: auto"><STRONG>Dear All,</STRONG><BR> <BR>When i executed #dig <A href="http://www.dubaiairport.com">www.dubaiairport.com</A>, i am getting bleow response </SPAN></div>
<div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN> </div><SPAN style="RIGHT: auto">
<div style="RIGHT: auto">;<FONT style="BACKGROUND-COLOR: #ff007f"> <<>> DiG 9.3.4-P1 <<>> </FONT><A href="http://www.dubaiairport.com"><FONT style="BACKGROUND-COLOR: #ff007f">www.dubaiairport.com</FONT></A><BR><FONT style="BACKGROUND-COLOR: #ff007f">;; global options: printcmd<BR>;; connection timed out; no servers could be reached</FONT></div>
<div style="RIGHT: auto"><FONT style="BACKGROUND-COLOR: #ff007f"></FONT> </div>
<div style="RIGHT: auto"> When i checked the firewall logs, as you all confirmed, traffic is leaving from both non standard and standard port. But firewall logs clearly shows that traffic from source port =53 and its getting dropped. But other DNS traffic towards various domains also going with source port 53 for which we have no issue.</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto"> Is this port restriction done at remote domain firewall?<BR> Is there any way to enforce non standard port for this domain query at our BIND level from our side?</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto"><FONT style="BACKGROUND-COLOR: #ff409f">Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT</FONT></div>
<div style="RIGHT: auto"><FONT style="BACKGROUND-COLOR: #ff409f"></FONT> </div>
<div style="RIGHT: auto"><FONT style="BACKGROUND-COLOR: #ff409f; RIGHT: auto">Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=451904 reason=Close - AGE OUT<BR></FONT><BR style="RIGHT: auto" class=yui-cursor>Regards</div>
<div style="RIGHT: auto">Babu</div></SPAN>
<div><BR></div>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV dir=ltr><FONT size=2 face=Arial>
<DIV style="BORDER-BOTTOM: #ccc 1px solid; BORDER-LEFT: #ccc 1px solid; PADDING-BOTTOM: 0px; LINE-HEIGHT: 0; MARGIN: 5px 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; HEIGHT: 0px; FONT-SIZE: 0px; BORDER-TOP: #ccc 1px solid; BORDER-RIGHT: #ccc 1px solid; PADDING-TOP: 0px" class=hr contentEditable=false readonly="true"></DIV><B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Matus UHLAR - fantomas <uhlar@fantomas.sk><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> bind-users@lists.isc.org <BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wednesday, 21 March 2012 11:41 AM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: Name Resolution issue with one domain<BR></FONT></DIV><BR>On 21.03.12 09:23, Mark Andrews wrote:<BR>>Stupid firewall rules in front of the nameservers. They block<BR>>traffic sent from port 53 which is the port lots of nameservers<BR>>used to send query traffic. When will firewall
administrators learn<BR>>that the source ports can be anything, that they are not significant,<BR>>and that blocking traffic based on the source port is stupid.<BR><BR>maybe the admin set that up to force local servers using random ports, <BR>instead of 53, for outgoing requests. Nobody should use port 53 for <BR>_ougtoing_ requests.<BR><BR>>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com<BR>>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)<BR>>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)<BR>>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)<BR>><BR>>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com<BR>>;; global
options: +cmd<BR>>;; connection timed out; no servers could be reached<BR>>bsdi#<BR><BR>-- <BR>Matus UHLAR - fantomas, <A href="mailto:uhlar@fantomas.sk" ymailto="mailto:uhlar@fantomas.sk">uhlar@fantomas.sk</A> ; <A href="http://www.fantomas.sk/" target=_blank>http://www.fantomas.sk/</A><BR>Warning: I wish NOT to receive e-mail advertising to this address.<BR>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.<BR>Quantum mechanics: The dreams stuff is made of. <BR>_______________________________________________<BR>Please visit <A href="https://lists.isc.org/mailman/listinfo/bind-users" target=_blank>https://lists.isc.org/mailman/listinfo/bind-users</A> to unsubscribe from this list<BR><BR>bind-users mailing list<BR><A href="mailto:bind-users@lists.isc.org" ymailto="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</A><BR><A href="https://lists.isc.org/mailman/listinfo/bind-users"
target=_blank>https://lists.isc.org/mailman/listinfo/bind-users</A><BR><BR><BR></DIV></DIV></div></body></html>