RE: [PLUG] Re: FW: BIND troubleshooting / help

kaze on Wed, 6 Aug 2003 21:56:08 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

RE: [PLUG] Re: FW: BIND troubleshooting / help

From: "kaze" <kaze@voicenet.com>

To: <plug@lists.phillylinux.org>

Subject: RE: [PLUG] Re: FW: BIND troubleshooting / help

Date: Wed, 6 Aug 2003 21:51:50 -0400

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

<snip> --> > Yeah, it's been open, even all the way to the outside - but --> does it block --> > outgoing somehow? Or is some reply blocked, I know on the --> Cisco ACL you have --> > to allow from anyone to port 53, and from anyone's port 53 to --> ports over 53 --> > on tcp and udp. I'm probably reaching and just screwed --> something basic up... --> --> I do not understand your question. You say it is open but then --> you seem to think --> it is blocked. zone transfers are by default done via port 53 --> tcp. Most other --> dns things are 53 udp. You seem to know this but at teh same --> time you do not --> seem sure, so I mentioned it again for clarity. From your trace --> in the previous --> message it looks to me like you have something blocked. It is --> hard to tell for --> sure without sniffing the packets with tcpdump or something. --> You do not have --> iptables turned on, on the nameservers so you?? --> --> -- --> ......Tom I think it was a little early in the morning for me to post. On the Cisco IOS ACL 'firewall' I have in part: access-list 100 permit udp any eq domain host 146.145.39.211 gt 1023 access-list 100 permit udp any host 146.145.39.211 eq domain access-list 100 permit tcp any host 146.145.39.211 eq domain Where 146.145.39.211 is the external address of ns1 then NAT'ed to 10.10.10.211. So: any IP with tcp port 53 allowed to ns1's IP with a port > 1023 any IP with and UDP allowed to ns1's IP with port 53 any IP with and TCP allowed to ns1's IP with port 53 I'm not 100% sure about it but I think unlike a web browser sending a request out to the server and the server sending the data back on the same 'established' connection, with DNS the 'question' and 'answer' are separate sockets and separate connections so you have to set up another rule to allow for this. _________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

References:

[PLUG] Re: FW: BIND troubleshooting / help
From: Tom Diehl <tdiehl@rogueind.com>

Prev by Date: RE: [PLUG] Re: FW: BIND troubleshooting / help

Next by Date: Re: [PLUG] Discuss at Tonight's meeting

Previous by thread: Re: [PLUG] Re: FW: BIND troubleshooting / help

Next by thread: [PLUG] Re: FW: BIND troubleshooting / help

Index(es):

Date

Thread