On Mar 19, 2010, at 2:30 PM, Lightner, Jeff wrote:

> Maybe it's a difference between udp and tcp in your firewall?
>
> For most queries udp 53 is used but for long packets it might switch to
> tcp 53 - since you're doing an any you're going to get a lot more data.
Don't think so. The router's border acl just blocks spoofers and noise, and...

the router's to-inside acl:
120 permit tcp any gt 1023 host 209.97.231.218 eq domain (118155 matches)

the pix' from-outside acl:
29 permit tcp any host 209.97.231.218 eq domain (hitcnt=118062)

and the iptables filter on the host itself is turned off. And telnet to port 53 works -- to both nameservers, from inside or outside.

...

I thought maybe the restriction to remote ports over 1023 might have been it, so I removed it. Nope.

It seems to me that there are 3 questions:

Can bind tell the difference between inside and outside queries for T_ANY?
Can the PIX?
Can IOS even tell if this is a T_ANY DNS query?

And, of course, there's the question I haven't thought of whose answer will fix my problem...

--
Glenn English
g...@slsware.com

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
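The third question above (whether a port-53 ACL can even see that a query is T_ANY) comes down to what sits in the DNS payload versus what an L3/L4 rule matches on. The script below is an added example, not code from the thread or from BIND, Cisco or ISC; it parses the question section of a DNS message (RFC 1035 wire format, with the 2-byte length prefix used over TCP) and reports the QTYPE, flagging ANY (type 255). The sample queries are constructed inline so it runs offline; the name `example.com` and the transaction id are made-up values. Fed packet payloads from a capture on either side of the PIX, it lets you check directly whether the ANY queries are arriving over UDP, over TCP, or not at all.

```python
"""Extract the QTYPE from a DNS query so a defender can see what a port-53
ACL cannot: whether the query is T_ANY (255).

Added example for the bind-users thread; not code from BIND, IOS or PIX.
Sample packets below are constructed by hand, not captured traffic.
"""
import struct

QTYPE_ANY = 255
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT",
               28: "AAAA", QTYPE_ANY: "ANY"}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal recursion-desired query; only used for sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_qname(payload: bytes, offset: int):
    """Read an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_query(payload: bytes, transport: str = "udp") -> dict:
    """Return txid, qname and qtype of the first question in a DNS query.

    Over TCP, RFC 1035 prefixes each message with a 2-byte big-endian length;
    over UDP the datagram payload is the message itself.
    """
    if transport == "tcp":
        if len(payload) < 2:
            raise ValueError("missing TCP length prefix")
        (msg_len,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + msg_len]
        if len(payload) != msg_len:
            raise ValueError("TCP length prefix does not match payload")
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    qname, offset = parse_qname(payload, 12)
    if offset + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "is_any": qtype == QTYPE_ANY, "transport": transport}


# Constructed samples: an ANY query as a UDP payload, and an A query framed for TCP.
SAMPLE_UDP_ANY = build_query("example.com", QTYPE_ANY)
_tcp_msg = build_query("example.com", 1)
SAMPLE_TCP_A = struct.pack("!H", len(_tcp_msg)) + _tcp_msg


if __name__ == "__main__":
    for pkt, transport in ((SAMPLE_UDP_ANY, "udp"), (SAMPLE_TCP_A, "tcp")):
        q = parse_query(pkt, transport)
        print(f"{transport}: {q['qname']} {q['qtype_name']} any={q['is_any']}")
```

The `transport` argument matters because a TCP payload handed to the UDP path would be misread (the length prefix would be taken as the transaction id), which is the same distinction Jeff's UDP-versus-TCP suggestion turns on. Note that none of the fields this script reads are visible to an ACL matching only on protocol and port.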