Dear All,
 
When I executed #dig www.dubaiairport.com, I am getting the below response:
 ;<<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
 
When I checked the firewall logs, as you all confirmed, traffic is leaving 
from both non-standard and standard ports. But the firewall logs clearly show that 
traffic from source port 53 is getting dropped. But other DNS traffic 
towards various domains is also going out with source port 53, for which we have no 
issue.
 
Is this port restriction done at the remote domain's firewall?
Is there any way to enforce a non-standard port for this domain query at our 
BIND level from our side?
 
 
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 
session_id=512159 reason=Close - AGE OUT
 
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 
session_id=451904 reason=Close - AGE OUT

Regards
Babu
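As an added example that is not part of this thread: a small Python script that parses session-close lines in the format of the firewall log quoted above and, per destination, separates DNS queries sent from source port 53 from those sent from a random port, so a server that answers random-port queries but never port-53 ones stands out from a plain outage. The log lines are constructed for the example (the first two mirror the posted sessions; the 192.0.2.10 server and the random-port session are made up).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the firewall log format quoted above. The first two lines
# mirror the posted sessions; the last two are made-up controls: a server that
# answers a query from source port 53, and a query sent from a random port.
SAMPLE_LOG = """\
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.79 port=53 session_id=451904 reason=Close - AGE OUT
Mar 21 21:51:02 start_time="2012-03-21 21:51:01" duration=1 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=61 rcvd=145 src=10.1.1.1 dst=192.0.2.10 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=192.0.2.10 port=53 session_id=451910 reason=Close - RESP
Mar 21 21:51:05 start_time="2012-03-21 21:51:04" duration=1 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=61 rcvd=150 src=10.1.1.1 dst=213.42.52.75 src_port=41337 dst_port=53 src-xlated ip=10.1.1.1 port=41337 dst-xlated ip=213.42.52.75 port=53 session_id=451911 reason=Close - RESP
"""

FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S+)')

def parse_session(line):
    """key=value fields of one session-close line. The first value wins for keys
    that repeat (ip=/port= of both xlated endpoints); the free-text reason is kept whole."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields.setdefault(m.group("key"), m.group("val").strip('"'))
    tail = re.search(r"\breason=(.*)$", line)
    if tail:
        fields["reason"] = tail.group(1).strip()
    return fields

def dns_source_port_report(log_text):
    """Per destination, count UDP DNS sessions by (source-port class, outcome):
    class is "53" or "random", outcome "answered" if rcvd > 0 else "unanswered"."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_session(line)
        if f.get("service") != "dns" or f.get("proto") != "17":
            continue
        cls = "53" if f["src_port"] == "53" else "random"
        outcome = "answered" if int(f["rcvd"]) > 0 else "unanswered"
        report[f["dst"]][(cls, outcome)] += 1
    return report

def suspect_destinations(report):
    """Destinations that never answered a query from source port 53, with how many
    such queries timed out and how many random-port queries they did answer.
    A non-zero last number is the signature of a source-port filter, not an outage."""
    out = []
    for dst, c in report.items():
        if c[("53", "unanswered")] and not c[("53", "answered")]:
            out.append((dst, c[("53", "unanswered")], c[("random", "answered")]))
    return sorted(out)
```

On the BIND side, named only pins the source port when named.conf asks for it (`query-source address * port 53;`); `query-source address * port *;`, or dropping the port clause, makes named pick a random port per query, which also removes the guessable-port cache-poisoning weakness.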


________________________________
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: bind-users@lists.isc.org 
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

Maybe the admin set that up to force local servers to use random ports, 
instead of 53, for outgoing requests. Nobody should use port 53 for 
_outgoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of. 
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users