Dear All,
When i executed #dig www.dubaiairport.com, i am getting bleow response
;<<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached
When i checked the firewall logs, as you all confirmed, traffic is leaving
from both non standard and standard port. But firewall logs clearly shows that
traffic from source port =53 and its getting dropped. But other DNS traffic
towards various domains also going with source port 53 for which we have no
issue.
Is this port restriction done at remote domain firewall?
Is there any way to enforce non standard port for this domain query at our
BIND level from our side?
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53
session_id=512159 reason=Close - AGE OUT
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53
session_id=451904 reason=Close - AGE OUT
Regards
Babu
________________________________
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain
On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers. They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic. When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.
maybe the admin set that up to force local servers using random ports,
instead of 53, for outgoing requests. Nobody should use port 53 for
_ougtoing_ requests.
>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
