On Mon, 09 Aug 2010 14:08:26 +0200, Wolfgang Solfrank <wolfg...@solfrank.net> wrote:

> >>> Allow bind to use as wide a range of port numbers as possible for
> >>> UDP traffic.
> >
> > On 09.08.10 17:14, Shiva Raman wrote:
> >> Yes this is allowed in the firewall.
> >
> > note that bind also should not have "port" option in query-source
> > statement.
>
> In addition, be careful with the use of NAT on your firewall. This
> will probably unrandomize the port numbers on your outgoing requests.
>
> Ciao,
> Wolfgang

Port deviation could easily be tested via porttest.dns-oarc.net:

dig +short @127.0.0.1 porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with std dev 19687"

Every result other than "GREAT" should alert you.

Also, to check whether DNSSEC is working or not, send a recursive query to your resolver and check the returned flags for ad.

[t...@daddelkiste ~]$ dig +dnssec @127.0.0.1 iis.se a

; <<>> DiG 9.6.2-P2-RedHat-9.6.2-5.P2.fc12 <<>> +dnssec @127.0.0.1 iis.se a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12422
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iis.se.                        IN      A

;; ANSWER SECTION:
iis.se.                 21      IN      A       212.247.7.218
iis.se.                 21      IN      RRSIG   A 5 2 60 20100815115001 20100805115001 53249 iis.se. pWMYsqufhD4RkHX6IltLOcxMob3rNpc1+UnXZKgOMsO5HgbtIjALoq9+ ReqKziKev3PiEBLNdqrxT95TVlzVb7qgnLmlHABsap7m2uzuHFQKsFmh RGxqpiuzu9bPEIfZKout4TmzILaP1Nua4ntSXyyjS35EUszfX+F/Mqrm fcc=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  9 14:35:37 2010
;; MSG SIZE  rcvd: 217

Ciao
Torsten

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
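An added example, not part of the thread above: a POSIX shell helper that automates the two checks Torsten describes by parsing dig output, so a resolver can be checked repeatedly (e.g. from cron) instead of by eye. The function names and the 127.0.0.1 default are my own; the sample answers are copied from the output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original thread): parse dig output to check
# source-port randomisation (porttest.dns-oarc.net) and DNSSEC validation (ad flag).

# Print the verdict word (GREAT, GOOD, POOR, ...) from a porttest.dns-oarc.net
# TXT answer read on stdin; prints UNKNOWN when no verdict line is present.
porttest_verdict() {
    awk '
        match($0, / is [A-Z]+:/) {
            print substr($0, RSTART + 4, RLENGTH - 5); found = 1; exit
        }
        END { if (!found) print "UNKNOWN" }'
}

# Return 0 when the ";; flags:" line of a full dig response (stdin) carries the
# "ad" (authenticated data) flag, i.e. the resolver validated the answer.
has_ad_flag() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*$/, "")
            for (i = 1; i <= NF; i++) if ($i == "ad") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Run both checks live against a resolver (default 127.0.0.1); needs dig and network.
check_resolver() {
    r=${1:-127.0.0.1}
    v=$(dig +short @"$r" porttest.dns-oarc.net txt | porttest_verdict)
    [ "$v" = GREAT ] || echo "WARNING: port randomisation verdict for $r is $v"
    if dig +dnssec @"$r" iis.se a | has_ad_flag; then
        echo "DNSSEC validation on $r: ad flag set"
    else
        echo "WARNING: no ad flag from $r, resolver is not validating"
    fi
}

# Sample answers copied from the thread, so the parsers can be exercised offline.
SAMPLE_PORTTEST='porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.180.9.198 is GREAT: 53 queries in 9.1 seconds from 53 ports with std dev 19687"'
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `check_resolver 127.0.0.1` (or another resolver address) to perform the live checks; the sample strings only feed the parsers.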