On 21.03.12 09:23, Mark Andrews wrote:
Stupid firewall rules in front of the nameservers.  They block
traffic sent from port 53 which is the port lots of nameservers
used to send query traffic.  When will firewall administrators learn
that the source ports can be anything, that they are not significant,
and that blocking traffic based on the source port is stupid.

Maybe the admin set that up to force local servers to use random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)

; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
;; global options: +cmd
;; connection timed out; no servers could be reached
bsdi#

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
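
Added example, not part of the original message or of BIND: a small Python check that reads tcpdump lines in the format shown in the thread and lists DNS queries that were retransmitted without ever getting a reply, noting when they left from source port 53. The first three capture lines are the ones from the thread (wrapped lines rejoined); the last two are constructed for contrast, and the function names are hypothetical.

```python
import re

# Lines 1-3: capture from the thread. Lines 4-5: constructed sample showing a
# query from an ephemeral source port and its reply (documentation addresses).
CAPTURE = """\
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:14:01.100000 192.0.2.10.41233 > 198.51.100.7.53:  5512+ A? www.example.com. (33)
09:14:01.120000 198.51.100.7.53 > 192.0.2.10.41233:  5512 1/0/0 A 203.0.113.5 (49)
"""

# timestamp, src.port > dst.port:, DNS message id, remainder of the line
LINE = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+(?P<qid>\d+)(?P<rest>.*)$"
)

def unanswered_queries(capture):
    """Return (src, sport, dst, qid, attempts) for queries that never got a reply."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, qid = m["src"], m["dst"], int(m["qid"])
        sport, dport = int(m["sport"]), int(m["dport"])
        if re.search(r"\b[A-Z0-9]+\? ", m["rest"]):   # query lines carry "TYPE? name."
            key = (src, sport, dst, dport, qid)
            pending[key] = pending.get(key, 0) + 1    # count retransmissions
        else:                                         # reply: reversed addresses, same id
            pending.pop((dst, dport, src, sport, qid), None)
    return [(s, sp, d, q, n) for (s, sp, d, _dp, q), n in pending.items()]

def report(capture):
    """One line per unanswered query, with a hint about the source port."""
    out = []
    for src, sport, dst, qid, n in unanswered_queries(capture):
        hint = ("sent from source port 53: suspect a source-port filter on the path"
                if sport == 53 else "ephemeral source port")
        out.append(f"id {qid} {src}:{sport} -> {dst}: {n} attempts, no reply ({hint})")
    return out

if __name__ == "__main__":
    print("\n".join(report(CAPTURE)))
```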