The same ports are used for name queries as are used for address queries. Your
access list is likely not the problem.
The problem is not a firewall issue, but more a DNS issue.
comp.protocols.dns.bind would be a better place to ask. But most likely your
nameserver has not been properly delegated for the reverse domain. Let's assume
your addresses are in the 195.119.181.0 network. Your nameserver would need to
be delegated for the 181.119.195.in-addr.arpa domain. RIPE would be the
registry that would handle that. As shown below, no one has been delegated for
that domain.
> nslookup -qt=ns 119.195.in-addr.arpa.
...
119.195.in-addr.arpa nameserver = nic.unilog.se
119.195.in-addr.arpa nameserver = ns.global-ip.net
119.195.in-addr.arpa nameserver = ns.ripe.net
> nslookup -qt=ns 181.119.195.in-addr.arpa.
...
<my.name.server> can't find 181.119.195.in-addr.arpa.:Non-existent domain
Tony Rall
"Hanus Hrabak" <[EMAIL PROTECTED]> on 05/24/1999 01:20:20
I have a Linux name server (x.x.x.x) with a number of second level domains.
If I ask for the name using nslookup, my server knows both name and IP
address. Any other name server, except the NS with secondary registration of
my domains (y.y.y.y), returns the IP address if I ask the name, but doesn't
know the name if I ask the IP address. The name server is behind the packet
filter on a Cisco router and there is a second Linux packet filter running on
the NS.
I'd like to know if both kinds of question to the NS are to the same port and
I should look for the problem outside my net, or if I have a wrong
configuration of the packet filters or NS.
This is part of the access list on the Cisco router:
permit udp host y.y.y.y eq domain any (156404 matches)
permit tcp any host x.x.x.x eq domain (15172 matches)
permit udp any host x.x.x.x eq domain (275023 matches)
permit tcp any host x.x.x.x eq tacacs (82158 matches)
permit udp any eq domain host x.x.x.x (29 matches)
deny ip any host x.x.x.x log (269 matches)
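
The delegation check described in the reply above, as an added example that is not part of the original thread: it derives the reverse zone for the 195.119.181.0 network and walks up from a PTR name to the deepest zone that has NS records. The function names, the sample host 195.119.181.10 and the delegation table (constructed from the nslookup output quoted in the reply) are assumptions.

```python
import ipaddress

# Constructed delegation data, modelled on the nslookup output in the reply:
# the /16 reverse zone has NS records, the /24 reverse zone has none.
DELEGATIONS = {
    "119.195.in-addr.arpa": ["nic.unilog.se", "ns.global-ip.net", "ns.ripe.net"],
}


def reverse_zone(network):
    """Return the in-addr.arpa zone for an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        # Longer prefixes need RFC 2317 classless delegation, not handled here.
        raise ValueError("only /8, /16 and /24 IPv4 networks are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(address):
    """Name a resolver queries for the PTR record of an IPv4 address."""
    return ipaddress.ip_address(address).reverse_pointer


def closest_delegation(name, delegations):
    """Walk up from `name` and return (zone, nameservers) for the deepest
    enclosing zone with NS records, or (None, []) if none is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in delegations:
            return zone, delegations[zone]
    return None, []


def check_reverse(network, sample_host, delegations):
    """Report whether PTR queries for the network reach its own reverse zone."""
    wanted = reverse_zone(network)
    found, servers = closest_delegation(ptr_name(sample_host), delegations)
    return {"wanted": wanted, "found": found, "servers": servers,
            "delegated": found == wanted}


if __name__ == "__main__":
    print(check_reverse("195.119.181.0/24", "195.119.181.10", DELEGATIONS))
```

With the constructed table, the walk stops at 119.195.in-addr.arpa, so PTR queries never reach a server that is authoritative for the /24 reverse zone, whatever the packet filters allow.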