I believe it will depend on the configuration of your internal DNS server(s).
As I understand it (it has been a little while), your DNS server has a choice of making the request on the workstation's behalf, and sending back the response when it arrives, or telling the workstation to re-issue the request to some other (specified) server. I believe DNS terminology calls these two behaviours "forwarding" and "referring", respectively. Obviously, telling the workstation to re-issue the request is less work for the local server, and may avoid some time-out issues. However, besides the traffic which you report (which might also have come from other causes, such as some versions of traceroute...), this also means allowing any workstation to send out random UDP traffic on port 53, even if it's NOT DNS queries. It could, for instance, be DDoS traffic from compromised internal machines.

So *my* preference -- given a choice -- is to allow UDP queries of external DNS servers only from the internal DNS servers, and not from random workstations.

DG

On 14 Oct 2001, at 22:44, Roy wrote:

> What exactly should the rules look like for a DNS server behind a
> firewall. When a DNS lookup is done does the workstation doing the
> lookup ever get a direct response from some DNS server on the
> internet or does it always come from the local DNS server.
> I ask that because I've heard of high port numbered UDP packets
> coming back from DNS and I noticed a lot of high udp packets
> coming back to workstations from outside of my firewall.
>
> I'm running a pix 520.
>
> Thanks
>
> Roy Harrison
> The Research Libraries Group
> ___________________________________
> If we don't change our basic perceptions
> of life, as a species we will perish in
> servitude to institutional greed.
> Please read Vote or Die at
> www.threeparty.org
>
> "A human being is part of a whole, called by us the "Universe,"
> a part limited in time and space. He experiences himself,
> his thoughts and feelings, as something separated from the rest
> -a kind of optical delusion of his consciousness.
> This delusion is a kind of prison for us, restricting us to our
> personal desires and to affection for a few persons nearest us.
> Our task must be to free ourselves from this prison by widening our
> circles of compassion to embrace all living creatures and the whole of
> nature in its beauty."
>
> - Albert Einstein (1879-1955)
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
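The policy DG argues for, modelled as an added example that is not part of the original thread: a small stateful filter that permits outbound UDP/53 only from the internal resolver and lets inbound UDP from port 53 through only as the single reply to a query it saw leave. All addresses and ports are constructed, and the filter is a simplified model rather than PIX configuration.

```python
from dataclasses import dataclass

# Constructed values for this example: the site's only resolver. The external
# name-server addresses used below are constructed too (none come from the thread).
INTERNAL_DNS = {"10.0.0.53"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN

class StatefulDnsFilter:
    """Permit outbound UDP/53 only from the internal resolver, record the
    query so exactly one matching reply may return, deny everything else."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str]] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if p.dport != 53:
                return "deny: outbound UDP not covered by the DNS policy"
            if p.src not in INTERNAL_DNS:
                return "deny: workstation querying external DNS directly"
            self.pending.add((p.src, p.sport, p.dst))
            return "permit"
        # Inbound UDP from port 53 is a legitimate answer only if the matching
        # query left first; the state entry is consumed so repeats are dropped.
        key = (p.dst, p.dport, p.src)
        if p.sport == 53 and key in self.pending:
            self.pending.discard(key)
            return "permit"
        return "deny: unsolicited inbound UDP to a high port"

def run_sample() -> list[str]:
    """Constructed traffic: a resolver query and its answer, then the
    direct-to-Internet workstation traffic the thread is worried about."""
    fw = StatefulDnsFilter()
    flows = [
        Packet("10.0.0.53", 40000, "198.51.100.1", 53, "out"),   # resolver query
        Packet("198.51.100.1", 53, "10.0.0.53", 40000, "in"),    # its answer
        Packet("10.0.0.25", 51234, "198.51.100.1", 53, "out"),   # workstation query
        Packet("198.51.100.1", 53, "10.0.0.25", 51234, "in"),    # high-port "reply"
        Packet("198.51.100.1", 53, "10.0.0.53", 40000, "in"),    # replayed answer
    ]
    return [fw.decide(p) for p in flows]
```

The fourth packet is the kind of high-port UDP arriving at a workstation that Roy observed; with the resolver-only rule it is dropped because no workstation query was ever allowed out.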
