Whoa... I have 2 servers running tinydns; one returns replies on port 53 and the other on 61144. I think I'm going to reinstall it and see what happens. Thank you very much for the info; that sends me down the right path, and I can now stop pulling my hair out ;)
On Sat, April 22, 2006 16:35, Daniel Hartmeier wrote:
> On Sat, Apr 22, 2006 at 03:37:35PM -0700, Allie Daneman wrote:
>
>> Apr 22 14:53:52.935466 rule 18/(match) pass out on xl0: 24.XX.XX.X.50599 > 216.XXX.XX.XX.53: [|domain]
>> Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: 216.XXX.XX.XX.61144 > 24.XX.XX.X.50599: udp 116 [tos 0x20]
>
> The query is to port 53, but the reply isn't coming from port 53, but
> from port 61144.
>
> I think that's technically legal for DNS, but has become mostly an
> obscurity today, because it breaks on almost any firewall (not just pf).
> I.e. most DNS servers don't do that anymore, and you have found one that
> still does. I don't know why it was made legal in the first place, maybe
> an existing vendor insisted that he couldn't afford to modify his
> unmaintainable code to do a bind(2) call ;)
>
> There's no way to match that reply to the state entry (as matching is
> based on port numbers), so you'd have to basically pass all such replies
> in statelessly (opening UDP up wide open). Or just screw that DNS
> server.
>
> Daniel
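To make the state-matching point concrete, here is an added example (not code from the thread, from pf, or from tinydns): a toy replay of pf's UDP state keying over the two pflog lines Allie posted. It assumes the ruleset behind the log is a "pass out ... keep state" rule (the rule 18 "pass out") plus a default "block in" (the rule 13 "block in"); the reply-from-port-53 line and the unsolicited-probe line are constructed for the example, and real pf (NAT rewriting, state timeouts, sloppy/floating states) is far more elaborate than this 4-tuple lookup.

```python
"""Toy replay of pf's UDP state matching over the pflog lines from the thread.

Added illustration, not pf code: real pf's state engine is much more
elaborate; this models only the 4-tuple keying that the thread says makes
the reply from port 61144 unmatchable.
"""
import re
from dataclasses import dataclass

# The two pflog lines quoted in the thread, joined back onto one line each
# (address redactions kept exactly as posted).
POSTED_LOG = [
    "Apr 22 14:53:52.935466 rule 18/(match) pass out on xl0: "
    "24.XX.XX.X.50599 > 216.XXX.XX.XX.53: [|domain]",
    "Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: "
    "216.XXX.XX.XX.61144 > 24.XX.XX.X.50599: udp 116 [tos 0x20]",
]

# Constructed for this example: the same reply as the well-behaved tinydns
# host would send it, i.e. sourced from port 53.
REPLY_FROM_53 = (
    "Apr 22 14:53:53.015842 rule 13/(match) block in on xl0: "
    "216.XXX.XX.XX.53 > 24.XX.XX.X.50599: udp 116 [tos 0x20]"
)

# Constructed for this example: an unrelated host sending UDP to the same
# ephemeral port, to show what a stateless 'pass in' rule lets through.
UNSOLICITED_PROBE = (
    "Apr 23 00:00:00.000000 rule 13/(match) block in on xl0: "
    "198.51.100.7.9999 > 24.XX.XX.X.50599: udp 116"
)

# pflog/tcpdump prints host.port; the last dotted component is the port.
_LINE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int
    logged_action: str  # what pflog recorded for this packet


def parse_pflog(line: str) -> Packet:
    m = _LINE.search(line)
    if m is None:
        raise ValueError(f"unrecognised pflog line: {line!r}")
    return Packet(m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["action"])


class UdpStateTable:
    """State is keyed on the full 4-tuple of the packet that created it.
    A packet going the other way matches only if it is the exact mirror
    image: (dst, dport, src, sport) of the reply == (src, sport, dst, dport)
    of the query. A reply sourced from 61144 instead of 53 is a different key."""

    def __init__(self):
        self._keys = set()

    def add(self, pkt: Packet) -> None:
        self._keys.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def matches_reply(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._keys


def filter_packet(pkt, table, stateless_in_ports=frozenset()) -> str:
    """Rules modelled (assumed from the log): 'pass out ... keep state' for
    outbound, default 'block in'. stateless_in_ports models the workaround
    the thread mentions: a stateless 'pass in proto udp to port <set>' that
    needs no matching state entry."""
    if pkt.direction == "out":
        table.add(pkt)
        return "pass"
    if table.matches_reply(pkt):
        return "pass"
    if pkt.dport in stateless_in_ports:
        return "pass"  # nobody checked who sent it or whether we asked
    return "block"


def replay(lines, stateless_in_ports=frozenset()):
    """Feed lines through one fresh state table; return the verdict per line."""
    table = UdpStateTable()
    return [filter_packet(parse_pflog(l), table, stateless_in_ports) for l in lines]


if __name__ == "__main__":
    ephemeral = range(1024, 65536)
    print(replay(POSTED_LOG))                          # ['pass', 'block']
    print(replay(POSTED_LOG[:1] + [REPLY_FROM_53]))    # ['pass', 'pass']
    print(replay(POSTED_LOG, ephemeral))               # ['pass', 'pass']
    print(replay([UNSOLICITED_PROBE], ephemeral))      # ['pass']
```

The third and fourth calls show the trade-off Daniel describes: passing replies statelessly to the ephemeral range does let the port-61144 answer through, but the same rule passes any UDP datagram from anyone to any high port, which is why fixing (or dropping) the misbehaving server is the better answer.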