I did the capture on the DMZ interface.
Best regards

2008/8/22 Chris Buechler <[EMAIL PROTECTED]>:
> On Fri, Aug 22, 2008 at 4:18 PM, Aliet Santiesteban Sifontes
> <[EMAIL PROTECTED]> wrote:
>> Hi list, I'm currently migrating our DNS server to the new BIND releases
>> due to the Kaminsky vulnerability, but I'm hitting a rock because of the
>> disabling of the EDNS protocol. To test this, I first disabled the
>> firewall in pfSense and in the OS, but BIND is still not able to work
>> with the EDNS protocol. The guys at ISC told me this:
>>
>> "disabling EDNS" is issued when named experiences too many
>> timeouts to EDNS queries and named decides to give up on
>> EDNS and revert to plain old DNS.   Now timeouts can be the
>> result of many things.  Broken nameservers that don't respond
>> to EDNS queries.  Firewalls that block EDNS queries.
>> Firewalls that block fragmented responses.  Firewalls/NATs
>> that don't handle out of order fragments
>>
>> So, my questions are:
>> Does pfSense handle fragmented responses well?
>> Does pfSense handle out-of-order fragments well?
>
> Yes and yes. Scrub will reassemble them and pass them on.
>
>
>
>> I will send a capture I did on the DMZ interface where I can see that
>> old plain DNS queries work OK, but EDNS fails with a port unreachable
>> when using high UDP ports.
>> Any ideas?
>>
>
> Where is the unreachable coming from? Do you see it on your WAN or
> just the inside interface?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

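One way to separate the three cases the ISC explanation above lists (plain DNS fails, EDNS queries are dropped, or only large answers that fragment are lost), as an added example that is not part of this thread and not code from BIND, ISC or pfSense. It builds raw DNS and EDNS0 queries on the wire, parses the reply header and OPT record, and maps the outcomes of three probes onto those causes. The server address, the probed name, the use of a DNSKEY query with DO set to get a large answer, and the assumption that an ICMP port unreachable surfaces as ConnectionRefusedError on a connected UDP socket (Linux behaviour) are assumptions of this example.

```python
"""Probe whether EDNS queries and large (fragmented) DNS answers pass a firewall.

Added example, not from the original thread. Wire format per RFC 1035 / RFC 6891.
"""
import random
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_DNSKEY = 48
DNS_TYPE_OPT = 41
DO_BIT = 0x8000  # DNSSEC OK flag in the 32-bit OPT "TTL" field (ext-rcode, version, flags)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNS_TYPE_A, edns_bufsize=None, dnssec_ok=False, txid=None):
    """Return a DNS query; with edns_bufsize set, append an EDNS0 OPT pseudo-RR."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # IN class
    if edns_bufsize is None:
        return header + question
    ttl = DO_BIT if dnssec_ok else 0
    # OPT RR: root name, type 41, CLASS = advertised UDP payload size, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_bufsize, ttl, 0)
    return header + question + opt


def skip_name(data, offset):
    """Skip a possibly compressed name; return the offset just past it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_message(data):
    """Extract header flags and the EDNS OPT record (if present) from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "edns_bufsize": None, "do": False}
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            info["edns_bufsize"] = rclass
            info["do"] = bool(ttl & DO_BIT)
            info["rcode"] |= (ttl >> 24) << 4         # extended RCODE upper bits
    return info


def probe(server, name, qtype=DNS_TYPE_A, edns_bufsize=None, dnssec_ok=False, timeout=3.0):
    """Send one UDP query; return ('ok', parsed), ('timeout', None) or ('unreachable', None).

    A connected UDP socket is used so that an ICMP port unreachable is reported as
    ConnectionRefusedError (assumed Linux behaviour).
    """
    query = build_query(name, qtype, edns_bufsize, dnssec_ok)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, 53))
        sock.send(query)
        while True:
            data = sock.recv(65535)
            if len(data) >= 12 and data[:2] == query[:2]:  # match the transaction ID
                return "ok", parse_message(data)
    except socket.timeout:
        return "timeout", None
    except ConnectionRefusedError:
        return "unreachable", None
    finally:
        sock.close()


def diagnose(plain, edns_small, edns_large):
    """Map three probe outcomes onto the causes ISC lists for 'disabling EDNS'."""
    if plain != "ok":
        return "plain DNS fails too: not an EDNS problem, check reachability and firewall rules"
    if edns_small != "ok":
        return "EDNS queries blocked or dropped even when the answer fits in 512 bytes"
    if edns_large != "ok":
        return "large EDNS answers lost: fragments (or out-of-order fragments) not passing"
    return "EDNS and fragmented responses pass"


def run_probes(server, name):
    """Plain DNS, EDNS with a 512-byte buffer, then a DNSKEY+DO query that should fragment."""
    plain, _ = probe(server, name)
    small, _ = probe(server, name, edns_bufsize=512)
    large, _ = probe(server, name, qtype=DNS_TYPE_DNSKEY, edns_bufsize=4096, dnssec_ok=True)
    return diagnose(plain, small, large)
```

Run `run_probes("192.0.2.53", "example.com")` (both values assumed) from a host on each side of the firewall: if the inside host gets "EDNS and fragmented responses pass" but the DMZ host does not, the drop is between them, which is the same distinction the "where is the unreachable coming from" question above is trying to make.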