From owner-freebsd-questions@FreeBSD.ORG Thu Apr 7 13:04:59 2005
Message-ID: <42552FF8.1030708@haystacks.org>
Date: Thu, 07 Apr 2005 09:04:56 -0400
From: Eric McCoy
To: faisal gillani
cc: FreeBSD
Subject: Re: DNS Names resolution in ipfw+nat ?
In-Reply-To: <20050407111845.70181.qmail@web51110.mail.yahoo.com>

faisal gillani wrote:
> Well, I read a couple of how-to articles on the internet
> regarding setting up an ipfw firewall with NAT to allow
> your private network clients to set up internet access,
> but there is one thing that isn't clear to me, which was not
> present in any of the articles: how are the
> internal clients going to resolve internet host names?

Generally speaking, a program looking to resolve a hostname to an IP will first consult /etc/hosts, which is a simple text file you can examine or edit as you wish.
If the hostname which needs to be resolved isn't present in that file, the program will consult DNS via the network. DNS uses port 53 and it can use either TCP or UDP, though in practice a client will never use TCP. (TCP is used mainly for zone transfers and the like, which are server-to-server.)

The rule of thumb for Unix is not to use hostnames in startup scripts, because it's possible that DNS will not be available when they are run. It can take over a minute for a DNS query to time out. Besides, it also makes you vulnerable to DNS hijacking. Instead, use IPs or put an entry in /etc/hosts if you must.

Incidentally, the firewall rules to allow DNS would be

    ipfw add allow tcp from me to any 53 setup keep-state
    ipfw add allow udp from me to any 53 keep-state

As a technical aside, the name resolution path I described above is not the way it has to work, just the way it is configured by default.

> will this be autoconfigured ?

No, though the above rules should be in the sample ipfw script which comes with FreeBSD.
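As an added example, not part of the original mail and not FreeBSD's own rc.firewall script: a POSIX sh dry-run that emits the two ipfw DNS rules given in the reply and extends them to the internal clients the question actually asked about. The variable name fwcmd (defaulting to echo so the rules are printed rather than loaded), the internal network 192.168.1.0/24 and the check-state rule placement are assumptions; the natd divert rule for the outside interface is not shown and is assumed to be in place as in the sample script.

```shell
#!/bin/sh
# Added example (not from the original mail): emit the ipfw rules that let
# both the NAT gateway itself ("me") and the internal clients reach DNS.
# fwcmd defaults to "echo" so the script prints rules instead of applying
# them; set fwcmd=/sbin/ipfw on the gateway to load them for real.
# The internal network 192.168.1.0/24 below is a constructed placeholder.

fwcmd="${fwcmd:-echo}"

# dns_rules NET emits four rules: UDP and TCP, for the gateway ("me")
# and for the internal clients in NET.  "keep-state" creates a dynamic
# rule that matches the reply, so nothing needs to be opened inbound;
# "setup" restricts the TCP rule to the connection-opening SYN, so
# unsolicited TCP segments to port 53 never create state.
dns_rules() {
    net="$1"
    # DNS from the gateway itself (the two rules quoted in the reply)
    ${fwcmd} add allow udp from me to any 53 keep-state
    ${fwcmd} add allow tcp from me to any 53 setup keep-state
    # DNS from the internal clients behind the NAT
    ${fwcmd} add allow udp from "${net}" to any 53 keep-state
    ${fwcmd} add allow tcp from "${net}" to any 53 setup keep-state
}

# ruleset NET puts an explicit check-state in front of the DNS rules so
# that returning answers are matched against the dynamic state before
# any later rule (such as a final deny) can see them.
ruleset() {
    ${fwcmd} add check-state
    dns_rules "$1"
}

# Dry run: prints the rules that would be loaded on the gateway.
ruleset 192.168.1.0/24
```

Running it as-is prints five rules; the same script with `fwcmd=/sbin/ipfw` loads them. The rules use the address of the internal network rather than `any` as the source so that only hosts on the inside interface can open DNS state through the gateway.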