From owner-freebsd-questions Wed Apr 21 16: 1:30 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 6E840153C2 for ; Wed, 21 Apr 1999 16:01:22 -0700 (PDT) (envelope-from benh@jpj.net)
Received: from [192.168.10.2] (xlate-217-192.webster.edu [199.217.217.192]) by blues.jpj.net (right/backatcha) with ESMTP id SAA26045 for ; Wed, 21 Apr 1999 18:58:52 -0400 (EDT)
X-Sender: benh@blues.jpj.net
Message-Id:
In-Reply-To:
References: <371DF92D.1C74@asgard.slcc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 21 Apr 1999 17:58:50 -0500
To: freebsd-questions@freebsd.org
From: Ben Hockenhull
Subject: Re: DNS through a firewall
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>DNS packets all travel on port 53, so allow the port for incoming and
>outgoing traffic.

Not exactly. DNS queries, whether TCP or UDP, are sent to destination port 53. However, you can't count on the source port.

BIND 4.x sources DNS traffic from port 53, so it used to be that you could count on nameserver-to-nameserver traffic to have port 53 as both source and destination port, and you could filter accordingly.

BIND 8 doesn't do this. It sources DNS queries on high-numbered ports, as do most end-node resolvers. There is a named.conf option to force BIND 8 to the old behaviour.

Ben

--
Ben Hockenhull
benh@jpj.net
"Revenge is a dish best served with pinto beans and muffins."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
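The following is an added illustration, not part of Ben's reply or anything from the FreeBSD list. It models the three firewall policies the thread is circling in plain Python: the old "port 53 at both ends" rule that only fits BIND 4.x server-to-server traffic, a stateless rule that relies solely on the destination port as the reply says you can, and the same destination-port rule made stateful so an inbound packet is admitted only as the answer to a query the firewall saw leave. Every packet, address (RFC 5737 documentation ranges) and port in the sample traffic is constructed for the example.

```python
"""Three ways to filter DNS at a stateless/stateful firewall, compared on
constructed sample traffic. Added example; not code from the mailing list."""
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the firewall, described from our side."""
    proto: str        # "udp" or "tcp" (queries may use either, both go to 53)
    direction: str    # "out" = leaving our network, "in" = arriving from outside
    local_port: int   # our port: source when out, destination when in
    remote_addr: str  # the other party (constructed documentation address)
    remote_port: int  # their port: destination when out, source when in


def port53_both_ends(pkt, _state=None):
    """The BIND 4.x assumption: nameserver traffic has port 53 at BOTH ends.
    Drops every query that BIND 8 or an end-node resolver sources from a
    high-numbered port, which is the point of the reply above."""
    return pkt.local_port == DNS_PORT and pkt.remote_port == DNS_PORT


def stateless_dst53(pkt, _state=None):
    """Rely only on what can be relied on: queries go TO 53 and the answer
    comes FROM 53. Stateless, so it also admits any inbound packet that merely
    carries source port 53, whether or not we ever asked that host anything."""
    return pkt.remote_port == DNS_PORT


def stateful_dst53(pkt, state):
    """Same destination-port rule, but remember each outbound query and admit
    an inbound packet only if it matches a query we saw leave."""
    key = (pkt.proto, pkt.local_port, pkt.remote_addr)
    if pkt.direction == "out":
        if pkt.remote_port != DNS_PORT:
            return False
        state.add(key)          # a pending query awaiting its answer
        return True
    return pkt.remote_port == DNS_PORT and key in state


# Constructed sample traffic, in the order the firewall would see it.
SAMPLE_TRAFFIC = [
    # BIND 4 style server-to-server query: sourced from 53, sent to 53
    Packet("udp", "out", 53, "192.0.2.53", 53),
    # BIND 8 / end-node resolver query: sourced from a high-numbered port
    Packet("udp", "out", 32778, "192.0.2.53", 53),
    # The answer to that query, coming back from port 53 to the high port
    Packet("udp", "in", 32778, "192.0.2.53", 53),
    # Inbound packet with source port 53 from a host we never queried
    Packet("udp", "in", 32778, "198.51.100.7", 53),
]

POLICIES = {
    "port53_both_ends": port53_both_ends,
    "stateless_dst53": stateless_dst53,
    "stateful_dst53": stateful_dst53,
}


def run_policy(policy, packets):
    """Apply one policy to a packet sequence; returns the allow/deny decisions."""
    state = set()
    return [policy(p, state) for p in packets]


def compare_policies(packets=SAMPLE_TRAFFIC):
    """Decisions of every policy on the same traffic, keyed by policy name."""
    return {name: run_policy(fn, packets) for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, decisions in compare_policies().items():
        verdicts = ", ".join("allow" if d else "deny" for d in decisions)
        print(f"{name:18s} {verdicts}")
```

Run as a script, the first policy allows only the BIND 4 style query and denies the resolver query and its answer, the stateless policy allows all four packets including the unsolicited one, and the stateful policy allows the query and its matching answer while denying the unsolicited inbound packet. For completeness: the named.conf setting Ben alludes to but does not name is `query-source address * port 53;` in the `options` block of BIND 8, which pins the query source port back to 53 so the old both-ends rule matches again; the stateful approach is the tighter choice when the firewall supports it, because a stateless rule that admits anything from source port 53 admits far more than DNS answers.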