I don't think that in the general case DNS traffic will only be
between ports 53.
Consider the mailing process on your average workstation.
It cannot get port 53 (either because only root can get
it, or because named already has it). So if it tries to do some
lookup, it will originate from another port.
On a firewall itself, you can think of similar stuff. Say the
firewall is also the mail dispatcher. So it runs a sendmail. This
sendmail will have to use DNS itself also.
The configuration for this DNS system could specify a list of
DNS servers to talk to if the local one fails. [Not sure whether
this is wise on the firewall...] Then sendmail will need to talk
to a DNS server. Again, sendmail certainly doesn't have port 53
because named has it.
> The suggestion has been made that a way to handle DNS through the
> firewall should rely on the fact that DNS-DNS queries come from and
> go through port 53. I've been told that that's no longer true with
> Solaris. Does anyone have any experience with this?
E-Mail: db @
be (or uunet!mcsun!ub4b!sunbim!db)
Telephone: +32(2)759.59.25 Fax : +32(2)759.47.95
Postal Mail :
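Added example, not part of the original post or thread: a small packet-filter model in Python that makes the point above concrete. It compares the "both ends on port 53" rule that the quoted message describes with a stateful rule that records each outbound query to port 53 and passes only the matching reply. Hostnames ("fw", "ns.example", "unknown-host"), port numbers and the Flow record are constructed sample data, not taken from any real firewall or from the original message.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One datagram, as a packet filter would see it (constructed model)."""
    proto: str       # "udp" or "tcp"
    src: str         # source host
    sport: int       # source port
    dst: str         # destination host
    dport: int       # destination port
    direction: str   # "out" = inside -> outside, "in" = outside -> inside


def strict_53_only(f: Flow) -> bool:
    """The rule from the quoted message: DNS is only ever 53 <-> 53.

    This passes named-to-named traffic but drops every query made by a
    stub resolver (sendmail, a workstation library call), because those
    originate from an unprivileged high port, not from 53.
    """
    return f.proto in ("udp", "tcp") and f.sport == 53 and f.dport == 53


class DnsFilter:
    """Stateful alternative: allow any inside host to query port 53 from any
    source port, then admit only the reply that matches a query we saw leave.

    Keeping state is what avoids the classic mistake of statically allowing
    "source port 53 to any high port inbound", which anyone can satisfy by
    picking port 53 as their source port.
    """

    def __init__(self, inside_hosts: Set[str]) -> None:
        self.inside = set(inside_hosts)
        # (client host, client port, server host) tuples awaiting a reply
        self.pending: Set[Tuple[str, int, str]] = set()

    def allow(self, f: Flow) -> bool:
        if f.proto not in ("udp", "tcp"):
            return False
        if f.direction == "out":
            if f.src in self.inside and f.dport == 53:
                self.pending.add((f.src, f.sport, f.dst))
                return True
            return False
        # inbound: it must be the reply to a query we recorded, reversed
        key = (f.dst, f.dport, f.src)
        if f.sport == 53 and key in self.pending:
            self.pending.discard(key)   # one query, one reply (UDP model)
            return True
        return False


# Constructed sample traffic for the scenario in the message above:
# the firewall ("fw") runs both named and sendmail.
SAMPLE_FLOWS: List[Tuple[str, Flow]] = [
    ("named-to-named query",      Flow("udp", "fw",           53,    "ns.example", 53,    "out")),
    ("sendmail resolver query",   Flow("udp", "fw",           40123, "ns.example", 53,    "out")),
    ("reply to sendmail",         Flow("udp", "ns.example",   53,    "fw",         40123, "in")),
    ("replayed duplicate reply",  Flow("udp", "ns.example",   53,    "fw",         40123, "in")),
    ("unsolicited from port 53",  Flow("udp", "unknown-host", 53,    "fw",         40123, "in")),
]


def run_sample() -> Dict[str, Tuple[bool, bool]]:
    """Return {flow name: (strict rule verdict, stateful rule verdict)}."""
    flt = DnsFilter(inside_hosts={"fw", "workstation"})
    return {name: (strict_53_only(f), flt.allow(f)) for name, f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, (strict, stateful) in run_sample().items():
        print(f"{name:28s} strict={strict!s:5s} stateful={stateful}")
```

Running it shows the strict rule passing only the named-to-named exchange, while the stateful filter also passes sendmail's query from port 40123 and its one reply, and still drops the replayed duplicate and the unsolicited packet that merely happens to come from source port 53.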