Great Circle Associates Firewalls
(February 1994)


Subject: Re: DNS through a packet filter
From: db @ whitney . sunbim . be (Danny Backx)
Date: Mon, 14 Feb 1994 17:37:07 --100
To: firewalls @ GreatCircle . COM, smb @ research . att . com


I don't think that in the general case DNS traffic will only be
between ports 53.

Consider the mailing process on your average workstation.
It cannot get port 53 (either because only root can get
it, or because named already has it). So if it tries to do some
lookup, it will originate from another port.

On a firewall itself, you can think of similar stuff. Say the
firewall is also the mail dispatcher. So it runs a sendmail. This
sendmail will have to use DNS itself also.
The configuration for this DNS system could specify a list of
DNS servers to talk to if the local one fails. [Not sure whether
this is wise on the firewall...] Then sendmail will need to talk
to a DNS server. Again, sendmail certainly doesn't have port 53
because named has it.


> The suggestion has been made that a way to handle DNS through the
> firewall should rely on the fact that DNS-DNS queries come from and
> go through port 53.  I've been told that that's no longer true with
> Solaris.  Does anyone have any experience with this?
	Danny Backx
	System Engineer

E-Mail: db @ sunbim . be    (or uunet!mcsun!ub4b!sunbim!db)

Telephone: +32(2)759.59.25	Fax : +32(2)759.47.95

Postal Mail :
	Danny Backx
	Kwikstraat 4
	3078 Everberg
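
The point raised in this message, as an added example that is not part of the original post: a first-match, default-deny stateless packet filter modelled in Python, comparing a "port 53 to port 53 only" policy with one that also admits resolver clients on unprivileged ports. The rule model, the UDP-only scope, the ephemeral port 1234 and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

DNS = range(53, 54)            # the DNS port
UNPRIV = range(1024, 65536)    # ports an unprivileged process can bind

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src_ports: range
    dst_ports: range

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.src_port in self.src_ports
                and pkt.dst_port in self.dst_ports)

def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The quoted suggestion: DNS only ever flows between ports 53.
STRICT = [Rule("permit", "udp", DNS, DNS)]

# Also allow resolver clients (e.g. sendmail) on unprivileged ports. Being
# stateless, the reply rule admits any UDP packet with source port 53.
RELAXED = STRICT + [
    Rule("permit", "udp", UNPRIV, DNS),   # client query
    Rule("permit", "udp", DNS, UNPRIV),   # server reply
]

# Constructed sample traffic; port 1234 is an arbitrary ephemeral port.
SAMPLES = {
    "named to named": Packet("udp", 53, 53),
    "sendmail query": Packet("udp", 1234, 53),
    "reply to sendmail": Packet("udp", 53, 1234),
    "unrelated udp": Packet("udp", 2049, 1234),
}

def audit(rules):
    """Return the filter's verdict for each constructed sample packet."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Under the strict policy only the named-to-named exchange passes, so a sendmail lookup from an unprivileged port is dropped in both directions.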
