Have you looked at your firewall logs to see what might be getting blocked?
To fully support DNS you should allow both 53/udp and 53/tcp in to your
nameserver. (Please, list, let's not argue once again about the need for
TCP - it's required by the RFCs, and some things break if you don't allow
it.)
And, of course, you must allow the response traffic back out - source port
53 on your nameserver, any destination port.
You should be aware that running a nameserver this way (inside the
firewall, but allowing queries from the Internet) exposes your internal
network more than most of us would accept. It was just a few weeks ago
that a BIND daemon compromise was found for most then-extant versions.
Better security is obtained by running a separate nameserver on your DMZ
(outside your main firewall). Yes, such a server is still exposed, but if
it's compromised the attacker still has to get through the firewall to
feast on your internal network.
Tony Rall
"Edward Ingram" <[EMAIL PROTECTED]>@Lists.GNAC.NET on 2001-04-12 17:42:03
I have a DNS server inside our firewall. People outside the firewall
(Universe) need to access this DNS server to resolve requests. I've tried
opening up UDP 53 on the firewall, but requests still aren't going through.
I know the DNS server is working because it fulfills requests sent to it
from clients on the inside of the firewall. Is that the right port to use?
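The rule set Tony describes (53/udp and 53/tcp inbound to the nameserver, plus the nameserver's replies from source port 53 to any destination port back out), modelled as a small stateless allow-list so the two rule sets can be compared side by side. This is an added example and is not code from either poster; the nameserver address 192.0.2.53, the client address, the chain names FW-IN/FW-OUT and the rule table itself are constructed assumptions, not anyone's actual firewall.

```python
"""Stateless packet-filter model for the DNS rules discussed in the thread.

Added example, not from the original posts. The addresses (TEST-NET ranges),
chain names and rule tables below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

NAMESERVER = "192.0.2.53"  # assumed address of the internal nameserver


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = from the Internet, "out" = towards the Internet


@dataclass(frozen=True)
class Rule:
    """An allow rule; any field left as None matches everything."""
    direction: str
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.src, p.src), (self.sport, p.sport),
            (self.dst, p.dst), (self.dport, p.dport),
        )
        return all(want is None or want == got for want, got in pairs)


# Rule set 1: what the original poster opened -- UDP 53 inbound, nothing else.
UDP_ONLY = [Rule("in", "udp", dst=NAMESERVER, dport=53)]

# Rule set 2: what the reply recommends -- 53/udp and 53/tcp in, and the
# nameserver's replies (source port 53, any destination port) back out.
FULL_DNS = [
    Rule("in", "udp", dst=NAMESERVER, dport=53),
    Rule("in", "tcp", dst=NAMESERVER, dport=53),
    Rule("out", "udp", src=NAMESERVER, sport=53),
    Rule("out", "tcp", src=NAMESERVER, sport=53),
]


def allowed(rules: List[Rule], p: Packet) -> bool:
    """Allow-list semantics: a packet passes if any rule matches, else it is dropped."""
    return any(r.matches(p) for r in rules)


def dns_exchange_ok(rules: List[Rule], proto: str,
                    client: str = "198.51.100.7", cport: int = 40000) -> bool:
    """A lookup only works if BOTH the query in and the reply out are allowed."""
    query = Packet(proto, client, cport, NAMESERVER, 53, "in")
    reply = Packet(proto, NAMESERVER, 53, client, cport, "out")
    return allowed(rules, query) and allowed(rules, reply)


def as_iptables(rules: List[Rule]) -> List[str]:
    """Render the rule list as iptables commands (chain names FW-IN/FW-OUT are assumed)."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", "FW-IN" if r.direction == "in" else "FW-OUT"]
        if r.proto:
            parts += ["-p", r.proto]
        if r.src:
            parts += ["-s", r.src]
        if r.sport:
            parts += ["--sport", str(r.sport)]
        if r.dst:
            parts += ["-d", r.dst]
        if r.dport:
            parts += ["--dport", str(r.dport)]
        lines.append(" ".join(parts + ["-j", "ACCEPT"]))
    return lines


if __name__ == "__main__":
    for name, rules in (("UDP_ONLY", UDP_ONLY), ("FULL_DNS", FULL_DNS)):
        for proto in ("udp", "tcp"):
            print(f"{name:9s} {proto}: {'works' if dns_exchange_ok(rules, proto) else 'broken'}")
    print("\n".join(as_iptables(FULL_DNS)))
```

With `UDP_ONLY` even a plain UDP lookup fails in this model, because the query gets in but the reply from source port 53 has no rule letting it out; `FULL_DNS` passes both UDP and TCP exchanges, while unrelated traffic to the nameserver (say, 22/tcp) is still dropped. On a stateful firewall the two explicit "out" rules are normally replaced by a single rule accepting ESTABLISHED/RELATED return traffic (`-m conntrack --ctstate ESTABLISHED,RELATED`), which also avoids accepting arbitrary outbound packets merely because they carry source port 53.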