On 12/20/05, Buzz Kill [EMAIL PROTECTED] wrote:
A quick look at RFCs 1034 and 1035 shows how DNS works. Most setups
(I'd say 99%) will need both of these ports open, assuming you want
the world to access services running within your domain that rely on
DNS/BIND (which is like 99% of them).
I'm the OP, and following up my own posting with the results (and a
small rant).
When I created a new, separate rule that passed UDP and TCP for port 53
only, things appeared to start working, and I see no more blocked
domain traffic. Although I was certain I did exactly this earlier (or
the
Would it be because DNS sometimes talks UDP? (I forget the details.)
Thanks - that was my first thought, but (a) the blocked packets show up
as TCP, not UDP, and (b) I still had the problem even when I added UDP
explicitly to the pass rule I show.
So I'm still stuck.
/jon/
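The diagnosis the poster describes above (checking whether the blocked port 53 packets in the pflog output are TCP or UDP, which tells you whether the pass rule is missing a protocol) can be automated. The script below is an added example, not code from any participant in this thread; the log lines it parses are constructed in the tcpdump-on-pflog style the original post quotes, with the destination address and the remainder of each line assumed.

```python
import re
from collections import Counter

# Constructed sample in the format of the original post's log line; the
# original shows only the prefix up to the source address, so the rest is assumed.
SAMPLE_LOG = """\
Dec 18 05:55:43 rule 33/(match) block in on xl2: 192.168.3.2.34353 > 10.0.0.53.53: S 1234:1234(0) win 16384 (DF)
Dec 18 05:55:44 rule 33/(match) block in on xl2: 192.168.3.2.34354 > 10.0.0.53.53: S 5678:5678(0) win 16384 (DF)
Dec 18 05:56:01 rule 12/(match) pass in on xl2: 192.168.3.2.40001 > 10.0.0.53.53: 4321+ A? www.example.com. (33)
Dec 18 05:56:02 rule 33/(match) block in on xl2: 192.168.3.2.40002 > 10.0.0.53.53: udp 28
Dec 18 05:57:10 rule 33/(match) block in on xl2: 192.168.3.7.51000 > 10.0.0.9.80: S 1:1(0) win 65535
"""

# "rule N/(match)" as on the page; newer tcpdump prints "rule N/0(match)", hence \d*.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a pf match line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    first = rec.pop("rest").split(" ", 1)[0]
    # tcpdump prints the TCP flags field first (S, ., P, F, R) for TCP segments;
    # UDP datagrams show either "udp <len>" or a decoded DNS query instead.
    rec["proto"] = "tcp" if re.fullmatch(r"[SFRP.]+", first) else "udp"
    rec["syn"] = rec["proto"] == "tcp" and "S" in first
    return rec

def blocked_protocols(log_text, port=53):
    """Count blocked packets to `port` by transport protocol.

    A non-empty 'tcp' entry means the pass rule for the port does not cover
    TCP (the situation described in the thread); 'udp' means UDP is missing.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and rec["dport"] == str(port):
            counts[rec["proto"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(blocked_protocols(SAMPLE_LOG))  # {'tcp': 2, 'udp': 1}
```

A pass rule written as `proto { tcp, udp }` rather than `proto udp` alone clears both entries; pf rule syntax is assumed from pf.conf, not taken from this thread.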
DNS primarily goes over UDP. You need to open up udp/53.
Again, I opened up both TCP and UDP ports, but the effect was the same.
In any case, refer back to the original posting - the blocked packet
from the tcpdump shown is clearly of a TCP packet (it would say UDP
at the end otherwise).
the
Yup. TCP is only when resolving multiple requests (e.g. when running
netstat -a)
--
http://www.lightconsulting.com/~travis/ -- You are free... to do as
we tell you!
My love for mathematics is like 1/x as x approaches 0.
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
I believe DNS lookups will ordinarily use UDP but may use TCP for larger
transfers (like the 20 addresses returned for yahoo.com).
It is my understanding (and experience) that DNS requires both UDP 53 and
TCP 53 open through a firewall to avoid problems.
Mike
On Mon, 19 Dec 2005, ed
On 19 Dec 2005 21:41:02 -0800, Jonathan Rogers [EMAIL PROTECTED] wrote:
In any case, refer back to the original posting - the blocked packet
from the tcpdump shown is clearly of a TCP packet (it would say UDP
at the end otherwise).
It doesn't say S(YN), and I don't know what label does.
You
Jonathan Rogers wrote:
DNS primarily goes over UDP. You need to open up udp/53.
Again, I opened up both TCP and UDP ports, but the effect was the same.
In any case, refer back to the original posting - the blocked packet
from the tcpdump shown is clearly of a TCP packet (it would say UDP
at
On Mon, 2005-12-19 at 20:15:12 -0500, Elijah Savage proclaimed...
DNS is mainly UDP traffic, at least queries are, because large DNS queries
can now spill over to TCP also. But mainly TCP is left for name server
to name server DNS transfers of domains.
Stop spreading these myths.
TCP is used
eric wrote:
On Mon, 2005-12-19 at 20:15:12 -0500, Elijah Savage proclaimed...
DNS is mainly UDP traffic, at least queries are, because large DNS queries
can now spill over to TCP also. But mainly TCP is left for name server
to name server DNS transfers of domains.
Stop spreading these myths.
On Mon, 19 Dec 2005 21:03:11 -0500 (EST)
[EMAIL PROTECTED] wrote:
I believe DNS lookups will ordinarily use UDP but may use TCP for larger
transfers (like the 20 addresses returned for yahoo.com).
It is my understanding (and experience) that DNS requires both UDP 53 and
TCP 53 open through
My new OpenBSD 3.8/pf firewall setup seems now to mostly be doing what
it's supposed to. There is one lingering problem, though, whose source I
just can't find. I'm getting occasional log messages like this (standard
tcpdump format):
Dec 18 05:55:43 rule 33/(match) block in on xl2: 192.168.3.2.34353
On 12/19/2005 04:33:27 PM, Jonathan Rogers wrote:
My new OpenBSD 3.8/pf firewall setup seems now to mostly be doing what
it's supposed to. There is one lingering problem, though, whose source I
just can't find. I'm getting occasional log messages like this (standard
tcpdump format):
pass in
On Mon, 19 Dec 2005 23:29:08 +
Karl O. Pinc [EMAIL PROTECTED] wrote:
Would it be because DNS sometimes talks UDP? (I forget the
details.)
Contrary to other people's views on this list I prefer DNS to talk UDP.
It's quicker for one thing as the query takes place in fewer bytes.
If UDP is