The problem…
There are lots of badly constructed firewalls.
- Some block source port != 53
- Some block source port < 1024
- Some block source port 1024-1030 (rpc ports)
- Some block source port ~7000 (irc ports)
If you have a nameserver you should allow traffic to port 53
on the nameserver regardless of the source port. It should
also allow reply traffic to any destination port.
…the right way
With a first match firewall you should have rules like:
stateful firewall
- check-state ; allow inbound replies
- allow any to nameserver 53 in ; allow inbound queries
- allow nameserver 53 to any out ; allow replies
- allow any to any 53 out keep-state ; allow outbound queries
- <put your general blocks here>
stateless firewall (query-source port 53)
- allow tcp established
- allow any to nameserver 53 in ; allow inbound queries and inbound replies
- allow nameserver 53 to any out ; allow replies
- allow udp any 53 to any 53 out ; allow outbound queries
- <put your general blocks here>
If you are worried about too much state being kept with the stateful
firewall, you can handle the recursive servers statelessly by
inserting a rule like this before the keep-state rule:
- allow udp <recursive server> 53 to any 53 out
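As an added illustration (not part of the original post, and not ipfw or any real firewall's code): a small Python simulator of a first-match firewall that applies the stateful rule set above to constructed DNS traffic, then shows how putting one of the "block source port < 1024" rules from the first section ahead of it silently drops the replies to the server's own outbound queries. The addresses, ports and the Pkt/FirstMatchFirewall names are assumptions made for the example.

```python
from collections import namedtuple

NS = "192.0.2.53"         # constructed: our nameserver
CLIENT = "198.51.100.7"   # constructed: remote host that queries us
REMOTE = "203.0.113.1"    # constructed: remote nameserver we query recursively
Pkt = namedtuple("Pkt", "proto src sport dst dport way")  # way: "in" or "out"
def key(p): return (p.proto, p.src, p.sport, p.dst, p.dport)         # kept by keep-state
def reply_key(p): return (p.proto, p.dst, p.dport, p.src, p.sport)   # flow p replies to

class FirstMatchFirewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()

    def decide(self, p):
        for action, match in self.rules:
            if action == "check-state":            # allow replies to kept flows
                if reply_key(p) in self.state:
                    return "allow"
            elif match(p):
                if action == "allow keep-state":   # remember the outbound flow
                    self.state.add(key(p))
                    return "allow"
                return action
        return "deny"                              # implicit default deny

# The stateful rule set from the text, in the order given there.
STATEFUL = [
    ("check-state", None),
    ("allow", lambda p: p.way == "in" and p.dst == NS and p.dport == 53),
    ("allow", lambda p: p.way == "out" and p.src == NS and p.sport == 53),
    ("allow keep-state", lambda p: p.way == "out" and p.dport == 53),
    ("deny", lambda p: True),                      # "general blocks"
]
# Badly constructed variant: a "block source port < 1024" rule placed first.
BROKEN = [("deny", lambda p: p.way == "in" and p.sport < 1024)] + STATEFUL

def run(rules, pkts):
    fw = FirstMatchFirewall(rules)
    return [fw.decide(p) for p in pkts]

# Constructed traffic: client query, our reply, our recursive query and its
# reply, a client querying from source port 53, and an unsolicited packet.
TRAFFIC = [
    Pkt("udp", CLIENT, 40000, NS, 53, "in"),
    Pkt("udp", NS, 53, CLIENT, 40000, "out"),
    Pkt("udp", NS, 51234, REMOTE, 53, "out"),
    Pkt("udp", REMOTE, 53, NS, 51234, "in"),
    Pkt("udp", CLIENT, 53, NS, 53, "in"),
    Pkt("udp", REMOTE, 53, NS, 4444, "in"),
]
```

With the correct rule order every packet but the unsolicited one is allowed; with the "< 1024" block in front, the reply to our own recursive query and the query from a client using source port 53 are both dropped.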
BIND has a built-in list of ports to which it will not respond
with error messages. It will also not reply to responses.
(ref)