From owner-freebsd-security Wed Jan 9 19:45:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from web11804.mail.yahoo.com (web11804.mail.yahoo.com [216.136.172.158]) by hub.freebsd.org (Postfix) with SMTP id CA97637B423 for ; Wed, 9 Jan 2002 19:45:27 -0800 (PST)
Message-ID: <20020110034527.76936.qmail@web11804.mail.yahoo.com>
Received: from [216.170.168.102] by web11804.mail.yahoo.com via HTTP; Wed, 09 Jan 2002 19:45:27 PST
Date: Wed, 9 Jan 2002 19:45:27 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith
Cc: "G.P. de Boer" , security@FreeBSD.ORG, Dave Raven
In-Reply-To: <20020109013014.57371.qmail@web11807.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

BSD Security Folks,

I solved the mystery. It looks like Cisco routers can mangle UDP packets involved in DNS queries. The NAT can translate addresses within the packet, as well as the destination, and this messes things up. This does not affect zone transfers (which I believe is all I really need to be authoritative on a domain or six) but does prevent access of my DNS server from outside our local net.

A search through the bind e-list didn't give me any solution to the problem, but at least I know I'm not nuts. Well, maybe a little nuts, but not about this ;-)

Thanks for the help, I'm off to work on the next conundrum....

Jason