From owner-freebsd-questions@FreeBSD.ORG Sat Nov 8 13:00:12 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1DADE16A4CE for ; Sat, 8 Nov 2003 13:00:12 -0800 (PST)
Received: from s1.stradamotorsports.com (ip30.gte215.dsl-acs2.sea.iinet.com [209.20.215.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D2EB43FE9 for ; Sat, 8 Nov 2003 13:00:09 -0800 (PST) (envelope-from jcw@highperformance.net)
Received: from s1.stradamotorsports.com (s1.stradamotorsports.com [192.168.1.201]) hA8L07wi016173 for ; Sat, 8 Nov 2003 13:00:07 -0800 (PST) (envelope-from jcw@highperformance.net)
Date: Sat, 8 Nov 2003 13:00:06 -0800 (PST)
From: "Jason C. Wells"
X-X-Sender: jcw@s1.stradamotorsports.com
To: freebsd-questions@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=0.0 required=5.0 tests=USER_AGENT_PINE version=2.55
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Subject: Firewall Making Many DNS PTR Queries
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 08 Nov 2003 21:00:12 -0000

If one of my clients makes a DNS query for a hostname that is not cached, my firewall subsequently makes a flurry of PTR queries. I am at a loss to explain why. For example:

XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
XX+/192.168.1.13/www.davinci.com/A/IN
XX+/192.168.1.1/49.0.229.193.in-addr.arpa/PTR/IN
XX+/192.168.1.1/10.24.230.130.in-addr.arpa/PTR/IN
XX+/192.168.1.1/132.248.214.128.in-addr.arpa/PTR/IN
XX+/192.168.1.1/10.102.230.130.in-addr.arpa/PTR/IN
XX+/192.168.1.1/64.46.214.128.in-addr.arpa/PTR/IN
XX+/192.168.1.1/64.4.214.128.in-addr.arpa/PTR/IN
... and many more ...

The firewall is 192.168.1.1.
But if I do the query on a cached hostname, no such weirdness occurs.

XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
XX+/192.168.1.13/www.davinci.com/A/IN

My DNS servers are behind the firewall. I use port translation to run the DNS through the firewall. The DNS queries complete successfully. I fixed the problem with my secondary nameserver not responding (thanks Pete Elkhe, my NAT was buggered).

The PTR records the firewall is seeking are mostly for nameservers. Sometimes the PTRs the firewall is looking for are not resolvable. The PTRs don't seem to be related to the domain in question.

What the heck is my firewall doing looking for those PTR records?

Thanks,
Jason C. Wells
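The query-log lines quoted in the post have the shape `XX+/client/name/type/class`. A small parser that groups those lines by client and query type makes the pattern the poster describes (one A lookup from a client, followed by a run of PTR lookups from the firewall) visible at a glance and can be pointed at a full query log to find which hosts are generating reverse-lookup bursts. The following is an added example, not code from the original post or from FreeBSD; the sample log is constructed from the lines quoted above plus one invented line, and the `ptr_bursts` threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the "XX+/client/name/type/class" shape quoted in the post.
# The first eight lines are the ones the poster showed; the last line is invented.
SAMPLE_LOG = """\
XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
XX+/192.168.1.13/www.davinci.com/A/IN
XX+/192.168.1.1/49.0.229.193.in-addr.arpa/PTR/IN
XX+/192.168.1.1/10.24.230.130.in-addr.arpa/PTR/IN
XX+/192.168.1.1/132.248.214.128.in-addr.arpa/PTR/IN
XX+/192.168.1.1/10.102.230.130.in-addr.arpa/PTR/IN
XX+/192.168.1.1/64.46.214.128.in-addr.arpa/PTR/IN
XX+/192.168.1.1/64.4.214.128.in-addr.arpa/PTR/IN
XX+/192.168.1.13/mail.example.net/A/IN
"""

# One query-log line: flag (+ recursion desired, - not), client IP, name, type, class.
LINE_RE = re.compile(
    r"^XX(?P<flag>[+-])/(?P<client>[^/]+)/(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^/]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed query-log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec.pop("flag") == "+"
    return rec


def ptr_to_ip(name):
    """Turn '49.0.229.193.in-addr.arpa' back into the dotted-quad '193.229.0.49'.

    Returns None if the name is not an IPv4 reverse-lookup name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(lbl.isdigit() and 0 <= int(lbl) <= 255 for lbl in labels):
        return None
    return ".".join(reversed(labels))


def summarize(log_text):
    """Map each client IP to a Counter of query types it issued."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the whole run
        per_client[rec["client"]][rec["qtype"]] += 1
    return per_client


def ptr_bursts(log_text, threshold=5):
    """Clients that issued at least `threshold` PTR queries, with the IPs they looked up.

    The threshold is an arbitrary choice for this example; tune it to the log volume.
    """
    looked_up = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "PTR":
            continue
        ip = ptr_to_ip(rec["name"])
        looked_up[rec["client"]].append(ip if ip is not None else rec["name"])
    return {client: ips for client, ips in looked_up.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for client, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(client, dict(counts))
    for client, ips in ptr_bursts(SAMPLE_LOG).items():
        print(f"{client} issued {len(ips)} PTR queries for: {', '.join(ips)}")
```

Run against the sample, the summary shows 192.168.1.13 issuing A queries plus a single PTR, while 192.168.1.1 (the firewall) issues only PTR queries, and `ptr_bursts` reports that client together with the addresses it tried to reverse-resolve. Those decoded addresses are the thing to check next: if they match the nameservers that answered the forward lookup, the reverse lookups are most likely being triggered by whatever on the firewall logs or inspects that traffic with name resolution turned on.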