From: Alex de Kruijff
Date: Sun, 09 Nov 2003 00:28:48 +0100
To: "Jason C. Wells"
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewall Making Many DNS PTR Queries
Message-id: <20031108232848.GB532@dds.nl>

On Sat, Nov 08, 2003 at 01:00:06PM -0800, Jason C. Wells wrote:
> If one of my clients makes a DNS query for a hostname that is not cached,
> my firewall subsequently makes a flurry of PTR queries. I am at a loss to
> explain why.
>
> For example:
>
> XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
> XX+/192.168.1.13/www.davinci.com/A/IN
> XX+/192.168.1.1/49.0.229.193.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/10.24.230.130.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/132.248.214.128.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/10.102.230.130.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/64.46.214.128.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/64.4.214.128.in-addr.arpa/PTR/IN
> ... and many more ...
>
> The firewall is 192.168.1.1.
>
> But if I do the query on a cached hostname, no such weirdness occurs.
>
> XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
> XX+/192.168.1.13/www.davinci.com/A/IN
>
> My DNS servers are behind the firewall. I use port translation to run the
> DNS through the firewall. The DNS queries complete successfully. I fixed
> the problem with my secondary nameserver not responding (thanks Pete
> Elkhe, my NAT was buggered).
>
> The PTR records the firewall is seeking are mostly for nameservers.
> Sometimes the PTRs the firewall is looking for are not resolvable. The
> PTRs don't seem to be related to the domain in question.
>
> What the heck is my firewall doing looking for those PTR records?

Could you mail the output of ipfw to me? I'll take a look in the morning
if I see something weird. (I'd prefer this command:
'ipfw s | mail -s 'ipfw & dns' freebsd-reply@akruijff.dds.nl')

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/