DNS Not Working to Some Sites

[BarryStiefel]

DNS Not Working to Some Sites



DNS queries from DNS servers sometimes come from source port 53 to destination port 53. By default, FireWall-1 will translate this to a "low" (below 1024) unused port. Many authoritative DNS servers have a problem with this. There are three ways to fix this problem:

*Configure your DNS server to perform DNS queries with a non-privileged (i.e. above 1023) port. Current versions of BIND do this by default (not sure about other DNS servers)

*Configure your DNS server to have a static address translation.

*Configure FireWall-1 to translate the "low" port to a "high" port instead. I currently only know how to do this on Unix, not NT, so don't ask.



The steps are as follows:

1. Stop the firewall (fwstop)
2. On Solaris: echo "fwx_udp_hide_high ?W35" | adb -w -k /dev/ksyms /dev/mem
3. On SunOS: echo "fwx_udp_hide_high ?W35" | adb -w $FWDIR/modules/fwmod.4.1.x.o
4. On HP/UX: echo "fwx_udp_hide_high ?W35" | adb -w /hp-ux
5. On IPSO: modzap _fwx_udp_hide_high 0x35 $FWDIR/bin/fwmod.o
6. Start the firewall (fwstart)

To make this change permanent on Solaris, add the following to /etc/system:To make this change permanent on Solaris, add the following to /etc/system:

set fw:fwx_udp_hide_high=0x35

I'm told that this may not work (though it did when I tried it). If it doesn't (or you're not running Solaris), add the appropriate "echo" command to the end of the fwstart script.

Another possible reason for this is because some domains implement load balancing and the reply packet actually comes from a different IP address, which may cause a problem if you have "Enable DNS Domain Queries" unchecked in Policy Properties. In this case, the firewall will drop the reply packets. The way to resolve this is to set up your DNS forwarders on your internal DNS servers to use an external DNS server.



-- RobertGraham - 23 Feb 2004

FAQForm FAQs.Class: TroubleshootingFAQs FAQs.OS: FAQs.Version: