carlopmart wrote:
Lars Hecking wrote:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    listen-on port 53 { 127.0.0.1; 172.25.50.10; };
    version "DNS Server v2.0";
    dnssec-enable no;
    query-source port 53;
    forwarders { 208.67.220.220; 208.67.222.222; };
};
As you can see, I need to use the "query-source port" param too with forwarders to resolve names (and this is really, really ugly).
Explicit query-source port breaks port randomisation and is highly insecure. Your problem may be an incorrectly configured firewall that only accepts outgoing queries originating from source port 53 - it needs to accept all outgoing queries for destination port 53.
Thanks Lars. Correct, the firewall could be the problem, but it isn't, because Ubuntu and Windows 2003/2008 don't have problems with it ... and resolve perfectly ... And I haven't configured this firewall to accept DNS queries originating from source port 53 ...
What does 'dig' show about your access to the root servers without forwarders and with and without forcing the query-source port? Compare it to the Ubuntu system. Maybe there's something wrong with the root hints file - or maybe your border firewall is blocking all UDP to this box but permitting it to the DNS servers that work.
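The point Lars raises (a pinned query-source port discards the source-port entropy BIND relies on against spoofed answers) can be turned into a configuration check. The script below is an added example, not code from the thread or from BIND: it scans an options block for `query-source` / `query-source-v6` statements that pin a numeric port and rewrites them to `port *` so named chooses a random port; the sample options block is constructed from the config posted above.

```python
import re

# Constructed sample: the options block posted in the thread, trimmed to the
# statements relevant to the check, including the pinned query-source port.
SAMPLE_OPTIONS = """
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 172.25.50.10; };
    dnssec-enable no;
    query-source port 53;
    forwarders { 208.67.220.220; 208.67.222.222; };
};
"""

# Matches "query-source" or "query-source-v6", with an optional address
# clause, followed by a port clause that is either a number or "*".
QUERY_SOURCE_RE = re.compile(
    r"(?P<stmt>query-source(?:-v6)?)\s*"
    r"(?:address\s+(?P<addr>[^\s;]+)\s*)?"
    r"port\s+(?P<port>\d+|\*)\s*;",
    re.IGNORECASE,
)


def find_fixed_query_source_ports(conf: str) -> list:
    """Return (statement, port) for every query-source that pins a port.

    With a fixed port, an attacker guessing a response only has to match
    the 16-bit transaction ID instead of TXID plus a random source port.
    """
    findings = []
    for m in QUERY_SOURCE_RE.finditer(conf):
        if m.group("port") != "*":
            findings.append((m.group("stmt"), int(m.group("port"))))
    return findings


def unpin_query_source_ports(conf: str) -> str:
    """Rewrite pinned ports to 'port *' so named picks a random source port.

    The firewall must then allow outgoing UDP/TCP to destination port 53
    from any source port, as Lars notes above.
    """
    def repl(m):
        addr_clause = f" address {m.group('addr')}" if m.group("addr") else ""
        return f"{m.group('stmt')}{addr_clause} port *;"
    return QUERY_SOURCE_RE.sub(repl, conf)


if __name__ == "__main__":
    for stmt, port in find_fixed_query_source_ports(SAMPLE_OPTIONS):
        print(f"{stmt} pins outgoing queries to port {port}; use 'port *' instead")
    print(unpin_query_source_ports(SAMPLE_OPTIONS))
```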