carlopmart wrote:
> Lars Hecking wrote:
>>> options {
>>>         directory "/var/named";
>>>         dump-file "/var/named/data/cache_dump.db";
>>>         statistics-file "/var/named/data/named_stats.txt";
>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>         listen-on port 53 { 127.0.0.1; 172.25.50.10; };
>>>         version "DNS Server v2.0";
>>>         dnssec-enable no;
>>>         query-source port 53;
>>>         forwarders { 208.67.220.220; 208.67.222.222; };
>>> };
>>
>>> As you can see, I need to use "query-source port" param too with forwarders to
>>> resolve names (and this is really really ugly).
>>
>> Explicit query-source port breaks port randomisation and is highly insecure.
>> Your problem may be an incorrectly configured firewall that only accepts
>> outgoing queries originating from source port 53 - it needs to accept all
>> outgoing queries for destination port 53.
>>
>>
>
> Thanks Lars. Correctly, firewall could be the problem, but it isn't. Because
> Ubuntu and Windows 2003/2008 doesn't have problems with it ... and resolves
> perfectly ... And I don't have configured this firewall to accept dns queries
> originating from source port 53 ...
>

What does 'dig' show about your access to the root servers without
forwarders and with and without forcing the query-source port? Compare
it to the Ubuntu system. Maybe there's something wrong with the root
hints file - or maybe your border firewall is blocking all udp to this
box but permitting it to the DNS servers that work.

--
   Les Mikesell
    lesmikesell at gmail.com
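
The following is an added example, not part of the thread or of BIND: a small audit that flags any `query-source` or `query-source-v6` statement pinning a fixed UDP source port, the setting the thread identifies as defeating port randomisation. The function names are hypothetical and the sample configuration is constructed from the options block quoted above.

```python
import re

# Constructed sample, modelled on the options block quoted in the thread.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 172.25.50.10; };
    dnssec-enable no;
    query-source port 53;   // the setting under discussion
    forwarders { 208.67.220.220; 208.67.222.222; };
};
'''

# Quoted strings are matched first so comment markers inside them survive.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# A query-source statement up to its terminating semicolon.
STMT_RE = re.compile(r'\b(query-source(?:-v6)?)\b([^;{}]*);')
# "port *" lets named pick the port; "port <n>" pins it.
PORT_RE = re.compile(r'\bport\s+(\*|\d+)')


def strip_comments(text):
    """Remove C, C++ and shell style comments, leaving quoted strings intact."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)


def fixed_query_source_ports(conf_text):
    """Return [(statement, port)] for each query-source with a pinned port."""
    findings = []
    for m in STMT_RE.finditer(strip_comments(conf_text)):
        port = PORT_RE.search(m.group(2))
        if port and port.group(1) != '*':
            findings.append((m.group(1), int(port.group(1))))
    return findings


if __name__ == "__main__":
    for stmt, port in fixed_query_source_ports(SAMPLE_CONF):
        print(f"{stmt}: outgoing queries pinned to source port {port}; "
              "remove the port clause to restore source port randomisation")
```
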