Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 2 subscribers
  • Views 10261 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking DNS access to root servers

SalishSwede
I notice in my logs the following:

[FONT=monospace]/var/log/packetfilter/2012/03/packetfilter-2012-03-13.log.gz:2012:03:13-19:03:02  wahine ulogd[6021]: id="2001" severity="info" sys="SecureNet"  sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003"  outitf="eth1" srcmac="0:c:29:67:ac:8e" srcip="174.x.y.z"  dstip="128.8.10.90" proto="17" length="76" tos="0x00" prec="0x00"  ttl="64" srcport="1901" dstport="53"  [/FONT]

Looking at the dstip, I see the following:

Address lookup

     canonical name  d.root-servers.net.    aliases 
    addresses   2001:500:2d:[:D]
128.8.10.90It looks like this the device blocking access to DNS root servers.
Is that a good thing?
I don't have DNS specific rules in my firewall (save one machine which is off).
In Network Services \ DNS I list Google's DNS servers.  [feel free to comment]

Just checking.


This thread was automatically locked due to age.
Parents
  • 0
    Doug, try DNS Best Practice.

    That is strange, isn't it, Bill.  It looks like it's a DNS request by the Astaro as the packet is dropped out of the OUTPUT chain (rule="60003").  I think I'll learn something in this thread!

    Cheers - Bob
  • 0 in reply to BAlfson
    The packet in question is indeed coming from the Astaro device itself, not from an internal DNS server.  I use Astaro as the internal DNS server.  Therefore, in order to eliminate this sort of blockage, I would have to create a rule allowing DNS traffic from the ASG device which seems a bit curious.
Reply
  • 0 in reply to BAlfson
    The packet in question is indeed coming from the Astaro device itself, not from an internal DNS server.  I use Astaro as the internal DNS server.  Therefore, in order to eliminate this sort of blockage, I would have to create a rule allowing DNS traffic from the ASG device which seems a bit curious.
Children
No Data