Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 2 subscribers
  • Views 10261 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking DNS access to root servers

SalishSwede
I notice in my logs the following:

[FONT=monospace]/var/log/packetfilter/2012/03/packetfilter-2012-03-13.log.gz:2012:03:13-19:03:02  wahine ulogd[6021]: id="2001" severity="info" sys="SecureNet"  sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003"  outitf="eth1" srcmac="0:c:29:67:ac:8e" srcip="174.x.y.z"  dstip="128.8.10.90" proto="17" length="76" tos="0x00" prec="0x00"  ttl="64" srcport="1901" dstport="53"  [/FONT]

Looking at the dstip, I see the following:

Address lookup

     canonical name  d.root-servers.net.    aliases 
    addresses   2001:500:2d:[:D]
128.8.10.90It looks like this the device blocking access to DNS root servers.
Is that a good thing?
I don't have DNS specific rules in my firewall (save one machine which is off).
In Network Services \ DNS I list Google's DNS servers.  [feel free to comment]

Just checking.


This thread was automatically locked due to age.
Parents
  • 0
    I guess I don't understand why the Astaro would ask a root server for name resolution if DNS is configured correctly.

    Cheers - Bob
  • 0 in reply to BAlfson
    I guess I don't understand why the Astaro would ask a root server for name resolution if DNS is configured correctly.

    The way they have bind configured, it has a switch to query forwarders first which makes astaro query root servers if the forwarders fail for any reason including connectivity. 
    What is fascinating is the log entry for the interface.

    @Dougga which interface is that exactly? Not an additional IP or anything of that sort is it?

    Regards
    Bill
    Edit:
    Why am I telling you about your systems.  This is very strange.

    Bob doesn't work for astaro and is a free helper so don't flame the messenger please.
  • 0 in reply to Billybob
    My misunderstanding, I thought he was internal.  Apologies, Bob.

    Nothing special with this interface: eth1.
    Standard DHCP to Comcast internet.
Reply Children
No Data