
Thanks everyone for your help. I think I found the problem, read on.

John R. McPherson wrote:

> DNS uses UDP. It will use TCP if the data is too big to fit in a UDP packet.

OK, that explains it.

> It's kind of weird to see requests both from port 53 and to 53. I looked at
> your rules earlier and checked at home - my bind sends requests from high
> ports, which is why I couldn't see anything wrong with your rules, and I
> also thought

It's probably because of this, from named.conf:

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    query-source address * port 53;

I just tried commenting out this line and now it seems to be working.

> #: Accept incoming packets from external networks on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.74.40/32
>
> would allow DNS responses.

But isn't the log message saying that the SRC IP address is not being accepted as valid for IN?

    Jul 8 09:13:06 pixie kernel: IN= OUT=ppp0 SRC=203.79.74.233 DST=203.96.152.4 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=147 DF PROTO=UDP SPT=53 DPT=53 LEN=59

and shouldn't this cover it?

    #: Allow packets for external networks leave over external interfaces
    /sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.74.40/32

g
-- 
Glenn Ramsey <glenn(a)componic.co.nz> 07 8627077 http://www.componic.co.nz
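The following is an added example, not part of the thread above and not code from the BIND or iptables projects. It is a small stateless evaluator for the subset of iptables syntax used in the message (chain, target, -i/-o, -s/-d, -p, --sport/--dport), fed with the two ACCEPT rules and the kernel LOG line quoted there, so you can check for yourself which rule a logged packet would hit. The two extra log lines and the two port-pinning rules are constructed, hypothetical inputs that illustrate John's point about BIND sending queries from port 53 (query-source) versus an unprivileged port. The chain policies are not shown on the page, so a result of None means only "no listed rule matched; the chain policy decides".

```python
"""Stateless check of iptables-style rules against netfilter LOG lines (added example)."""
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inputs copied from the message: the two ACCEPT rules and the logged packet.
RULES = [
    "/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.74.40/32",
    "/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.74.40/32",
]
LOG_LINE = (
    "Jul 8 09:13:06 pixie kernel: IN= OUT=ppp0 SRC=203.79.74.233 "
    "DST=203.96.152.4 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=147 DF "
    "PROTO=UDP SPT=53 DPT=53 LEN=59"
)

# Constructed (hypothetical) variants: the same packet sent from the address the
# OUTPUT rule names, once with query-source port 53 and once from a high port,
# plus two rules that pin UDP ports. None of these appear on the page.
PORT53_QUERY = LOG_LINE.replace("SRC=203.79.74.233", "SRC=203.79.74.40")
HIGHPORT_QUERY = PORT53_QUERY.replace("SPT=53", "SPT=1035")
SPORT53_RULE = ("/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.74.40/32 "
                "-p udp --sport 53 --dport 53")
DPORT53_RULE = ("/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.74.40/32 "
                "-p udp --dport 53")


@dataclass
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_rule(cmd: str) -> Rule:
    """Parse the subset of iptables options used on this page (every option takes a value)."""
    argv = shlex.split(cmd)[1:]  # drop the /sbin/iptables path
    opts = dict(zip(argv[::2], argv[1::2]))

    def net(key: str) -> Optional[ipaddress.IPv4Network]:
        return ipaddress.IPv4Network(opts[key], strict=False) if key in opts else None

    return Rule(
        chain=opts["-A"], target=opts["-j"],
        in_if=opts.get("-i"), out_if=opts.get("-o"),
        src=net("-s"), dst=net("-d"),
        proto=opts.get("-p", "").upper() or None,
        sport=int(opts["--sport"]) if "--sport" in opts else None,
        dport=int(opts["--dport"]) if "--dport" in opts else None,
    )


def parse_log(line: str) -> Dict[str, str]:
    """Pull the KEY=VALUE fields out of a netfilter LOG line (IN= yields an empty string)."""
    return dict(re.findall(r"(\w+)=(\S*)", line.split("kernel: ", 1)[1]))


def chain_for(pkt: Dict[str, str]) -> str:
    """Which built-in chain saw the packet, derived from the IN=/OUT= fields."""
    if pkt.get("IN") and pkt.get("OUT"):
        return "FORWARD"
    return "OUTPUT" if pkt.get("OUT") else "INPUT"


def matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    """Every specified match on the rule must hold; unspecified ones are wildcards."""
    return all([
        rule.in_if is None or rule.in_if == pkt.get("IN"),
        rule.out_if is None or rule.out_if == pkt.get("OUT"),
        rule.src is None or ipaddress.IPv4Address(pkt["SRC"]) in rule.src,
        rule.dst is None or ipaddress.IPv4Address(pkt["DST"]) in rule.dst,
        rule.proto is None or rule.proto == pkt.get("PROTO"),
        rule.sport is None or rule.sport == int(pkt.get("SPT", -1)),
        rule.dport is None or rule.dport == int(pkt.get("DPT", -1)),
    ])


def first_match(rules: List[str], line: str) -> Tuple[str, Optional[str]]:
    """Return (chain, target of the first matching rule), or (chain, None) if
    no listed rule matched and the chain policy (not shown on the page) decides."""
    pkt = parse_log(line)
    chain = chain_for(pkt)
    for rule in map(parse_rule, rules):
        if rule.chain == chain and matches(rule, pkt):
            return chain, rule.target
    return chain, None


if __name__ == "__main__":
    # The logged packet leaves via ppp0 from 203.79.74.233, which is not inside
    # 203.79.74.40/32, so the quoted OUTPUT rule does not match it.
    print(first_match(RULES, LOG_LINE))                 # ('OUTPUT', None)
    print(first_match(RULES, PORT53_QUERY))             # ('OUTPUT', 'ACCEPT')
    # A rule that insists on --sport 53 only fits a BIND using query-source port 53.
    print(first_match([SPORT53_RULE], HIGHPORT_QUERY))  # ('OUTPUT', None)
    print(first_match([DPORT53_RULE], HIGHPORT_QUERY))  # ('OUTPUT', 'ACCEPT')
```

The evaluator is deliberately stateless, like the rules in the message: it has no notion of the reply direction, so a high-port query's answer coming back to that port would need its own INPUT rule (or a stateful match) rather than anything shown here.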