Hi,

JLF> Maybe I'm missing the point here, but why do you think you need
JLF> to MASQ these packages? When a box from your internal network
JLF> does a lookup, it checks with BIND on your boundary/firewall box.

And exactly that's the point: there is no BIND running on my firewall box. BIND is running on some other machine, and so it needs to connect to the outside. Anyway, even if BIND ran on the firewall box, the problem would remain the same, i.e. BIND would send a UDP packet which has to bring up the line (forcing a new IP for the interface), and which therefore leaves with the wrong source address.

JLF> Use something like dnscache,
JLF> (it's smaller, uses less memory, and is more secure).

Thank you for your hint; I actually appreciate alternatives. But this makes me curious: why should it be more secure, provided that BIND is configured properly?

Greetings,
Thomas