We are trying to implement a GSS/CSS DNS boomerang for GLSB. The final issue we are running into is looks like the way the PIX needs to have a route back to the source address to prevent anti-spoofing. The issue we have is that the GSS sends a query to each CSS for the domain it is authoratative to. The CSS's then respond back to the clients dns server with their respective dns entry for their datacenter. The one thats the closest to the client wins. Now to make this work, the CSS spoofs the ip address of the GSS so the dns client thinks the response is from the correct server. since there is no route back to that ip address internally the packet is dropped(I assume thats what happening)Is there anyway around this? We were able to do this on our Checkpoint in another location by just excluding that one ip address.