Bind 9.3 behind IPFilter firewall
Mike Diggins
diggins at mcmaster.ca
Mon Oct 9 21:25:03 UTC 2006
Any other Solaris 10 users (SPARC) running BIND 9.3 behind the included
ipfilter firewall? Since doing so, I've noticed these types of entries
appear regularly in my firewall log (from various hosts):
Oct 9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning]
14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR
udp len 20 185 IN
It appears that I've blocked reply traffic from another DNS server.
Someone suggested the default UDP timeouts for IPFilter were too low for
slow responding DNS servers, and to increase them. I've done that a few
times with the values currently at:
mike at blackadder</var/log># ipf -T list | grep 'udp.*timeout'
fr_udptimeout min 0x1 max 0x7fffffff current 800
fr_udpacktimeout min 0x1 max 0x7fffffff current 240
The defaults are 240 and 24 seconds respectively. The new values seem high
yet I still get those DENY entries in the firewall log. Is this the
problem? If so, can anyone suggest better values?
-Mike
More information about the bind-users
mailing list