Bind 9.3 behind IPFilter firewall

Mike Diggins diggins at mcmaster.ca
Mon Oct 9 21:25:03 UTC 2006


Any other Solaris 10 users (SPARC) running BIND 9.3 behind the included 
ipfilter firewall? Since doing so, I've noticed these types of entries 
appear regularly in my firewall log (from various hosts):

Oct  9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning] 
14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR 
udp len 20 185 IN

It appears that I've blocked reply traffic from another DNS server. 
Someone suggested the default UDP timeouts for IPFilter were too low for 
slow responding DNS servers, and to increase them. I've done that a few 
times with the values currently at:

mike at blackadder</var/log># ipf -T list | grep 'udp.*timeout'
fr_udptimeout   min 0x1 max 0x7fffffff  current 800
fr_udpacktimeout        min 0x1 max 0x7fffffff  current 240

The defaults are 240 and 24 seconds respectively. The new values seem high 
yet I still get those DENY entries in the firewall log. Is this the 
problem? If so, can anyone suggest better values?

-Mike
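Added example, not from the post or from the IPFilter or BIND projects: a small Python parser for the ipmon line format quoted above that flags blocked inbound UDP packets with source port 53, which are replies to queries this host sent earlier, dropped because the state entry for the outbound query had already expired, and counts them per upstream server so the effect of tuning fr_udptimeout can be measured rather than guessed. The sample log lines are constructed (the first is the one from the post).

```python
import re
from collections import Counter

# Matches the ipmon body that follows the Solaris syslog prefix, e.g.
# "14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR udp len 20 185 IN"
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s+(?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon log line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "tlen"):
        rec[k] = int(rec[k])
    return rec

def is_dropped_dns_reply(rec):
    """True for a blocked ('b') inbound UDP packet from source port 53: a reply to a
    query this host sent, dropped because IPFilter's state entry had already timed out."""
    return (rec["action"] == "b" and rec["dir"] == "IN"
            and rec["proto"] == "udp" and rec["sport"] == 53)

def dropped_replies_by_server(lines):
    """Count dropped DNS replies per remote server, to tell a few slow
    upstreams apart from a timeout that is too short for everyone."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec and is_dropped_dns_reply(rec):
            counts[rec["src"]] += 1
    return counts

# Constructed sample: the line from the post, a second reply from the same server,
# plus two lines that must NOT count (a passed reply, a blocked inbound TCP/25 attempt).
SAMPLE_LOG = [
    "Oct  9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR udp len 20 185 IN",
    "Oct  9 14:17:01 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:01.001200 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,51020 PR udp len 20 211 IN",
    "Oct  9 14:17:05 blackadder ipmon[12529]: [ID 702911 local0.notice] "
    "14:17:05.100000 bge0 @0:3 p 192.0.2.10,53 -> 120.113.128.1,40001 PR udp len 20 90 IN",
    "Oct  9 14:17:09 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:09.500000 bge0 @0:14 b 198.51.100.7,4444 -> 120.113.128.1,25 PR tcp len 20 60 IN",
]
```

Feed it the output of `grep ipmon /var/log/...` (path as configured for local0 in syslog.conf on that host) before and after each timeout change; if the per-server counts do not fall, the drops are not caused by the UDP state timeout.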


