Bind 9.3 behind IPFilter firewall

tsar.peter at gmail.com tsar.peter at gmail.com
Wed Oct 11 10:56:35 UTC 2006


Mike Diggins wrote:
> Any other Solaris 10 users (SPARC) running BIND 9.3 behind the included
> ipfilter firewall? Since doing so, I've noticed these types of entries
> appear regularly in my firewall log (from various hosts):
>
> Oct  9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning]
> 14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR
> udp len 20 185 IN
>
> It appears that I've blocked reply traffic from another DNS server.
> Someone suggested the default UDP timeouts for IPFilter were too low for
> slow responding DNS servers, and to increase them. I've done that a few
> times with the values currently at:
>
> mike at blackadder</var/log># ipf -T list | grep 'udp.*timeout'
> fr_udptimeout   min 0x1 max 0x7fffffff  current 800
> fr_udpacktimeout        min 0x1 max 0x7fffffff  current 240
>
> The defaults are 240 and 24 seconds respectively. The new values seem high
> yet I still get those DENY entries in the firewall log. Is this the
> problem? If so, can anyone suggest better values?
>
> -Mike

A UDP rule in ipfilter that has a "keep state" will allow one response
packet. What might happen here is that several packets are returned, and
the last one(s) will be blocked.

Try sending some queries to the server in question and see if you get
responses.

Increasing udptimeout won't help you (I think).
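The reply above suggests checking which remote servers are behind the blocked entries before touching timeouts. The following script is an added example, not part of this thread and not ipfilter or BIND code: it parses ipmon log lines in the format quoted in the original post, picks out inbound blocked UDP packets from port 53 to an ephemeral port (the signature of a DNS reply the state table no longer covered), and counts them per remote server. The sample log lines are constructed here (the first reproduces the entry from the post, joined onto one line; the others use 192.0.2.0/24 and 198.51.100.0/24 documentation addresses), and the assumption that ephemeral ports start at 1024 is a parameter you can change.

```python
import re
from collections import Counter

# Regex for the packet part of an ipmon(1M) entry, following the layout quoted
# in the post: time, interface, @group:rule, action letter, src,port -> dst,port,
# protocol, header length, packet length, optional TCP flags, direction.
IPMON_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<rule>\S+)\s+"
    r"(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+"
    r"(?:(?P<flags>-\S+)\s+)?(?P<dir>IN|OUT)"
)

# Constructed sample log; line 0 is the entry from the post, re-joined.
SAMPLE_LOG = [
    "Oct  9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR udp len 20 185 IN",
    "Oct  9 14:17:02 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:02.001234 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,51200 PR udp len 20 210 IN",
    "Oct  9 14:17:05 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:05.440000 bge0 @0:14 b 192.0.2.10,53 -> 120.113.128.1,40011 PR udp len 20 512 IN",
    "Oct  9 14:17:06 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:06.000100 bge0 @0:9 p 120.113.128.1,40012 -> 192.0.2.10,53 PR udp len 20 60 OUT",
    "Oct  9 14:17:08 blackadder ipmon[12529]: [ID 702911 local0.warning] "
    "14:17:08.300000 bge0 @0:14 b 198.51.100.7,4444 -> 120.113.128.1,22 PR tcp len 20 60 -S IN",
]


def parse_ipmon(line):
    """Return a dict of fields for one ipmon packet entry, or None if the line
    does not carry a packet record (e.g. a state-table or daemon message)."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec


def is_blocked_dns_reply(rec, ephemeral_floor=1024):
    """True for an inbound, blocked UDP packet from port 53 to an ephemeral port:
    an answer (or a second answer packet) arriving after the state entry for the
    outgoing query was gone or already consumed."""
    return (
        rec is not None
        and rec["action"] == "b"
        and rec["dir"] == "IN"
        and rec["proto"] == "udp"
        and rec["sport"] == 53
        and rec["dport"] >= ephemeral_floor  # assumption: ephemeral ports start here
    )


def blocked_replies_by_server(lines):
    """Count blocked DNS replies per remote server address. A server that shows up
    repeatedly is the one to query by hand, as the reply in the thread suggests."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if is_blocked_dns_reply(rec):
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for server, n in blocked_replies_by_server(SAMPLE_LOG).most_common():
        print(f"{server:>16}  blocked DNS replies: {n}")
```

Run it against a real log with `blocked_replies_by_server(open("/var/log/ipflog"))` or whatever path your syslog.conf sends `local0` to; the outbound query and the TCP entry in the sample are deliberately excluded so the counts only reflect the reply traffic the post is about.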


