DNS requests error sending response: host unreachable
lst_hoe02 at kwsoft.de
Wed Mar 14 10:37:03 UTC 2012
Zitat von Romgo <romgo at free.fr>:
> All right.
>
> this seems to correct the issue.
> But that's the first time I had to open the firewall for a packet answer.
>
> weird.
It is a somewhat special case. UDP by itself is not stateful at all, so
any stateful firewall has to use some timeout value to decide whether the
"connection" is alive or not. The timeout is set really short most of
the time so as not to run out of resources, because there can be many UDP
"connections" and most of them are only two packets big (one outgoing, one
incoming). On the other hand, a DNS query can take a lot of time until
an answer packet is on the way, so it might get dropped because of the
"closed" connection.
Normally you would not notice at all because DNS is designed to cope
with failed/timed-out queries, and the next attempt is faster because
of caching and finally gets through. So basically you have two options:
- Ignore the dropped packets
- Do not use stateful tracking for DNS
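As an added example that is not part of this thread, here is an nftables ruleset implementing the second option: DNS traffic to and from the configured resolvers is exempted from connection tracking, so no UDP conntrack timeout can expire under a slow query. The resolver address 192.0.2.53 is a placeholder you would replace with your own.

```nft
# Added example (not from the thread). Assumes the host sends its queries
# to upstream resolvers on UDP port 53; 192.0.2.53 is a placeholder.
define RESOLVERS = { 192.0.2.53 }

table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        # Replies from the resolvers skip conntrack entirely, so there is
        # no "connection" that can time out before the answer arrives.
        ip saddr $RESOLVERS udp sport 53 notrack
    }
    chain output {
        type filter hook output priority -300; policy accept;
        # Outgoing queries to the resolvers are not tracked either.
        ip daddr $RESOLVERS udp dport 53 notrack
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Untracked replies no longer match "established", so accept them
        # explicitly, but only from the configured resolvers and only from
        # source port 53, rather than opening the firewall to any UDP packet.
        ip saddr $RESOLVERS udp sport 53 ct state untracked accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The alternative, keeping DNS tracked but giving it more time, is to raise the kernel's UDP conntrack timeout (the net.netfilter.nf_conntrack_udp_timeout sysctl) at the cost of more conntrack entries held per query.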
Regards
Andreas