High recursive client counts

Timothe Litt litt at acm.org
Wed Mar 26 12:51:56 UTC 2014

DNS inspection doesn't do anything useful; bind does enough validity
checking.  UDP inspection suffices to let return packets through.

Another thing to beware of is NAT - if you do static NAT translation for
your nameservers, be sure to specify no-payload (e.g.
   ip nat inside source static tcp/udp 53 53 extendable no-payload )

Otherwise, the router will try to be 'helpful' by modifying the payload
- which breaks quite a few things, and not necessarily in obvious ways.

Timothe Litt
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 26-Mar-14 05:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
>   Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so.  Until I get a few days in, I'll keep
>> researching.
> We used to run DNS inspection on our FWSMs.  We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%.  We're not aware of any issues
> that using DNS inspection might have caused.
> Sam

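The payload rewriting warned about above, as an added example (not from the list post, BIND, or Cisco): a minimal DNS answer-section parser plus a check that diffs the A records a server actually sent against the copy observed on the far side of the NAT device, which is how an operator can confirm whether an ALG is touching the packets. The sample packets are constructed inline; the name and addresses are assumptions.

```python
import struct

def _read_name(pkt, off):
    """Decode the DNS name at `off`, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            end = end or off + 2                  # resume after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end or off)

def a_records(pkt):
    """Return [(owner, dotted IPv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                      # skip question entries
        _, off = _read_name(pkt, off)
        off += 4                                  # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:             # A record
            found.append((name, ".".join(str(b) for b in rdata)))
    return found

def rewritten_records(inside_pkt, outside_pkt):
    """A records whose address differs between the inside capture and the copy seen past the NAT."""
    inside, outside = dict(a_records(inside_pkt)), dict(a_records(outside_pkt))
    return [(n, a, outside.get(n)) for n, a in inside.items() if outside.get(n) != a]

def build_response(qname, ipv4):
    """Constructed minimal DNS answer: one question, one A record (TTL 300)."""
    qn = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ipv4.split(".")))
    return header + qn + struct.pack("!HH", 1, 1) + answer

# Constructed sample: the answer as the server sent it, and as it arrived past a NAT whose ALG rewrote it.
INSIDE = build_response("ns1.example.net", "10.0.0.53")
OUTSIDE = build_response("ns1.example.net", "192.0.2.53")
```

A non-empty result from rewritten_records means the device between the two capture points changed RDATA in flight; with no-payload configured the two copies should be byte-identical.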
