High recursive client counts
litt at acm.org
Wed Mar 26 12:51:56 UTC 2014
DNS inspection doesn't do anything useful; bind does enough validity
checking. UDP inspection suffices to let return packets thru.
Another thing to beware of is NAT - if you do static NAT translation for
your nameservers, be sure to specify no-payload (e.g.
ip nat inside source static tcp/udp 10.0.0.1 53 220.127.116.11 53
extendable no-payload )
Otherwise, the router will try to be 'helpful' by modifying the payload
- which breaks quite a few things, and not necessarily in obvious ways.
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 26-Mar-14 05:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
> Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so. Until I get a few days in, I'll keep
> We used to run DNS inspection on our FWSMs. We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> that using DNS inspection might have caused.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5159 bytes
Desc: S/MIME Cryptographic Signature
More information about the bind-users