High recursive client counts

Timothe Litt litt at acm.org
Wed Mar 26 12:51:56 UTC 2014


DNS inspection doesn't do anything useful; bind does enough validity 
checking.  UDP inspection suffices to let return packets thru.

Another thing to beware of is NAT - if you do static NAT translation for 
your nameservers, be sure to specify no-payload (e.g.
   ip nat inside source static tcp/udp 10.0.0.1 53 16.123.213.11 53 extendable no-payload )

Otherwise, the router will try to be 'helpful' by modifying the payload 
- which breaks quite a few things, and not necessarily in obvious ways.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 26-Mar-14 05:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
>   Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so.  Until I get a few days in, I'll keep
>> researching.
> We used to run DNS inspection on our FWSMs.  We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%.  We're not aware of any issues
> that using DNS inspection might have caused.
>
> Sam
>
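To make the "modifying the payload" point above concrete, here is an added illustration that is not part of the thread or of any vendor's code: it builds a small DNS response, models what a NAT DNS fixup does to the A record (the behaviour `no-payload` disables), and shows a resolver-side check that notices the answer no longer matches what the authoritative server serves. The addresses 10.0.0.1 and 16.123.213.11 follow the thread's example; the name ns1.example.test. and the fixup model itself are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed values, matching the thread's example: the nameserver's inside
# address and the static-NAT outside address it is translated to.
INSIDE = IPv4Address("10.0.0.1")
OUTSIDE = IPv4Address("16.123.213.11")
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'ns1.example.test.' as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname: str, addr: IPv4Address, txid: int = 0x1234) -> bytes:
    """Minimal DNS response: header, one question, one A answer, no name compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (encode_name(qname)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)   # TTL 300, RDLENGTH 4
              + addr.packed)
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _iter_answers(msg: bytes):
    """Yield (rtype, rdata_offset, rdlength) for each record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def parse_a_answers(msg: bytes) -> list[IPv4Address]:
    """All A-record addresses in the answer section, in wire order."""
    return [IPv4Address(msg[off:off + 4])
            for rtype, off, rdlen in _iter_answers(msg)
            if rtype == TYPE_A and rdlen == 4]


def nat_dns_fixup(msg: bytes, inside: IPv4Address, outside: IPv4Address) -> bytes:
    """Model of the NAT DNS payload fixup that `no-payload` turns off: every A RDATA
    equal to the inside address is rewritten in place to the outside address.
    This models the behaviour described in the thread; it is not vendor code."""
    buf = bytearray(msg)
    for rtype, off, rdlen in _iter_answers(msg):
        if rtype == TYPE_A and rdlen == 4 and buf[off:off + 4] == inside.packed:
            buf[off:off + 4] = outside.packed
    return bytes(buf)


def rewritten_in_transit(msg: bytes, expected: IPv4Address) -> bool:
    """Resolver-side check: if the A RRset differs from what the authoritative
    server is known to serve, something on the path changed the payload."""
    return any(addr != expected for addr in parse_a_answers(msg))


if __name__ == "__main__":
    served = build_a_response("ns1.example.test.", INSIDE)
    received = nat_dns_fixup(served, INSIDE, OUTSIDE)
    print("served:  ", parse_a_answers(served))
    print("received:", parse_a_answers(received))
    print("payload changed in transit:", rewritten_in_transit(received, INSIDE))
```

The message length is unchanged by the rewrite, so nothing at the transport layer hints that the answer was altered; only comparing the RDATA against what the server actually sent reveals it. Because the RDATA bytes themselves differ, any integrity protection computed over that RRset by the server no longer matches what the client receives, which is one reason the breakage is not obvious from the NAT side.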

