High recursive client counts
jbrandt at fsmail.bradley.edu
Wed Mar 26 12:58:29 UTC 2014
We don't do any NAT at the firewall level, they're all public IPs.
On Wed, Mar 26, 2014 at 7:51 AM, Timothe Litt <litt at acm.org> wrote:
> DNS inspection doesn't do anything useful; bind does enough validity
> checking. UDP inspection suffices to let return packets thru.
> Another thing to beware of is NAT - if you do static NAT translation for
> your nameservers, be sure to specify no-payload (e.g.
> ip nat inside source static tcp/udp 10.0.0.1 53 18.104.22.168 53
> extendable no-payload )
> Otherwise, the router will try to be 'helpful' by modifying the payload -
> which breaks quite a few things, and not necessarily in obvious ways.
> Timothe Litt
> ACM Distinguished Engineer
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
> On 26-Mar-14 05:02, Sam Wilson wrote:
>> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
>> Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>> For now, I've disabled DNS inspection on our firewall, as it is an
>>> Cisco firewall services module, and that seems to have stabilized things,
>>> but it's only been 30 minutes or so. Until I get a few days in, I'll
>> We used to run DNS inspection on our FWSMs. We didn't notice any issues
>> with DNS resolution per se, but we did find that turning it off dropped
>> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
>> that using DNS inspection might have caused.
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
Jason K. Brandt
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users