High recursive client counts

Jason Brandt jbrandt at fsmail.bradley.edu
Wed Mar 26 12:58:29 UTC 2014

We don't do any NAT at the firewall level, they're all public IPs.


On Wed, Mar 26, 2014 at 7:51 AM, Timothe Litt <litt at acm.org> wrote:

> DNS inspection doesn't do anything useful; bind does enough validity
> checking.  UDP inspection suffices to let return packets thru.
> Another thing to beware of is NAT - if you do static NAT translation for
> your nameservers, be sure to specify no-payload (e.g.
>   ip nat inside source static tcp/udp 53 53
> extendable no-payload )
> Otherwise, the router will try to be 'helpful' by modifying the payload -
> which breaks quite a few things, and not necessarily in obvious ways.
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
> On 26-Mar-14 05:02, Sam Wilson wrote:
>> In article <mailman.2530.1395774135.20661.bind-users at lists.isc.org>,
>>   Jason Brandt <jbrandt at fsmail.bradley.edu> wrote:
>>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>>> Cisco firewall services module, and that seems to have stabilized things,
>>> but it's only been 30 minutes or so.  Until I get a few days in, I'll keep
>>> researching.
>> We used to run DNS inspection on our FWSMs.  We didn't notice any issues
>> with DNS resolution per se, but we did find that turning it off dropped
>> the FWSM CPU from ~70% to less than 30%.  We're not aware of any issues
>> that using DNS inspection might have caused.
>> Sam

Jason K. Brandt
Systems Administrator
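The thread above warns that a NAT device without no-payload will rewrite addresses inside DNS answers. The following is an added example, not code from anyone in the thread: it parses the A records of the same DNS response as captured inside and outside the firewall and reports any address the NAT device changed. The hostnames and addresses are constructed sample values.

```python
# Added example: detect NAT rewriting of A records inside DNS answers by
# comparing the inside and outside copies of one response (constructed data).
import struct
import ipaddress

def _read_name(msg, off):
    # Skip a DNS name, handling compression pointers; return offset after it.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer is 2 bytes total
            return off + 2
        off += 1 + length

def a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    assert flags & 0x8000, "not a response"
    off = 12
    for _ in range(qd):                # skip questions: name + type + class
        off = _read_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def build_response(qname, addrs, txid=0x1234):
    """Constructed sample response: one question, one A record per address."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    name = labels + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return hdr + question + answers

def rewritten_addresses(inside_msg, outside_msg):
    """(inside, outside) pairs where the NAT device changed the address."""
    inside, outside = a_records(inside_msg), a_records(outside_msg)
    return [(i, o) for i, o in zip(inside, outside) if i != o]
```

Capture the same query's answer on the nameserver and on the far side of the NAT device, feed both captures to rewritten_addresses(), and an empty list means the payload passed untouched.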