[CentOS] connection state tracking with DNS [was Primary DNS...]

Tue Apr 11 23:16:06 UTC 2017
Alice Wonder <alice at domblogger.net>

Hi, I would like to see this addressed.

I found more information on the issue at 

Is there a firewalld solution to this issue?

On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative.  If you need firewalling, use straight
> iptables.
> The reason is that firewalld always enables connection state tracking
> (at least as far as I can tell), and that should never be used in front
> of a DNS server.  A public authoritative server or any caching server
> can get a high rate of requests, and having the kernel firewalling
> trying to track connection states is a bottleneck (one that will be
> reached before DNS software's limits).
> If you must firewall a DNS server, use straight iptables and do not use
> connection state tracking.