[CentOS] connection state tracking with DNS [was Primary DNS...]
Alice Wonder
alice at domblogger.net
Tue Apr 11 23:16:06 UTC 2017
Hi, I would like to see this addressed.
I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
Is there a firewalld solution to this issue?
On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative. If you need firewalling, use straight
> iptables.
>
> The reason is that firewalld always enables connection state tracking
> (at least as far as I can tell), and that should never be used in front
> of a DNS server. A public authoritative server or any caching server
> can get a high rate of requests, and having the kernel firewalling
> trying to track connection states is a bottleneck (one that will be
> reached before DNS software's limits).
>
> If you must firewall a DNS server, use straight iptables and do not use
> connection state tracking.
>
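One way to follow the "straight iptables, no state tracking" advice for a DNS server is to exempt port 53 traffic from conntrack in the raw table and then accept those untracked packets explicitly, since a stateful chain that only allows ESTABLISHED,RELATED would otherwise drop them. This is an added example written for this page, not code from the thread or from the ISC article; it assumes an iptables build with the CT target and a host that already runs a stateful INPUT/OUTPUT policy.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: emit iptables rules that take
# DNS traffic out of connection tracking, as the quoted reply recommends.
# Assumptions: iptables with the CT target (1.4.3+), DNS on port 53, and an
# existing stateful INPUT/OUTPUT policy that must not silently drop the
# now-untracked packets.

DNS_PORT=53

# The raw table is evaluated before conntrack, so these rules stop entries from
# being created. Matching both --dport and --sport in both hooks covers an
# authoritative server (queries in, replies out) and a caching resolver
# (queries out, replies in).
dns_notrack_rules() {
    for proto in udp tcp; do
        for port_match in --dport --sport; do
            echo "iptables -t raw -A PREROUTING -p $proto $port_match $DNS_PORT -j CT --notrack"
            echo "iptables -t raw -A OUTPUT -p $proto $port_match $DNS_PORT -j CT --notrack"
        done
    done
}

# Caveat: untracked packets carry ctstate UNTRACKED, so a filter chain that
# accepts only ESTABLISHED,RELATED will drop them. Insert explicit accepts
# ahead of the stateful rules (-I puts them at the head of the chain).
dns_accept_rules() {
    for proto in udp tcp; do
        for port_match in --dport --sport; do
            echo "iptables -I INPUT -p $proto $port_match $DNS_PORT -m conntrack --ctstate UNTRACKED -j ACCEPT"
            echo "iptables -I OUTPUT -p $proto $port_match $DNS_PORT -m conntrack --ctstate UNTRACKED -j ACCEPT"
        done
    done
}

# The complete rule set; review the output before piping it through sh as root.
dns_rules() {
    dns_notrack_rules
    dns_accept_rules
}

# Number of generated rules that bypass conntrack (used as a self-check).
notrack_count() {
    dns_rules | grep -c -- '--notrack'
}

case "${1:-}" in
    apply) dns_rules | sh ;;   # requires root and a kernel with nf_conntrack loaded
    *)     dns_rules ;;
esac
```

On an authoritative-only server the --sport entries can be left out so that only inbound queries and outbound replies are exempted and accepted. Verify the effect with `conntrack -L` (or /proc/net/nf_conntrack): port 53 flows should no longer appear in the table under query load.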