[CentOS] connection state tracking with DNS [was Primary DNS...]
Alice Wonder
alice at domblogger.net
Tue Apr 11 23:16:06 UTC 2017
- Previous message: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7
- Next message: [CentOS] connection state tracking with DNS [was Primary DNS...]
Hi,

I would like to see this addressed. I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

Is there a firewalld solution to this issue?

On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative. If you need firewalling, use straight
> iptables.
>
> The reason is that firewalld always enables connection state tracking
> (at least as far as I can tell), and that should never be used in front
> of a DNS server. A public authoritative server or any caching server
> can get a high rate of requests, and having the kernel firewalling
> trying to track connection states is a bottleneck (one that will be
> reached before DNS software's limits).
>
> If you must firewall a DNS server, use straight iptables and do not use
> connection state tracking.
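The "straight iptables, no state tracking" approach Chris describes, as an added example that is not from the thread or the ISC article: a script that emits an iptables-restore ruleset using the raw table's NOTRACK target to keep port 53 out of the conntrack table, and then accepts that traffic by port in the filter table, since untracked packets never match ESTABLISHED,RELATED. It assumes BIND listens on UDP/TCP 53 on all addresses; the SSH rule is a placeholder for whatever else the host must accept.

```shell
#!/bin/sh
# Added example, not code from the thread or the ISC article. Emits an
# iptables-restore ruleset exempting DNS from connection tracking.
# Assumptions: BIND on UDP/TCP 53, all addresses; port 22 is a placeholder.

dns_notrack_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Queries arriving at the server and the replies it sends back.
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A PREROUTING -p tcp --dport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
-A OUTPUT -p tcp --sport 53 -j NOTRACK
# Caching server: its own upstream UDP queries and their answers.
# (TCP recursion is left tracked; it is a small fraction of traffic.)
-A OUTPUT -p udp --dport 53 -j NOTRACK
-A PREROUTING -p udp --sport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Port 53 must be accepted by port, not by state: after the raw-table
# rules above these packets carry ctstate UNTRACKED.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# Upstream answers for the caching case. Trade-off: any UDP packet with
# source port 53 reaches the resolver; BIND still matches query ID/port.
-A INPUT -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
# Everything else on the host stays stateful.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the raw-table NOTRACK rules (sanity check on the generated set).
count_notrack_rules() {
    dns_notrack_rules | grep -c -- '-j NOTRACK'
}
```

Check the syntax with `dns_notrack_rules | iptables-restore --test` before loading it with `dns_notrack_rules | iptables-restore`; afterwards `/proc/sys/net/netfilter/nf_conntrack_count` should stop growing with query load.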