DNS inspection doesn't do anything useful; bind does enough validity checking. UDP inspection suffices to let return packets thru.

Another thing to beware of is NAT - if you do static NAT translation for your nameservers, be sure to specify no-payload (e.g. ip nat inside source static tcp/udp 10.0.0.1 53 16.123.213.11 53 extendable no-payload )

Otherwise, the router will try to be 'helpful' by modifying the payload - which breaks quite a few things, and not necessarily in obvious ways.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 26-Mar-14 05:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-us...@lists.isc.org>,
>   Jason Brandt <jbra...@fsmail.bradley.edu> wrote:
>
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so.  Until I get a few days in, I'll keep
>> researching.
>
> We used to run DNS inspection on our FWSMs.  We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%.  We're not aware of any issues
> that using DNS inspection might have caused.
>
> Sam


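Added illustration of the payload-rewriting problem described above; this is not code from the thread or from any vendor. It builds a constructed DNS response in wire format, applies a simplified emulation of a NAT DNS ALG (our illustration, not Cisco's actual implementation) that rewrites A RDATA matching the inside address, and provides an audit check that compares the A records received through the NAT path with what the zone is supposed to publish. The addresses 10.0.0.1 and 16.123.213.11 are the ones quoted in the post; 192.0.2.10 and ns1.example.net are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Nameserver inside address and its static NAT mapping, as quoted in the post.
INSIDE, OUTSIDE = "10.0.0.1", "16.123.213.11"

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_response(name, addrs, txid=0x1234):
    """Constructed DNS response: one question, one A record per address, no compression."""
    qname = _encode_name(name)
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, len(addrs), 0, 0)  # flags: QR|AA
    msg += qname + struct.pack("!HH", 1, 1)                           # QTYPE=A, QCLASS=IN
    for a in addrs:
        msg += qname + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
    return msg

def _skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l

def answer_rdata(msg):
    """Yield (rtype, rdata_offset, rdlength) for every record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def a_records(msg):
    return [str(IPv4Address(msg[o:o + n])) for t, o, n in answer_rdata(msg) if t == 1 and n == 4]

def emulate_payload_alg(msg, inside, outside):
    """Simplified stand-in for a payload-rewriting NAT ALG: A RDATA == inside becomes outside."""
    out = bytearray(msg)
    for t, o, n in answer_rdata(msg):
        if t == 1 and n == 4 and out[o:o + n] == IPv4Address(inside).packed:
            out[o:o + n] = IPv4Address(outside).packed
    return bytes(out)

def payload_rewritten(expected_addrs, received_msg):
    """Audit check: do the A records seen through the NAT path differ from the zone's data?"""
    return sorted(a_records(received_msg)) != sorted(expected_addrs)
```

A mismatch from payload_rewritten on a response captured beyond the NAT device is a signal that something in the path is editing DNS payloads, which is exactly what the no-payload keyword is meant to prevent.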


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
