Another thing to beware of is NAT - if you do static NAT translation for your nameservers, be sure to specify no-payload (e.g. ip nat inside source static tcp/udp 10.0.0.1 53 16.123.213.11 53 extendable no-payload).
Otherwise, the router will try to be 'helpful' by modifying the payload - which breaks quite a few things, and not necessarily in obvious ways.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 26-Mar-14 05:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-us...@lists.isc.org>,
> Jason Brandt <jbra...@fsmail.bradley.edu> wrote:
>
>> For now, I've disabled DNS inspection on our firewall, as it is an
>> ancient Cisco firewall services module, and that seems to have
>> stabilized things, but it's only been 30 minutes or so. Until I get a
>> few days in, I'll keep researching.
>
> We used to run DNS inspection on our FWSMs. We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> that using DNS inspection might have caused.
>
> Sam

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
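
One way to check whether a NAT device is altering DNS payloads, as an added example that is not part of the original message: compare the A records in a response captured at the nameserver with the same response captured outside the NAT. It assumes the modification shows up as changed A-record addresses; the hostname and both packets are constructed, and the two addresses are the ones from the command quoted above.

```python
import struct

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + n

def a_records(msg):
    """Return the IPv4 addresses of all A records in the answer section."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return out

def payload_rewrites(sent, received):
    """Pair up A records that differ between two captures of one response."""
    return [(s, r) for s, r in zip(a_records(sent), a_records(received)) if s != r]

def build_response(qname, addr):
    """Constructed sample: a one-question, one-answer A response."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer

# Constructed captures of the same response: at the nameserver, and outside the NAT.
SENT = build_response("ns1.example.com", "10.0.0.1")
RECEIVED = build_response("ns1.example.com", "16.123.213.11")

if __name__ == "__main__":
    for before, after in payload_rewrites(SENT, RECEIVED):
        print(f"A record rewritten in transit: {before} -> {after}")
```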