We don't do any NAT at the firewall level, they're all public IPs.

Thanks,
Jason

On Wed, Mar 26, 2014 at 7:51 AM, Timothe Litt <l...@acm.org> wrote:

> DNS inspection doesn't do anything useful; bind does enough validity
> checking. UDP inspection suffices to let return packets thru.
>
> Another thing to beware of is NAT - if you do static NAT translation for
> your nameservers, be sure to specify no-payload (e.g.
> ip nat inside source static tcp/udp 10.0.0.1 53 16.123.213.11 53 extendable no-payload )
>
> Otherwise, the router will try to be 'helpful' by modifying the payload -
> which breaks quite a few things, and not necessarily in obvious ways.
>
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
> On 26-Mar-14 05:02, Sam Wilson wrote:
>
>> In article <mailman.2530.1395774135.20661.bind-us...@lists.isc.org>,
>> Jason Brandt <jbra...@fsmail.bradley.edu> wrote:
>>
>>> For now, I've disabled DNS inspection on our firewall, as it is an
>>> ancient Cisco firewall services module, and that seems to have
>>> stabilized things, but it's only been 30 minutes or so. Until I get
>>> a few days in, I'll keep researching.
>>
>> We used to run DNS inspection on our FWSMs. We didn't notice any issues
>> with DNS resolution per se, but we did find that turning it off dropped
>> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
>> that using DNS inspection might have caused.
>>
>> Sam
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Jason K. Brandt
Systems Administrator