We don't do any NAT at the firewall level, they're all public IPs. Thanks, Jason
On Wed, Mar 26, 2014 at 7:51 AM, Timothe Litt <[email protected]> wrote: > DNS inspection doesn't do anything useful; bind does enough validity > checking. UDP inspection suffices to let return packets thru. > > Another thing to beware of is NAT - if you do static NAT translation for > your nameservers, be sure to specify no-payload (e.g. > ip nat inside source static tcp/udp 10.0.0.1 53 16.123.213.11 53 > extendable no-payload ) > > Otherwise, the router will try to be 'helpful' by modifying the payload - > which breaks quite a few things, and not necessarily in obvious ways. > > Timothe Litt > ACM Distinguished Engineer > -------------------------- > This communication may not represent the ACM or my employer's views, > if any, on the matters discussed. > > > On 26-Mar-14 05:02, Sam Wilson wrote: > >> In article <[email protected]>, >> Jason Brandt <[email protected]> wrote: >> >> For now, I've disabled DNS inspection on our firewall, as it is an >>> ancient >>> Cisco firewall services module, and that seems to have stabilized things, >>> but it's only been 30 minutes or so. Until I get a few days in, I'll >>> keep >>> researching. >>> >> We used to run DNS inspection on our FWSMs. We didn't notice any issues >> with DNS resolution per se, but we did find that turning it off dropped >> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues >> that using DNS inspection might have caused. >> >> Sam >> >> > > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > [email protected] > https://lists.isc.org/mailman/listinfo/bind-users > -- Jason K. Brandt Systems Administrator
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
