On 03/26/14 04:02, Sam Wilson wrote:
> In article <mailman.2530.1395774135.20661.bind-us...@lists.isc.org>,
> Jason Brandt <jbra...@fsmail.bradley.edu> wrote:
>
>> For now, I've disabled DNS inspection on our firewall, as it is an ancient
>> Cisco firewall services module, and that seems to have stabilized things,
>> but it's only been 30 minutes or so. Until I get a few days in, I'll keep
>> researching.
>
> We used to run DNS inspection on our FWSMs. We didn't notice any issues
> with DNS resolution per se, but we did find that turning it off dropped
> the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> that using DNS inspection might have caused.
>
> Sam
>
I had to get our DNS servers exempted from our Procera, as it was interfering with DNSSEC. The security analyst said it considered some of the large encrypted UDPs as P2P. So, every few days (less during busy times), a recursive caching query server would stop answering... where restarting it would make it work again. It got to the point where I had our monitoring system restart bind as needed.

Eventually, my manager asked about all the strange notifications. He then pushed it up to the CISO to get the analyst to make the change to stop interfering with DNS. They had done a test a few months earlier, and said we didn't complain then. I went back through the logs, and found that it had been interfering then... but the weekend test wasn't enough to cause any servers to stop responding.

I didn't think to see what the client counts were. Though another time when the Procera had stopped passing any traffic, the counts did get really high before they stopped working.

Need to work on figuring out how to have it resolve local domains when the Internet connection is down.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
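The failure mode described in this thread (a caching resolver that answers small queries fine while large DNSSEC answers over UDP silently vanish in a middlebox) is easy to confuse with "the resolver is down", which is what a generic monitor-and-restart setup reacts to. The following script is an added example, not code from the thread or from ISC; it sends three probes with only the standard library: a plain UDP query, an EDNS0 query with the DO bit (which asks for RRSIGs and so produces a large answer), and the same large query over TCP. The resolver address, the query name and the 4096-byte buffer size are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the bind-users thread): probe a recursive resolver
with and without EDNS0/DNSSEC over UDP, then over TCP, to tell a resolver that
is unresponsive apart from one whose large UDP answers are being dropped on the
path. Standard library only; resolver address and query name are assumptions."""
import random
import socket
import struct
import sys

TYPE_A, TYPE_DNSKEY, TYPE_OPT, CLASS_IN = 1, 48, 41, 1


def encode_name(qname):
    """Wire-format a dotted name: length-prefixed labels plus the root byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, edns=True, do=True, bufsize=4096):
    """Return (txid, wire query). edns=True appends an OPT RR advertising
    bufsize; do=True sets the DO bit so the answer carries RRSIGs."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100  # RD: ask the caching resolver to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS = UDP payload
        # size, TTL = ext-rcode | version | flags (DO is the top bit), rdlen 0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0x8000 if do else 0, 0)
    return txid, header + question + opt


def parse_header(data):
    """Extract the header fields the diagnosis needs from a raw response."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "size": len(data)}


def udp_exchange(resolver, query, timeout=2.0):
    """Send one UDP query; None on timeout (a truncated answer still counts)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None


def tcp_exchange(resolver, query, timeout=2.0):
    """Same query over TCP, with the two-byte length prefix DNS/TCP uses."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise OSError("connection closed mid-message")
            buf += chunk
        return buf
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, length)


def classify(plain_udp_ok, dnssec_udp_ok, dnssec_tcp_ok):
    """Map the three probe outcomes to a diagnosis string."""
    if plain_udp_ok and dnssec_udp_ok:
        return "ok"
    if plain_udp_ok and not dnssec_udp_ok and dnssec_tcp_ok:
        return "large-udp-dropped"  # resolver is fine; the path eats big UDP
    if not plain_udp_ok and not dnssec_udp_ok and not dnssec_tcp_ok:
        return "resolver-unresponsive"  # restarting may actually be warranted
    return "inconsistent"


def probe(resolver, qname="example.com."):
    """Run the three probes against a live resolver (needs network)."""
    def ok(data, txid):
        return data is not None and parse_header(data)["id"] == txid
    t1, q1 = build_query(qname, edns=False)
    t2, q2 = build_query(qname, qtype=TYPE_DNSKEY, edns=True, do=True)
    plain = ok(udp_exchange(resolver, q1), t1)
    big_udp = ok(udp_exchange(resolver, q2), t2)
    try:
        big_tcp = ok(tcp_exchange(resolver, q2), t2)
    except OSError:
        big_tcp = False
    return classify(plain, big_udp, big_tcp)


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 probe.py <resolver-ip>`; a result of `large-udp-dropped` points at something on the path rather than at named, which is the distinction a monitoring rule that just restarts the daemon cannot make.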