In message <53349e66.8050...@ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
>
> On 03/26/14 04:02, Sam Wilson wrote:
> > In article <mailman.2530.1395774135.20661.bind-us...@lists.isc.org>,
> > Jason Brandt <jbra...@fsmail.bradley.edu> wrote:
> >
> >> For now, I've disabled DNS inspection on our firewall, as it is an ancient
> >> Cisco firewall services module, and that seems to have stabilized things,
> >> but it's only been 30 minutes or so. Until I get a few days in, I'll keep
> >> researching.
> >
> > We used to run DNS inspection on our FWSMs. We didn't notice any issues
> > with DNS resolution per se, but we did find that turning it off dropped
> > the FWSM CPU from ~70% to less than 30%. We're not aware of any issues
> > that using DNS inspection might have caused.
> >
> > Sam
> >
>
> I had to get our DNS servers exempted from our Procera, as it was interfering
> with DNSSEC. The security analyst said it considered some of the large encrypted
> UDPs as P2P.
>
> So, every few days (less during busy times), a recursive caching query server
> would stop answering... where restarting it would make it work again. It was
> to the point where I had our monitoring system restart bind as needed.
>
> Eventually, my manager asked about all the strange notifications. He then
> pushed it up to the CISO to get the analyst to make the change to stop
> interfering with DNS.
>
> They had done a test a few months earlier, and said we didn't complain then.
> I went back through the logs, and found that it had been interfering
> then... but the weekend test wasn't enough to cause any servers to stop
> responding.
>
> I didn't think to see what the client counts were. Though another time when
> the Procera had stopped passing any traffic, the counts did get really high
> before they stopped working.
>
> Need to work on figuring out how to have it resolve local domains when
> the Internet connection is down.

Slaving the local zones is the simplest solution.

> --
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
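A minimal BIND 9 configuration for what Mark suggests, added here as an illustration and not taken from the thread or from ISC: the recursive caching resolvers hold secondary (slave) copies of the internal zones, so those names keep resolving while the Internet link is down. The zone names, addresses (RFC 5737 documentation ranges) and file paths are placeholders.

```conf
// --- On the internal primary (authoritative) server, e.g. 192.0.2.1 ---
// Let the resolvers transfer the zones and send them NOTIFY on every change.
zone "corp.example.com" {
    type master;                 // "type primary;" on BIND 9.16 and later
    file "/var/named/master/corp.example.com.db";
    allow-transfer { 192.0.2.10; 192.0.2.11; };   // the recursive resolvers only
    also-notify    { 192.0.2.10; 192.0.2.11; };
};

// --- On each recursive caching resolver, e.g. 192.0.2.10 ---
// A zone loaded here is answered authoritatively from the on-disk copy, so
// clients still get answers when upstream (and any forwarder) is unreachable.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };   // internal clients
    dnssec-validation auto;
};

zone "corp.example.com" {
    type slave;                  // "type secondary;" on BIND 9.16 and later
    masters { 192.0.2.1; };      // "primaries" on BIND 9.16 and later
    file "slave/corp.example.com.db";   // persisted copy, survives a restart
    allow-notify { 192.0.2.1; };
};

zone "2.0.192.in-addr.arpa" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/2.0.192.in-addr.arpa.db";
    allow-notify { 192.0.2.1; };
};

// Caveat: the copy is served only until the zone's SOA expire timer runs out,
// so the expire value on the primary must outlast any outage you expect to ride through.
```

Run `named-checkconf` and `named-checkzone` before reloading, and `rndc retransfer corp.example.com` on a resolver forces the initial transfer instead of waiting for the refresh timer.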