On Wed, Mar 04, 2015 at 09:47:59AM +0100, stefan.las...@t-systems.com wrote: > Are you using iptables Firewall? > Does the problem only occur on UDP connections to the problematic > IP? Or also on TCP connections to the same IP? > > I had similar problems (not with bind) when the connection table of > iptables "state" module were too small. Iptables started dropping > packets, because it couldn't keep track of new connections.
The ISC Knowledge Base has an article about this: https://kb.isc.org/article/AA-01183 > Since UDP is by definition stateless, the "state" module tries > to invent some sort of connection status, based on source- and > destination ports. Linux connection tracking is protocol-agnostic, but yes, aspects of the protocol (such as source and destination ports if applicable) are considered in defining a what is considered a "connection". > This sometimes makes trouble. Especially when there are lots of > concurrent connections and the same UDP-ports show up over and over > again (e.g. when DNS-Clients do not use Source Port Randomization). The trouble comes if/when the table is too small to account for many random ports. Each "connection" is only two packets: a query coming in, and a reply going out. > You could try to remove the state module (-m state --state NEW) > from your UDP firewall rule for BIND and see if that helps. It probably would not, because each query/reply is still seen as a "connection" to the kernel. A more sophisticated and effective approach is as described in the article above, using the "raw" table and "-j CT --notrack". > I believe there are separate state tables for each network > interface. This could explain, why your second IP is still > responding. There is a single conntrack table for the system, and all entries therein are based on packet header information: source and destination IP address (and ports if applicable.) We really don't have enough information in this thread to be able to answer the OP's questions. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
