On Thu, Jun 18, 2015 at 11:11:16PM +0000, Mike Hoskins (michoski) wrote:
> On 6/18/15, 7:09 PM, "Stuart Browne"
> <stuart.bro...@bomboratech.com.au> wrote:
>
> >Just wondering. You mention you're using RHEL6; are you also
> >getting messages in 'dmesg' about connection tracking tables being
> >full? You may need some 'NOTRACK' rules in your iptables.
>
> Just following along, for the record... On our side, iptables
> is completely disabled. We do that sort of thing upstream on
> dedicated firewalls.

There is a Knowledge Base article about this:

https://kb.isc.org/article/AA-01183/

Note that connection tracking can be a problem upstream as well,
for the same reasons as described in the article. I would still
turn off conntrack for UDP DNS upstream, unless you're using DNAT
(yuck.)

> Just now getting time to reply to Cathy...more detail on that
> there.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
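
The check and the NOTRACK rules discussed in this thread, as an added example (not from the posters or the ISC article): it counts conntrack "table full" events in kernel log text and prints raw-table rules that exempt UDP DNS from tracking. The function names, the server/resolver role argument and the sample log lines are assumptions made for illustration; the rules are only printed, never loaded.

```shell
#!/bin/sh
# Added example: spot conntrack exhaustion and generate NOTRACK rules for UDP DNS.

# Constructed kernel log sample (not taken from the thread).
sample_dmesg() {
cat <<'EOF'
nf_conntrack: table full, dropping packet.
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
nf_conntrack: table full, dropping packet.
EOF
}

# Count "table full" drops on stdin. The pattern also matches the older
# ip_conntrack prefix. "|| true" keeps exit status 0 when the count is 0.
conntrack_full_events() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Print iptables-restore input for the raw table.
#   $1 = role: "server" (answers queries) or "resolver" (also sends its own)
#   $2 = DNS port, default 53
# Untracked packets never match ESTABLISHED/RELATED in the filter table, so
# the filter rules must accept this traffic explicitly. Not usable where the
# DNS traffic is NATed, because NAT depends on conntrack.
dns_notrack_rules() {
    role="${1:-server}"
    port="${2:-53}"
    echo '*raw'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo "-A PREROUTING -p udp --dport $port -j NOTRACK"   # queries arriving
    echo "-A OUTPUT -p udp --sport $port -j NOTRACK"       # our answers
    if [ "$role" = "resolver" ]; then
        echo "-A OUTPUT -p udp --dport $port -j NOTRACK"     # our own queries
        echo "-A PREROUTING -p udp --sport $port -j NOTRACK" # their answers
    fi
    echo 'COMMIT'
}

# Stand-alone run against the constructed sample.
echo "table-full events in sample: $(sample_dmesg | conntrack_full_events)"
dns_notrack_rules server
```

On a live host, pipe `dmesg` into `conntrack_full_events` instead of the sample, and review the printed rules before loading them with `iptables-restore` as root.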