On 6/19/15, 4:07 PM, "bind-users-boun...@lists.isc.org on behalf of /dev/rob0" <bind-users-boun...@lists.isc.org on behalf of r...@gmx.co.uk> wrote:
>On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
>> On Thu, Jun 18, 2015 at 11:11:16PM +0000,
>> Mike Hoskins (michoski) wrote:
>snip
>> Note that connection tracking can be a problem upstream as well,
>> for the same reasons as described in the article. I would still
>> turn off conntrack for UDP DNS upstream, unless you're using DNAT
>> (yuck.)
>
>Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're
>using Linux on your upstream routers. :)
>
>The same idea applies regardless of implementation, of course.

Quite alright... In past lives yes, and perhaps even internally at times (more often OpenBSD and pf)...though I won't admit that. ;-D

Regardless, all input is welcome. I'll check out the KB article. I have sat for hours with the network team making sure "their" gear isn't touching "my" DNS packets in any perverted ways, but it's always good to triple check.

Thanks!
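The quoted advice, "turn off conntrack for UDP DNS ... unless you're using DNAT", maps onto the Linux `raw` table, which is evaluated before connection tracking. The script below is an added example, not something posted in this thread or shipped by ISC: it emits the `iptables -t raw ... -j NOTRACK` rules for UDP port 53 on an assumed upstream-facing interface (`eth0`, overridable via `DNS_IF`), and it refuses to apply them when a DNAT rule for that port is present, since DNAT is done by the `nat` table and needs a conntrack entry to rewrite the reply. The `refuse_if_dnat` helper takes the `iptables -t nat -S` listing as an argument so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): exempt UDP DNS from Linux conntrack.
# DNS_IF and DNS_PORT are assumptions; set them for your resolver.
DNS_IF="${DNS_IF:-eth0}"      # assumed upstream-facing interface
DNS_PORT="${DNS_PORT:-53}"

# Emit the rules instead of applying them directly, so they can be reviewed
# (and tested) on a box without iptables or root.
dns_notrack_rules() {
    # Queries to us and answers to our upstream queries, arriving on DNS_IF.
    printf 'iptables -t raw -A PREROUTING -i %s -p udp --dport %s -j NOTRACK\n' "$DNS_IF" "$DNS_PORT"
    printf 'iptables -t raw -A PREROUTING -i %s -p udp --sport %s -j NOTRACK\n' "$DNS_IF" "$DNS_PORT"
    # Locally generated traffic: our answers and our upstream queries.
    printf 'iptables -t raw -A OUTPUT -o %s -p udp --sport %s -j NOTRACK\n' "$DNS_IF" "$DNS_PORT"
    printf 'iptables -t raw -A OUTPUT -o %s -p udp --dport %s -j NOTRACK\n' "$DNS_IF" "$DNS_PORT"
}

# DNAT caveat from the thread: NAT is stateful, so a flow that is DNATed
# must stay tracked. Returns 1 when the nat table listing ($1, the text of
# "iptables -t nat -S") contains a DNAT rule for DNS_PORT, else 0.
refuse_if_dnat() {
    if printf '%s\n' "$1" | grep -Eq -- "--dport ${DNS_PORT}( |$).*-j DNAT"; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    nat_rules=$(iptables -t nat -S 2>/dev/null)
    refuse_if_dnat "$nat_rules" || {
        echo "DNAT for udp/$DNS_PORT present; not adding NOTRACK rules" >&2
        exit 1
    }
    dns_notrack_rules | sh -e
else
    dns_notrack_rules
fi
```

Run it without arguments to review the four rules; run it as root with `--apply` to install them. Once these are in place, UDP DNS packets no longer consume conntrack table slots on that host, which is the failure mode the thread is about; TCP DNS (zone transfers, truncated-response fallback) is deliberately left tracked.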