Bind 9.3 behind IPFilter firewall - DNS


  1. Bind 9.3 behind IPFilter firewall


    Any other Solaris 10 users (SPARC) running BIND 9.3 behind the included
    ipfilter firewall? Since doing so, I've noticed these types of entries
    appear regularly in my firewall log (from various hosts):

    Oct 9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning]
    14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR
    udp len 20 185 IN

    It appears that I've blocked reply traffic from another DNS server.
    Someone suggested the default UDP timeouts for IPFilter were too low for
    slow responding DNS servers, and to increase them. I've done that a few
    times with the values currently at:

    mike@blackadder# ipf -T list | grep 'udp.*timeout'
    fr_udptimeout min 0x1 max 0x7fffffff current 800
    fr_udpacktimeout min 0x1 max 0x7fffffff current 240

    The defaults are 240 and 24 seconds respectively. The new values seem high
    yet I still get those DENY entries in the firewall log. Is this the
    problem? If so, can anyone suggest better values?

    -Mike



  2. Re: Bind 9.3 behind IPFilter firewall


    Mike Diggins wrote:
    > Any other Solaris 10 users (SPARC) running BIND 9.3 behind the included
    > ipfilter firewall? Since doing so, I've noticed these types of entries
    > appear regularly in my firewall log (from various hosts):
    >
    > Oct 9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning]
    > 14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR
    > udp len 20 185 IN
    >
    > It appears that I've blocked reply traffic from another DNS server.
    > Someone suggested the default UDP timeouts for IPFilter were too low for
    > slow responding DNS servers, and to increase them. I've done that a few
    > times with the values currently at:
    >
    > mike@blackadder# ipf -T list | grep 'udp.*timeout'
    > fr_udptimeout min 0x1 max 0x7fffffff current 800
    > fr_udpacktimeout min 0x1 max 0x7fffffff current 240
    >
    > The defaults are 240 and 24 seconds respectively. The new values seem high
    > yet I still get those DENY entries in the firewall log. Is this the
    > problem? If so, can anyone suggest better values?
    >
    > -Mike


    A UDP rule in ipfilter that has a "keep state" will allow one response
    packet. What might happen here is that several packets are returned, and
    the last one(s) will be blocked.

    Try sending some queries to the server in question and see if you get
    responses.

    Increasing udptimeout won't help you (I think).
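As an added example (not code from either poster), here is a small Python parser for the ipmon log format quoted above. It picks out blocked inbound UDP packets from port 53 to an ephemeral port on the local resolver, i.e. DNS replies that ipfilter dropped, and counts them per upstream server, which is the quickest way to see whether the DENY entries cluster on particular servers. The local resolver address and all sample lines other than the one from the post are constructed.

```python
import re
from collections import Counter

# Constructed sample ipmon lines in the syslog format shown in the thread.
# The 85.10.207.149 line is the one from the post; the others are made up.
SAMPLE_LOG = """\
Oct 9 14:16:54 blackadder ipmon[12529]: [ID 702911 local0.warning] 14:16:54.207080 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR udp len 20 185 IN
Oct 9 14:16:55 blackadder ipmon[12529]: [ID 702911 local0.warning] 14:16:55.101010 bge0 @0:14 b 85.10.207.149,53 -> 120.113.128.1,43972 PR udp len 20 512 IN
Oct 9 14:17:01 blackadder ipmon[12529]: [ID 702911 local0.warning] 14:17:01.555555 bge0 @0:14 b 198.51.100.7,53 -> 120.113.128.1,50001 PR udp len 20 300 IN
Oct 9 14:17:03 blackadder ipmon[12529]: [ID 702911 local0.warning] 14:17:03.000001 bge0 @0:9 p 120.113.128.1,51234 -> 198.51.100.7,53 PR udp len 20 60 OUT
Oct 9 14:17:05 blackadder ipmon[12529]: [ID 702911 local0.warning] 14:17:05.123456 bge0 @0:14 b 203.0.113.9,4444 -> 120.113.128.1,22 PR tcp len 20 60 -S IN
"""

# Fields of one ipmon record: timestamp, interface, @group:rule, action
# (b = block, p = pass), src,port -> dst,port, protocol, header/total length,
# optional extras (e.g. TCP flags), and direction (IN/OUT).
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: .*?(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ (?P<total>\d+).*?\s(?P<dir>IN|OUT)$"
)


def parse_ipmon(line):
    """Return a dict of the record's fields, or None if the line is not ipmon output."""
    m = IPMON_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "total"):
        rec[key] = int(rec[key])
    return rec


def is_blocked_dns_reply(rec, local_hosts):
    """True for a dropped inbound UDP packet from port 53 to an ephemeral port on one of our hosts."""
    return (rec["action"] == "b" and rec["dir"] == "IN" and rec["proto"] == "udp"
            and rec["sport"] == 53 and rec["dport"] >= 1024
            and rec["dst"] in local_hosts)


def blocked_replies_per_server(log_text, local_hosts):
    """Count dropped DNS replies per upstream server address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec and is_blocked_dns_reply(rec, local_hosts):
            counts[rec["src"]] += 1
    return counts
```

Feed it the real /var/adm/ipmon output (or wherever ipmon logs on your system) and the local resolver's address; a server that shows up repeatedly is the one to query by hand, as the reply above suggests.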


