On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> Dear community,
> 
> I do have many errors in my Bind's log file, such as:
> 
> client 192.168.201.1#29404: error sending response: host unreachable
> 
> It seems that I have an iptables issue, as each time I shut iptables down 
> this message doesn't show up anymore.

You're probably exhausting the firewall state table with DNS traffic under 
load, causing the traffic to be blocked with an ICMP "host unreachable" 
response.

> I saw that my firewall is dropping packets from the DNS server itself towards 
> the client, as the source port is SPT=53/UDP.
> 
> I am using bind 9.6; it should use a random port >1024 for the source port. (I 
> didn't specify the query-source parameter).
> 
> Nevertheless, DNS resolution seems to be working fine.

Adjust your firewall to permit UDP and TCP traffic needed for DNS without 
keeping state, or only keep state on external traffic, but not between your 
nameserver(s) and your local clients...

Regards,
-- 
-Chuck
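
Chuck's suggestion worked into an added example that is not from the thread: a POSIX sh script for the nameserver host that exempts DNS between the server and its LAN clients from connection tracking, accepts that untracked traffic explicitly, and checks how full the conntrack table is. The LAN interface eth1 and the client network 192.168.201.0/24 are assumptions; rules are printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: exempt nameserver<->LAN DNS traffic from
# conntrack and check the state table. LAN_IF and LAN_NET are assumptions.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.201.0/24}"

# Print a rule (dry run) or apply it with iptables when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# raw/NOTRACK runs before tracking, so DNS to and from local clients never
# occupies a conntrack slot, whatever the query rate.
dns_notrack_rules() {
    for proto in udp tcp; do
        rule -t raw -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j NOTRACK
        rule -t raw -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -p "$proto" --sport 53 -j NOTRACK
    done
}

# Untracked packets never match --state ESTABLISHED, so a stateful ruleset
# would drop the SPT=53 replies; accept them explicitly, inserted ahead of
# any existing --state INVALID drop.
dns_accept_rules() {
    for proto in udp tcp; do
        rule -I INPUT  -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j ACCEPT
        rule -I OUTPUT -o "$LAN_IF" -d "$LAN_NET" -p "$proto" --sport 53 -j ACCEPT
    done
}

# Conntrack fill level in percent. Paths are parameters so the check also
# works on saved copies of /proc/sys/net/netfilter/nf_conntrack_{count,max}.
conntrack_fill_pct() {
    count=$(cat "${1:-/proc/sys/net/netfilter/nf_conntrack_count}")
    max=$(cat "${2:-/proc/sys/net/netfilter/nf_conntrack_max}")
    echo $(( count * 100 / max ))
}

# Non-zero status at 90% or more; at 100% the kernel drops every packet
# that would need a new entry.
check_conntrack() {
    pct=$(conntrack_fill_pct "$@")
    if [ "$pct" -ge 90 ]; then echo "WARN conntrack ${pct}% full"; return 1; fi
    echo "OK conntrack ${pct}% full"
}

dns_notrack_rules
dns_accept_rules
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then check_conntrack || true; fi
```

Run it once as a dry run, review the printed rules against the existing chain order, then rerun with APPLY=1 as root.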


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
