If the NAT process is not application aware, and therefore can't distinguish DNS from any other UDP app, it will be subject to the session timeout for UDP. Check your router options and see if it has a setting specific to DNS timeouts. If not, maybe lower the general UDP timeouts so the stale ones don't stay in the table as long.
Also, your router may have session/NAT limits you can adjust to ensure these 20 users don't DoS your router's NAT resources.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bigras, Guy
Sent: Tuesday, November 25, 2008 9:24 AM
To: ntop@unipi.it
Subject: [Ntop] Hosts Summary Information - Port Usage

Hi there,

I'm noticing a lot of dynamic NAT bindings at my internet router (4000 out of a maximum of 8000). This router services a small school with about 20 users. The school uses its own router that is natting. The majority of the NAT bindings belong to that school's NAT router. So I don't have any visibility past their router.

On the host info page of their router, Ntop is showing that the domain port 53 usage is 2754/130.2 Kbytes and http port 80 is at 1492/2.0 Mbytes. I'm guessing the first number represents the number of open sessions? Why so many? With only 20 users (not simultaneous, I'm sure)?

I have had host warnings before (yellow flag) showing that there were a lot of host contacts (over 1200). I just can't believe so many DNS sessions are required and why they stay open so long. Is this an indication of P2P traffic or worm/virus infestation(s)?

Using ntop version: 3.3.5

thanks,
Guy

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
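
Added example (not part of the original thread): a small model of the point in the reply above, that a NAT which cannot tell DNS from other UDP holds each query's binding for the full generic UDP timeout. The 20 hosts match the thread; the query rate, the 300 s and 10 s timeouts, and all function names are constructed assumptions.

```python
"""Model of NAT table occupancy for DNS behind a non-application-aware NAT."""
import heapq


def dns_queries(hosts, per_host_interval, duration):
    """Constructed workload: every host sends one DNS query each
    per_host_interval seconds, each from a fresh ephemeral source port,
    so every query needs its own NAT binding."""
    events = []
    for h in range(hosts):
        t, port = 0.0, 1024
        while t < duration:
            events.append((t, f"10.0.0.{h + 1}", port, 53))
            port += 1
            t += per_host_interval
    return sorted(events)


def peak_bindings(events, udp_timeout, dns_timeout=None):
    """Return the peak number of simultaneous NAT bindings.

    dns_timeout=None models a NAT that treats DNS like any other UDP flow
    and keeps the binding for the generic UDP idle timeout. The reply
    packet is assumed to arrive immediately, so the idle timer effectively
    starts at the query time."""
    expiries = []  # min-heap of binding expiry times
    peak = 0
    for t, _src, _sport, dport in events:
        while expiries and expiries[0] <= t:
            heapq.heappop(expiries)  # binding aged out of the table
        if dns_timeout is not None and dport == 53:
            timeout = dns_timeout    # DNS-specific timeout setting
        else:
            timeout = udp_timeout    # generic UDP session timeout
        heapq.heappush(expiries, t + timeout)
        peak = max(peak, len(expiries))
    return peak


if __name__ == "__main__":
    # 20 hosts, one query every 2 s each, observed for 15 minutes (constructed).
    workload = dns_queries(hosts=20, per_host_interval=2.0, duration=900.0)
    print("generic UDP timeout 300 s:", peak_bindings(workload, 300.0))
    print("DNS-specific timeout 10 s:", peak_bindings(workload, 300.0, 10.0))
```

Steady-state occupancy is roughly the query rate multiplied by the timeout, which is why shortening the timeout applied to port 53 shrinks the table without any change in user behaviour.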