Quote from Romgo <ro...@free.fr>:
All right.
This seems to correct the issue.
But that's the first time I had to open the firewall for a packet answer.
Weird.
It is a somewhat special case. UDP by itself is not stateful at all, so
any stateful firewall has to use some timeout values to decide if the
"connection" is alive or not. The timeout is set really short most of
the time so as not to run out of resources, because there can be many UDP
"connections" and most of them are only two packets big (one out, one
incoming). On the other hand, a DNS query can take a lot of time until
an answer packet is on the way, so it might get dropped because of the
"closed" connection.
Normally you would not notice at all because DNS is designed to cope
with failed/timed-out queries, and the next attempt is faster because
of caching and finally gets through. So basically you have two options:
- Ignore the dropped packets
- Do not use stateful tracking for DNS
Regards
Andreas
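The second option in practice, as an added example that is not part of the thread: a Linux nftables ruleset that keeps stateful filtering for everything else but exempts the DNS exchange with the host's forwarder from connection tracking, so a slow reply is no longer treated as a new, unsolicited UDP packet. The forwarder address 192.0.2.53 and the table and chain names are placeholders.

```nft
# Added example, not from the thread. Assumes Linux nftables and a host that
# sends its DNS queries to a single forwarder at 192.0.2.53 (placeholder).
table inet filter {
    # Hook into the raw stage (priority -300) so these packets never get a
    # conntrack entry. Without this, a reply arriving after the short UDP
    # conntrack timeout (net.netfilter.nf_conntrack_udp_timeout, 30 s by
    # default) has no matching entry, is classified as NEW, and is dropped by
    # the input chain's default policy below.
    chain raw_out {
        type filter hook output priority -300; policy accept;
        ip daddr 192.0.2.53 udp dport 53 notrack
    }
    chain raw_in {
        type filter hook prerouting priority -300; policy accept;
        ip saddr 192.0.2.53 udp sport 53 notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        # Untracked DNS replies: match the forwarder's address and the client's
        # unprivileged source-port range, so "udp sport 53" alone does not
        # become a blanket allow for anything that spoofs a DNS source port.
        # A full recursive resolver cannot enumerate its upstreams and has to
        # drop the saddr match, relying on the destination port range only.
        ip saddr 192.0.2.53 udp sport 53 udp dport 1024-65535 ct state untracked accept
        ct state invalid drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load with `nft -f <file>` and confirm with `conntrack -L -p udp` that no port-53 entries appear anymore; if you prefer to keep DNS tracked, raising net.netfilter.nf_conntrack_udp_timeout is the alternative, at the cost of more conntrack entries.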
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users