Diego Garcia <diegar...@gmail.com> wrote:
>
> Each 20/30 minutes and lasting about 5 minutes I got 'timeout' in bind
> queries. After that time everything works fine again.
>
> My bind server got response (from 0.1 to 2 seconds) but reply with an ICMP
> 'port unreachable'.
>
> Any idea the problem or what I can check?
>
> Firewall is off while testing.
>
> My bind server is a NAT router.

It sounds like the NAT is interfering with BIND's resolver. In general,
NAT (as well as stateful firewalls) do not work well with the DNS, because
UDP port randomization uses a lot of (mostly useless) connection-tracking
state. So it's best to put a full service resolver outside a NAT if
possible.

In your case, I guess there are several possible IP addresses that BIND
can use as the query source address. Try setting the query-source option
in named.conf to an IP address that's outside the NAT. You will need to
use tcpdump to verify that the right packets with the right addresses are
appearing on the wire.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Portland, Plymouth: Northeast, veering east or southeast, 3 or 4. Slight or
moderate, occasionally rough at first in Plymouth. Fog patches at first in
south. Moderate or good, occasionally very poor at first in south.
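
Added example (not from the original thread): one way to carry out the tcpdump check suggested above, reading `tcpdump -n` text output and reporting queries sent from an address other than the intended query-source, plus upstream replies that the resolver host answered with ICMP port unreachable. The capture lines, the addresses and the `audit` function name are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump -n text formats for IPv4 UDP packets and ICMP port-unreachable errors.
UDP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")
ICMP_RE = re.compile(
    r"^\S+ IP \d+\.\d+\.\d+\.\d+ > (\d+\.\d+\.\d+\.\d+): "
    r"ICMP (\d+\.\d+\.\d+\.\d+) udp port (\d+) unreachable")

# Constructed capture using documentation addresses; not data from the thread.
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.53124 > 198.51.100.53.53: 4242+ A? example.com. (29)
12:00:01.200000 IP 198.51.100.53.53 > 192.0.2.10.53124: 4242 1/0/0 A 203.0.113.7 (45)
12:00:02.000000 IP 10.0.0.1.40111 > 198.51.100.53.53: 4243+ A? example.org. (29)
12:00:03.000000 IP 192.0.2.10.53125 > 198.51.100.53.53: 4244+ A? example.net. (29)
12:00:04.500000 IP 198.51.100.53.53 > 192.0.2.10.53125: 4244 1/0/0 A 203.0.113.8 (45)
12:00:04.500100 IP 192.0.2.10 > 198.51.100.53: ICMP 192.0.2.10 udp port 53125 unreachable, length 81
""".splitlines()

def audit(lines, expected_src):
    """Return (queries per unexpected source address, replies rejected with ICMP)."""
    wrong_src = Counter()  # source address -> queries sent from it
    replies = set()        # (server, local address, local port) of replies seen
    rejected = []          # replies later answered with ICMP port unreachable
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            key = (m.group(1), m.group(2), int(m.group(3)))
            if key in replies:
                rejected.append(key)
            continue
        m = UDP_RE.match(line)
        if not m:
            continue  # not IPv4 UDP in the expected text format
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == 53:
            if src != expected_src:
                wrong_src[src] += 1
        elif sport == 53:
            replies.add((src, dst, dport))
    return wrong_src, rejected

if __name__ == "__main__":
    wrong, rejected = audit(SAMPLE, "192.0.2.10")
    for addr, n in wrong.items():
        print(f"{n} query(ies) sent from unexpected source {addr}")
    for server, ip, port in rejected:
        print(f"reply from {server} to {ip}:{port} rejected with port unreachable")
```

To use it on a real capture, pass the lines of saved `tcpdump -n` output and the address configured as the query source.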