On 28/05/13 19:40, ashish verma wrote:
>> That said, I can't believe the firewall was *actually* dropping 1500pps of
>> DNS traffic; we'd have widespread problems reported, surely. So, it seems
>> that maybe ALG-processed traffic is being counted under "packets dropped"
>> for "show security flow statistics"?
EDNS fallback perhaps?

I never understood the use of DNS ALGs; unless it's to perform a NAT translation on addresses (which is a really bad idea) they just seem like a waste of valuable resources. Far better to ACL down so that DNS queries can only go to trusted DNS servers which can run something that doesn't break on a malformed query.

-- 
Julien Goodwin
Studio442
"Blue Sky Solutioneering"
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
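As an added illustration of the "ACL down to trusted resolvers" approach Julien suggests (this is example configuration written for this page, not anything posted in the thread or taken from a Juniper document): on an SRX the equivalent is a security policy that permits DNS only to a named set of resolvers and denies DNS to everything else, with the DNS ALG switched off so the firewall stops inspecting query payloads. The zone names, address set and resolver addresses (192.0.2.53 and 192.0.2.54, from the documentation range) are assumed for the example; substitute the real resolvers.

```junos
## Disable the DNS ALG globally so DNS flows are handled as plain UDP/TCP 53
## sessions rather than being payload-inspected (assumed to be the desired
## behaviour here, per the thread).
set security alg dns disable

## Constructed resolver addresses (192.0.2.0/24 is a documentation range).
set security address-book global address resolver-1 192.0.2.53/32
set security address-book global address resolver-2 192.0.2.54/32
set security address-book global address-set trusted-resolvers address resolver-1
set security address-book global address-set trusted-resolvers address resolver-2

## Permit DNS (UDP and TCP) only to the trusted resolvers.
set security policies from-zone trust to-zone untrust policy allow-trusted-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-trusted-dns match destination-address trusted-resolvers
set security policies from-zone trust to-zone untrust policy allow-trusted-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-trusted-dns match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy allow-trusted-dns then permit

## Explicitly deny (and log) DNS to any other destination, so strays show up
## in the policy log instead of being silently lost in the flow counters.
set security policies from-zone trust to-zone untrust policy deny-other-dns match source-address any
set security policies from-zone trust to-zone untrust policy deny-other-dns match destination-address any
set security policies from-zone trust to-zone untrust policy deny-other-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy deny-other-dns match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy deny-other-dns then deny
set security policies from-zone trust to-zone untrust policy deny-other-dns then log session-init
```

Policy order matters: `allow-trusted-dns` must precede `deny-other-dns` within the trust-to-untrust context (use `insert ... before` if the deny already exists). After committing, `show security alg status` should report the DNS ALG as disabled, and `show security flow statistics` can be re-checked to see whether the drop counter that started the thread still climbs once ALG processing is out of the path.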

