On 8/9/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Thu, Aug 09, 2007 at 10:42:30PM +0200, thomas polnik wrote:
> > > You may want to try without the firewall.
> > without iptables is perhaps a bad idea :), but I will change it to
> > iptables -I INPUT 1 -p udp --dport 53 -j ACCEPT
> > iptables -I INPUT 2 -p tcp --dport 53 -j ACCEPT
> This is wrong - you need to accept packets *coming* from port 53 for
> answers as well.
> Otherwise PowerDNS can't receive answers to the questions it is sending out!
> The trick is to rely on stateful iptables filtering.
The problem could very well be the statefulness of iptables, as Kenneth alludes to. Check /proc/net/ip_conntrack, as you are most likely exhausting the limits placed on the number of entries in the conntrack table. You'll find some good info from the following Google link:

http://www.google.com/search?q=%2Fproc%2Fnet%2Fip_conntrack+%22too+many%22

Basically you want to turn stateful packet filtering off for all those DNS requests; something like this would work:

# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NOTRACK    tcp  --  anywhere             anywhere            tcp dpt:domain
NOTRACK    udp  --  anywhere             anywhere            udp dpt:domain
NOTRACK    tcp  --  anywhere             anywhere            tcp spt:domain dpts:1024:65535
NOTRACK    udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NOTRACK    tcp  --  anywhere             anywhere            tcp spt:domain
NOTRACK    udp  --  anywhere             anywhere            udp spt:domain
NOTRACK    tcp  --  anywhere             anywhere            tcp dpt:domain
NOTRACK    udp  --  anywhere             anywhere            udp dpt:domain

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
...
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535

Note that you won't know which port your recursive answers will come back to, thus the '1024:65535' rules; this is because you are not tracking the connection anymore.

-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
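The rule set shown in the post, written out as the iptables commands that produce it, plus a conntrack-usage check; this is an added example, not code from the thread. It assumes the nf_conntrack sysctl names used by current kernels (the 2007 post refers to the older /proc/net/ip_conntrack), and the file paths are parameters so the check can be exercised on constructed values.

```bash
#!/bin/sh
# Added example: NOTRACK rules for DNS traffic in both directions, the
# stateless INPUT accepts they require, and a conntrack-table usage check.

# Raw-table NOTRACK rules: queries arriving at port 53, answers returning
# from upstream port 53 to an ephemeral port, and the mirror image on OUTPUT.
dns_notrack_rules() {
    for proto in udp tcp; do
        echo "iptables -t raw -A PREROUTING -p $proto --dport 53 -j NOTRACK"
        echo "iptables -t raw -A PREROUTING -p $proto --sport 53 --dport 1024:65535 -j NOTRACK"
        echo "iptables -t raw -A OUTPUT -p $proto --sport 53 -j NOTRACK"
        echo "iptables -t raw -A OUTPUT -p $proto --dport 53 -j NOTRACK"
    done
}

# Because these packets are no longer tracked, an ESTABLISHED,RELATED rule
# will not let the answers in; they must be accepted explicitly by port.
# The ephemeral range is the reason for the 1024:65535 rules in the post.
dns_input_rules() {
    for proto in udp tcp; do
        echo "iptables -A INPUT -p $proto --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -p $proto --sport 53 --dport 1024:65535 -j ACCEPT"
    done
}

# Conntrack table fill level in percent. Defaults are the nf_conntrack paths
# on current kernels (assumed); pass other files to test or for old kernels.
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Stand-alone demo on constructed values (not a real host's table).
demo_dir=$(mktemp -d)
echo 61000 > "$demo_dir/count"
echo 65536 > "$demo_dir/max"
echo "constructed conntrack usage: $(conntrack_usage_pct "$demo_dir/count" "$demo_dir/max")%"
rm -rf "$demo_dir"
```

Run the emitted rule lines through `sh` only after reviewing them against the existing chains, since `-A` appends after whatever rules are already there.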
