An odd statement possibly, but I’m looking for a way to solve a problem (even if it’s a temporary solution).
The DC firewalls have changed and the recursors are located in a DMZ behind two HA firewalls in active/active mode. So far so good. The firewalls sync their state tables, so asymmetric return traffic works fine. Except when the recursor replies so quickly that the sync hasn't updated the state table yet for the return packets. As a result we're seeing a few drops among a lot of perfectly fine traffic. I have a few things I can do:

1) Permit all outbound traffic with source udp/53 from the recursors. Not ideal, but low risk.
2) Raise a support ticket with the firewall vendor. Will do this, but not holding my breath for a solution (if any).
3) Delay DNS replies a millisecond or so. Not ideal as this introduces delay.

Thoughts?

-- 
Best regards,
Djerk Geurts
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
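As an added illustration, not code from the thread or from PowerDNS, here is a small Python model of the race the post describes. It assumes a simplified firewall pair: the unit that sees the query creates a state entry immediately, and its peer only learns of the entry after a fixed sync latency (assumed 1 ms here); a reply that leaves through the peer before that is dropped unless a stateless rule permits it. The sample flows, the `Query` type and the two mitigation switches (`permit_sport53` for option 1, `delay_ms` for option 3) are all constructed for the example. It shows which flows drop, why only fast answers on the asymmetric path are affected, and how much delay option 3 would actually need.

```python
"""Toy model of an HA-firewall state-sync race on asymmetric DNS replies.

Added example, not from the mailing-list thread. Simplified assumptions:
the ingress firewall inserts a state entry at once, the peer gets it only
after SYNC_MS, and sync latency is constant. Real firewalls sync
asynchronously with variable latency; this only illustrates the mechanism.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ingress_fw: str    # firewall that saw the client's query ("A" or "B")
    egress_fw: str     # firewall the recursor's reply is routed through
    reply_ms: float    # time from query arrival to the recursor's reply


def reply_allowed(q: Query, sync_ms: float,
                  permit_sport53: bool = False,
                  delay_ms: float = 0.0) -> bool:
    """Return True if the reply passes the firewall pair.

    permit_sport53: option 1 from the post, a stateless rule permitting
                    outbound UDP with source port 53 from the recursors.
    delay_ms:       option 3, an artificial delay added to every reply.
    """
    if permit_sport53:
        return True                      # no state lookup needed at all
    if q.egress_fw == q.ingress_fw:
        return True                      # symmetric path: local entry exists
    # Asymmetric path: the peer only has the entry once sync has completed.
    return q.reply_ms + delay_ms >= sync_ms


def count_drops(queries, sync_ms: float, **options) -> int:
    """Number of replies the pair would drop under the given options."""
    return sum(not reply_allowed(q, sync_ms, **options) for q in queries)


def min_delay_to_fix(queries, sync_ms: float) -> float:
    """Smallest extra delay (ms) that makes every asymmetric reply pass."""
    needed = [sync_ms - q.reply_ms for q in queries
              if q.egress_fw != q.ingress_fw and q.reply_ms < sync_ms]
    return max(needed, default=0.0)


# Constructed sample: cache hits answer in well under a millisecond,
# cache misses take a round trip upstream. Some flows return through
# the other firewall (asymmetric), some through the same one.
SAMPLE = [
    Query("A", "A", 0.2),   # cache hit, symmetric: fine
    Query("A", "B", 0.2),   # cache hit, asymmetric: faster than sync, dropped
    Query("B", "A", 0.4),   # cache hit, asymmetric: faster than sync, dropped
    Query("A", "B", 12.0),  # cache miss, asymmetric: sync long done, fine
    Query("B", "B", 0.3),   # cache hit, symmetric: fine
    Query("B", "A", 0.9),   # cache hit, asymmetric: just too fast, dropped
    Query("A", "B", 1.5),   # cache hit, asymmetric, but sync already finished
]
SYNC_MS = 1.0  # assumed state-sync latency between the two firewalls


if __name__ == "__main__":
    print("drops, no mitigation   :", count_drops(SAMPLE, SYNC_MS))
    print("drops, permit sport 53 :", count_drops(SAMPLE, SYNC_MS, permit_sport53=True))
    print("drops, +1 ms delay     :", count_drops(SAMPLE, SYNC_MS, delay_ms=1.0))
    print("min delay needed (ms)  :", min_delay_to_fix(SAMPLE, SYNC_MS))
```

The point the model makes explicit is that only the asymmetric cache-hit replies are exposed: anything slower than the sync latency is safe regardless of path, which is why the drops appear as a small fraction of otherwise healthy traffic. Option 1 removes the dependency on state entirely, while option 3 only works if the added delay is at least the worst-case sync latency, which `min_delay_to_fix` estimates for the sample.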