[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: urgent - netfilter rejecting 60% of DNS requests!

are you accounting for both udp and tcp port 53?

If you aren't getting anything in your logs, try adding a log rule to
help you diagnose before the packet defaults to the policy (drop?)

iptables -A .... \
-m limit --limit-burst 10 --limit 10/m \
-j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE"

then you can see the nature of the packet that was lost.

// George

On Wed, Oct 01, 2003 at 02:33:12PM -0300, Martin Ferrari - Decidir IT wrote:
>Hi, I don't know what's happening, but I discovered that my firewall is
>currently rejecting with port unreachable about 60% of the DNS queries I
>receive, but this is not happening with the other kind of traffic I manage
>(http and smtp).
>I use connection tracking and ip_conntrack_max is set to 32k. Dmesg doesn't
>report anything!
>Please, ANY help would be greatly welcomed!

GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 

Reply to: