
Re: urgent - netfilter rejecting 60% of DNS requests!



Are you accounting for both UDP and TCP port 53?

If you aren't getting anything in your logs, try adding a log rule to
help you diagnose before the packet defaults to the policy (drop?)

iptables -A .... \
-m limit --limit-burst 10 --limit 10/m \
-j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE"

Then you can see the nature of the packet that was lost.

// George


On Wed, Oct 01, 2003 at 02:33:12PM -0300, Martin Ferrari - Decidir IT wrote:
>Hi, I don't know what's happening, but I discovered that my firewall is
>currently rejecting with port unreachable about 60% of the DNS queries I
>receive, but this is not happening with the other kind of traffic I manage
>(http and smtp).
>
>I use connection tracking and ip_conntrack_max is set to 32k. Dmesg doesn't
>report anything!
>
>Please, ANY help would be greatly welcomed!
>

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
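An added example, not code from George's reply: it spells out the diagnostic he describes, LOG rules for both UDP and TCP port 53 placed at the end of a chain so packets are logged just before the chain policy, and a small summary over the kernel log lines those rules produce. The chain name, the log prefix argument and the sample log lines are assumptions constructed for the demonstration (the original rule elides the chain).

```shell
#!/bin/sh
# Print (do not run) the rate-limited LOG rules to append at the end of a
# chain, one for UDP and one for TCP, so any DNS packet about to fall off
# the end of the table gets logged before the chain policy acts on it.
dns_log_rules() {
    chain="$1"    # e.g. INPUT (assumed; the original post does not name it)
    prefix="$2"   # e.g. DROPPED_OFF_END_OF_TABLE
    for proto in udp tcp; do
        printf 'iptables -A %s -p %s --dport 53 -m limit --limit 10/m --limit-burst 10 -j LOG --log-level notice --log-prefix "%s: "\n' \
            "$chain" "$proto" "$prefix"
    done
}

# Read kernel LOG lines on stdin and count packets per PROTO/DPT for the
# given prefix, so you can see whether the lost queries are UDP, TCP or both.
summarize_dns_log() {
    prefix="$1"
    grep -F "$prefix" \
      | sed -n 's/.*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\1\/\2/p' \
      | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample of what the LOG target writes (not real captured logs).
SAMPLE_LOG=$(cat <<'EOF'
Oct  1 14:33:12 fw kernel: DROPPED_OFF_END_OF_TABLE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=64 TTL=64 PROTO=UDP SPT=33001 DPT=53 LEN=44
Oct  1 14:33:13 fw kernel: DROPPED_OFF_END_OF_TABLE: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.1 LEN=64 TTL=64 PROTO=UDP SPT=33002 DPT=53 LEN=44
Oct  1 14:33:14 fw kernel: DROPPED_OFF_END_OF_TABLE: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.1 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=53 WINDOW=5840 SYN
Oct  1 14:33:15 fw kernel: OTHER_RULE: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.1 LEN=60 TTL=64 PROTO=TCP SPT=41001 DPT=80 SYN
EOF
)

# Show the rules to add, then the per-protocol summary of the sample log.
dns_log_rules INPUT DROPPED_OFF_END_OF_TABLE
printf '%s\n' "$SAMPLE_LOG" | summarize_dns_log DROPPED_OFF_END_OF_TABLE
```

On a live box, feed `dmesg` or `/var/log/messages` into `summarize_dns_log` instead of the sample.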
