Re: urgent - netfilter rejecting 60% of DNS requests!
Are you accounting for both UDP and TCP port 53?
If you aren't getting anything in your logs, try adding a log rule to
help you diagnose before the packet defaults to the policy (drop?)
iptables -A .... \
-m limit --limit-burst 10 --limit 10/m \
-j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE"
Then you can see the nature of the packet that was lost.
// George
On Wed, Oct 01, 2003 at 02:33:12PM -0300, Martin Ferrari - Decidir IT wrote:
>Hi, I don't know what's happening, but I discovered that my firewall is
>currently rejecting with port unreachable about 60% of the DNS queries I
>receive, but this is not happening with the other kind of traffic I manage
>(http and smtp).
>
>I use connection tracking and ip_conntrack_max is set to 32k. Dmesg doesn't
>report anything!
>
>Please, ANY help would be greatly welcomed!
>
--
GEORGE GEORGALIS, System Admin/Architect cell: 646-331-2027 <IXOYE><
Security Services, Web, Mail, mailto:george@galis.org
Multimedia, DB, DNS and Metrics. http://www.galis.org/george
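An added example (not George's or the list's code) that follows his two suggestions: emit the diagnostic LOG rule for both UDP and TCP port 53, and summarise the resulting kernel log lines by protocol so the UDP/TCP split is visible at a glance. The INPUT chain, the log prefix and the sample log lines are assumptions and constructed data, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from George's post. Emits LOG rules for both UDP and
# TCP port 53 and summarises the kernel log lines they produce. The INPUT
# chain and the log prefix are assumptions; adjust them to the real ruleset.

# Print (rather than run) one LOG rule per protocol, to be appended after
# the existing accept rules so only packets about to hit the policy match.
dns_log_rules() {
    chain=${1:-INPUT}
    for proto in udp tcp; do
        printf 'iptables -A %s -p %s --dport 53 -m limit --limit 10/m --limit-burst 10 -j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE "\n' "$chain" "$proto"
    done
}

# Count logged packets per protocol whose destination port is 53, reading
# syslog/dmesg lines on stdin. Fields follow the netfilter LOG target format
# (PROTO=..., SPT=..., DPT=...); anything without the prefix is ignored.
summarise_dns_drops() {
    awk '
        /DROPPED_OFF_END_OF_TABLE/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt == "53") count[proto]++
        }
        END { for (p in count) printf "%s %d\n", p, count[p] }
    ' | sort
}

# Constructed sample log lines (documentation addresses, not real traffic):
# two UDP queries and one TCP query to port 53, plus one unrelated TCP/80 hit.
SAMPLE_LOG='Oct  1 14:33:12 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=40123 DPT=53 LEN=40
Oct  1 14:33:12 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=53 WINDOW=5840 SYN
Oct  1 14:33:13 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=40124 DPT=53 LEN=40
Oct  1 14:33:14 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 SYN'

dns_log_rules INPUT
printf '%s\n' "$SAMPLE_LOG" | summarise_dns_drops
```

On a live box, replace the sample with `dmesg` or the syslog file piped into summarise_dns_drops; a count that is all UDP with TCP absent (or the reverse) points straight at the missing protocol rule George asks about.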