Alice Wonder
2017-Apr-11 23:16 UTC
[CentOS] connection state tracking with DNS [was Primary DNS...]
Hi, I would like to see this addressed.

I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

Is there a firewalld solution to this issue?

On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative. If you need firewalling, use straight
> iptables.
>
> The reason is that firewalld always enables connection state tracking
> (at least as far as I can tell), and that should never be used in front
> of a DNS server. A public authoritative server or any caching server
> can get a high rate of requests, and having the kernel firewalling
> trying to track connection states is a bottleneck (one that will be
> reached before DNS software's limits).
>
> If you must firewall a DNS server, use straight iptables and do not use
> connection state tracking.
Gordon Messmer
2017-Apr-15 01:54 UTC
[CentOS] connection state tracking with DNS [was Primary DNS...]
On 04/11/2017 04:16 PM, Alice Wonder wrote:
> Hi, I would like to see this addressed.
> Is there a firewalld solution to this issue?

Yes:

# Disable connection tracking for UDP DNS traffic
# https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --reload
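An added audit script (not from the thread or from firewalld) that checks a rule listing for the two halves of the fix above: the raw-table `CT --notrack` rules for UDP/53 in both directions, and the filter-table `--ctstate UNTRACKED -j ACCEPT` rules without which the now-untracked DNS packets no longer match the usual ESTABLISHED rule and can be dropped. It assumes the one-rule-per-line text format of `firewall-cmd --direct --get-all-rules`; the sample listings are constructed from the rules in the reply.

```shell
#!/bin/sh
# check_dns_notrack <rules-text>
# Reads the output format of `firewall-cmd --direct --get-all-rules` (assumed:
# "ipv4 <table> <chain> <priority> <args...>", one rule per line), reports
# what is missing and returns 0 only when the DNS notrack setup is complete.
check_dns_notrack() {
    rules="$1"
    status=0
    inbound_untracked=0
    # Raw table: every combination of chain and port direction must be untracked.
    for chain in PREROUTING OUTPUT; do
        for port in dport sport; do
            if printf '%s\n' "$rules" | grep -Eq "^ipv4 raw $chain [0-9]+ .*-p udp .*--$port 53 .*-j CT --notrack"; then
                if [ "$chain" = PREROUTING ]; then inbound_untracked=1; fi
            else
                echo "MISSING: raw $chain udp --$port 53 -j CT --notrack"
                status=1
            fi
        done
    done
    # Filter table: untracked packets must be accepted explicitly. Having the raw
    # rules without these is the dangerous half-applied state.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$rules" | grep -Eq "^ipv4 filter $chain [0-9]+ .*--ctstate UNTRACKED .*-j ACCEPT"; then
            if [ "$inbound_untracked" = 1 ]; then
                echo "DANGER: inbound DNS is untracked but filter $chain has no UNTRACKED accept"
            else
                echo "MISSING: filter $chain -m conntrack --ctstate UNTRACKED -j ACCEPT"
            fi
            status=1
        fi
    done
    return $status
}

# Constructed sample: the complete rule set from the reply, as --get-all-rules would list it.
FULL_RULES='ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack'
# Constructed sample: only the raw-table half was applied.
HALF_RULES='ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack'

# Run with --live on a real host to audit the running firewalld configuration.
if [ "${1:-}" = --live ]; then check_dns_notrack "$(firewall-cmd --direct --get-all-rules)"; fi
```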
Alice Wonder
2017-Apr-15 02:23 UTC
[CentOS] connection state tracking with DNS [was Primary DNS...]
On 04/14/2017 06:54 PM, Gordon Messmer wrote:
> On 04/11/2017 04:16 PM, Alice Wonder wrote:
>> Hi, I would like to see this addressed.
>> Is there a firewalld solution to this issue?
>
> Yes:
>
> # Disable connection tracking for UDP DNS traffic
> # https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
> firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
> firewall-cmd --reload

Thank you!