On Thu, 2004-08-05 at 11:40, Ben Vitale wrote:
David Cary Hart wrote:
By some chance are you using conntrack?
I don't believe I am using conntrack - not even sure what that is.
conntrack is the IPTables connection tracking module. It is usually unnecessary and (supposedly) slows down DNS considerably if used.
conntrack is absolutely necessary if you want to use ESTABLISHED or RELATED rules. Without these you would need to open all high numbered ports in the firewall.
It will only slow down DNS queries if your firewall is poorly configured. The standard timeout for UDP responses in ip_conntrack is 30s. If your DNS server takes longer than that to respond the packets will be blocked unless you have specific rules to allow DNS replies from your DNS servers.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555