On 02/01/2014 17:32, Eugeniu Patrascu wrote:
> My reasoning on putting something stateful was to have it timeout
> connections in 2-3 seconds max (Windows for example has 2 sec. DNS server
> query timeout).
There's no reason to maintain state in two places (firewall + dns server) when only one is necessary. You're only introducing an extra failure vector. Besides which, when your firewall table runs out of slots, the failure mode is catastrophic.

Best to separate auth + resolver to separate systems and run stateless packet filters in front of both, with permit for tcp/udp port 53 + the usual other things.

Nick

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
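As an added illustration of the stateless design Nick describes (this is editor-supplied example config, not from anyone in the thread), here is a Cisco IOS ACL pair for an upstream interface with the two roles on separate hosts. All addresses, the ephemeral port range and the interface name are assumptions: authoritative server 192.0.2.53, recursive resolver 192.0.2.54, client LAN 198.51.100.0/24 reaching the resolver via an inside interface.

```cisco
! Added example, not from the thread. Assumed: auth server 192.0.2.53,
! resolver 192.0.2.54, upstream interface GigabitEthernet0/0, resolver
! ephemeral source ports 1024-65535. No connection table anywhere.
ip access-list extended DNS-EDGE-IN
 remark --- authoritative server: inbound queries only ---
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 remark --- resolver: answers to its own queries return from src port 53 ---
 remark (the resolver matches answers by query ID/port itself, no FW state)
 permit udp any eq 53 host 192.0.2.54 range 1024 65535
 permit tcp any eq 53 host 192.0.2.54 range 1024 65535 established
 remark --- resolver port 53 is never opened toward the Internet ---
 remark --- PMTU signalling so large EDNS0/TCP answers keep working ---
 permit icmp any host 192.0.2.53 packet-too-big
 permit icmp any host 192.0.2.54 packet-too-big
 deny ip any any log
!
ip access-list extended DNS-EDGE-OUT
 remark --- authoritative server may only emit responses from port 53 ---
 permit udp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.53 eq 53 any
 remark --- resolver may only emit queries toward port 53 ---
 permit udp host 192.0.2.54 range 1024 65535 any eq 53
 permit tcp host 192.0.2.54 range 1024 65535 any eq 53
 deny ip any any log
!
interface GigabitEthernet0/0
 description upstream
 ip access-group DNS-EDGE-IN in
 ip access-group DNS-EDGE-OUT out
```

Keeping the two roles on different addresses is what lets the "any -> eq 53" rule stay limited to the authoritative host while the resolver's port 53 is never exposed upstream, so nothing has to be remembered per flow and a full state table can never become the failure mode.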