The primary use of the DNS ALG is to reduce session count. This is very 
apparent on NetScreens. I reduced 500k sessions down to 400k by turning it on. 
That said, you can achieve similar results by setting DNS-specific policies 
with short timeouts.

Will

On May 28, 2013, at 8:41 AM, "Julien Goodwin" <jgood...@studio442.com.au> wrote:

> On 28/05/13 19:40, ashish verma wrote:
>>> That said, I can't believe the firewall was *actually* dropping 1500pps of
>>> DNS traffic; we'd have widespread problems reported, surely. So, it seems
>>> that maybe ALG-processed traffic is being counted under "packets dropped"
>>> for "show security flow statistics"?
> 
> EDNS fallback perhaps?
> 
> I never understood the use of DNS ALGs, unless it's to perform a NAT
> translation on addresses (which is a really bad idea); they just seem
> like a waste of valuable resources. Far better to ACL down so that DNS
> queries can only go to trusted DNS servers which can run something that
> doesn't break on a malformed query.
> 
> 
> -- 
> Julien Goodwin
> Studio442
> "Blue Sky Solutioneering"
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
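The two alternatives raised in this thread (Will's DNS-specific policies with short timeouts, and Julien's suggestion to ACL DNS down to trusted resolvers) can be expressed together on a Junos SRX. The configuration below is an added example written for this page, not something posted by either participant or taken from Juniper documentation; the zone names `trust`/`untrust`, the resolver addresses, and the policy and application names are placeholders chosen for illustration.

```junos
# Added example: replace the DNS ALG with a short-timeout DNS application
# and a policy that only permits queries to a known set of resolvers.
# Zone names, addresses and object names are placeholders.

# Stop the flow engine from running ALG inspection on every DNS packet.
set security alg dns disable

# Custom DNS applications with an explicit inactivity timeout (seconds),
# so idle query sessions age out quickly instead of at the default
# timeout of the predefined junos-dns-udp / junos-dns-tcp applications.
set applications application dns-udp-short protocol udp destination-port 53 inactivity-timeout 5
set applications application dns-tcp-short protocol tcp destination-port 53 inactivity-timeout 30
set applications application-set dns-short application dns-udp-short
set applications application-set dns-short application dns-tcp-short

# Address book entries for the resolvers clients are allowed to reach
# (documentation-range addresses used as placeholders).
set security address-book global address resolver-1 192.0.2.53/32
set security address-book global address resolver-2 198.51.100.53/32
set security address-book global address-set trusted-resolvers address resolver-1
set security address-book global address-set trusted-resolvers address resolver-2

# Permit DNS only to the trusted resolvers, using the short-timeout applications.
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address trusted-resolvers
set security policies from-zone trust to-zone untrust policy allow-dns match application dns-short
set security policies from-zone trust to-zone untrust policy allow-dns then permit
set security policies from-zone trust to-zone untrust policy allow-dns then log session-close

# Explicitly deny DNS to any other destination so it cannot fall through
# to a broader permit rule further down the policy list.
set security policies from-zone trust to-zone untrust policy deny-other-dns match source-address any
set security policies from-zone trust to-zone untrust policy deny-other-dns match destination-address any
set security policies from-zone trust to-zone untrust policy deny-other-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy deny-other-dns match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy deny-other-dns then deny
set security policies from-zone trust to-zone untrust policy deny-other-dns then log session-init

# Policy order is significant: if an "allow-all" style policy already exists
# in this zone pair, move these two above it, e.g.
# insert security policies from-zone trust to-zone untrust policy allow-dns before policy <existing-policy>
```

After committing, `show security flow session summary` before and after the change gives the same session-count comparison Will describes, and `show security alg status` confirms the DNS ALG is off. Denied queries to non-approved resolvers show up in the session-init logs of `deny-other-dns`, which is a useful place to look for hosts that have been pointed at an unexpected resolver.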
