On 29/05/2013 20:24, Morgan McLean wrote:
Side note on the DNS ALG, RHEL 6 doesn't like the SRX DNS ALG. RHEL 6
makes both A and AAAA lookups for each name resolution in the same
connection, resulting in two requests being sent out, one response being
received and the session closing, cutting off the second response. This
causes a 5-10 second timeout for every name resolution on the server.

That's not RHEL6-specific. glibc has done A/AAAA lookups like this for a while now, and I've had problems with other stateful devices (load balancers in front of DNS recursive servers) as a result.

See also https://bugzilla.redhat.com/show_bug.cgi?id=505105

In addition, my testing boxes *were* RHEL6 and the DNS ALG seemed to be forwarding them fine - indeed, during my testing I saw other hosts sending tens of DNS requests down the same socket pair, and all were forwarded fine.

Are you running an older JunOS - maybe they fixed it?


There is a flag you can set under the resolv.conf to require a new
socket per query, or you can turn off the DNS ALG. Could also custom
define a DNS service that times out in 10 seconds or something?

Even a 10 second timeout results in a significant rise in sessions - we tested exactly that.
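A small probe for the behaviour discussed above, added here as an example and not code from either poster: it hand-builds an A and an AAAA query, sends both from one UDP socket (the same 5-tuple glibc uses for its parallel lookup) and reports which answers come back, so a missing AAAA reply points at a stateful device closing the session after the first response. The resolver address is a placeholder and the transaction IDs are constructed values.

```python
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(qid: int, name: str, qtype: int) -> bytes:
    """Minimal RD=1 DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def response_id(data: bytes) -> int:
    """Transaction ID: the first two bytes of any DNS message."""
    return struct.unpack("!H", data[:2])[0]


def probe(resolver: str, name: str, timeout: float = 2.0) -> dict:
    """Send A then AAAA from ONE socket; return {qtype: answered}.

    Both answers arriving means the path handles two queries on one
    session; only the first arriving reproduces the ALG cut-off.
    """
    ids = {QTYPE_A: 0x1234, QTYPE_AAAA: 0x1235}  # constructed IDs
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for qtype, qid in ids.items():
            sock.sendto(build_query(qid, name, qtype), (resolver, 53))
        for _ in ids:
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                break  # the second reply never made it through
            seen.add(response_id(data))
    return {qtype: qid in seen for qtype, qid in ids.items()}


if __name__ == "__main__":
    RESOLVER = "192.0.2.53"  # placeholder: recursive server behind the ALG
    print(probe(RESOLVER, "example.com"))
```

The resolv.conf flag mentioned in the quoted mail is glibc's `options single-request-reopen`, which closes the socket and opens a new one for the second query when the first reply is the only one that arrives.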
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
