Diego Garcia wrote:
>
> Every 20/30 minutes, and lasting about 5 minutes, I got 'timeout' in bind
> queries. After that time everything works fine again.
>
> My bind server got a response (from 0.1 to 2 seconds) but replied with an ICMP
> 'port unreachable'.
>
> Any idea what the problem is or what I can check?
>
> Firewall is off while testing.
>
> My bind server is a NAT router.

It sounds like the NAT is interfering with BIND's resolver. In general,
NAT (as well as stateful firewalls) do not work well with the DNS, because
UDP port randomization uses a lot of (mostly useless) connection-tracking
state. So it's best to put a full service resolver outside a NAT if
possible.

In your case, I guess there are several possible IP addresses that BIND
can use as the query source address. Try setting the query-source option
in named.conf to an IP address that's outside the NAT. You will need to
use tcpdump to verify that the right packets with the right addresses are
appearing on the wire.

Tony.
--
f.anthony.n.finch  https://dotat.at/
Portland, Plymouth: Northeast, veering east or southeast, 3 or 4.
Slight or moderate, occasionally rough at first in Plymouth. Fog
patches at first in south. Moderate or good, occasionally very poor at
first in south.
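
One way to carry out the tcpdump check suggested above, as an added example that is not part of the original message: it scans `tcpdump -n` text output for queries leaving from an address other than the configured query-source, and for ICMP port unreachable messages sent in answer to a reply. The capture lines, the addresses and the `audit` function are constructed assumptions, and the line format is the common `tcpdump -n` layout, which can differ between versions.

```python
import re

# Constructed `tcpdump -n` text output using documentation addresses.
# Assumed setup: 192.168.1.1 is the inside address, 203.0.113.5 the outside one.
SAMPLE = """\
12:00:01.100000 IP 192.168.1.1.40001 > 198.51.100.53.53: 4242+ A? example.com. (29)
12:00:01.300000 IP 198.51.100.53.53 > 203.0.113.5.40001: 4242 1/0/0 A 192.0.2.80 (45)
12:00:01.300100 IP 203.0.113.5 > 198.51.100.53: ICMP 203.0.113.5 udp port 40001 unreachable, length 81
12:00:02.100000 IP 203.0.113.5.40002 > 198.51.100.53.53: 4243+ A? example.net. (29)
12:00:02.250000 IP 198.51.100.53.53 > 203.0.113.5.40002: 4243 1/0/0 A 192.0.2.81 (45)
"""

IP4 = r"((?:\d+\.){3}\d+)"
UDP = re.compile(rf"(\S+) IP {IP4}\.(\d+) > {IP4}\.(\d+): ")
ICMP = re.compile(rf"(\S+) IP {IP4} > {IP4}: ICMP \S+ udp port (\d+) unreachable")


def audit(capture, expected_src):
    """Return (wrong_source, rejected).

    wrong_source: queries to port 53 sent from an address other than expected_src.
    rejected: ICMP port unreachable messages naming a port we queried from.
    """
    wrong_source, rejected, query_ports = [], [], {}
    for line in capture.splitlines():
        m = UDP.match(line)
        if m:
            ts, src, sport, _dst, dport = m.groups()
            if dport == "53":  # outbound query
                query_ports[sport] = src
                if src != expected_src:
                    wrong_source.append((ts, src, sport))
            continue
        m = ICMP.match(line)
        if m:
            ts, _sender, peer, port = m.groups()
            if port in query_ports:  # the reply to our own query was refused
                rejected.append((ts, peer, port, query_ports[port]))
    return wrong_source, rejected


if __name__ == "__main__":
    wrong, rejected = audit(SAMPLE, expected_src="203.0.113.5")
    for ts, src, sport in wrong:
        print(f"{ts} query sent from {src}:{sport}, not the query-source address")
    for ts, peer, port, src in rejected:
        print(f"{ts} reply from {peer} to port {port} refused (query left from {src})")
```

Feed it a capture that includes both UDP port 53 traffic and ICMP; an empty first list after setting query-source means queries are leaving from the intended address.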
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users