Re: HW and SW threats: how to block?

On 04/10/2018 02:03 PM, Bruno Wolff III wrote:
> On Tue, Apr 10, 2018 at 13:40:44 -0700,
>  Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
>> True, but old DNS uses UDP and thus the responses aren't "related" to a
>> given query (a stateful firewall couldn't necessarily determine that an
>> incoming DNS UDP reply was solicited or not).
> 
> I think related is fudged for UDP by noting destination and source IPs
> and port numbers and allowing inbound UDP packets that match those IP
> and port numbers through for some period of time (my memory is 5
> minutes). This will work for most DNS.

I seem to recall the same thing, that iptables opens incoming UDP port
53 for some period of time if it saw an outgoing UDP port 53 request.
And I, like you, can't recall what that period was--although I think
it was 60 seconds. That's still more than the basic Linux resolver
library's limit.

You can have an "options" section in the /etc/resolv.conf file:

	options timeout:<somevalue>

If such a line is not present, the default timeout is 5 seconds and the
limit is capped at 30 seconds (according to the man page).

I think I've seen a resolution hang much longer than that--specifically
starting sendmail with a broken resolver. It might have been either
sendmail itself or the old SysV script retrying the startup that caused
the hang.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  Time: Nature's way of keeping everything from happening at once.  -
----------------------------------------------------------------------
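The two timers the thread is comparing (the conntrack window that lets an unsolicited-looking UDP reply back in, and the glibc resolver's own timeout from resolv.conf) can both be checked on the box instead of recalled from memory. The script below is an added example, not code from anyone in the thread; it assumes a Linux host with the standard nf_conntrack sysctls under /proc/sys/net/netfilter and applies the resolv.conf(5) rule quoted above (default 5 seconds, capped at 30) to whatever file it is pointed at.

```shell
#!/bin/sh
# Added example: reconcile the kernel's conntrack UDP timeout with the
# resolver timeout configured in /etc/resolv.conf.

# Print the conntrack UDP timeouts (seconds) if the module is loaded.
# Assumes the standard nf_conntrack sysctl names; prints a note otherwise.
conntrack_udp_timeouts() {
    for f in nf_conntrack_udp_timeout nf_conntrack_udp_timeout_stream; do
        p="/proc/sys/net/netfilter/$f"
        if [ -r "$p" ]; then
            printf '%s=%s\n' "$f" "$(cat "$p")"
        else
            printf '%s=unavailable (nf_conntrack not loaded?)\n' "$f"
        fi
    done
}

# Effective glibc resolver timeout for a resolv.conf-style file.
# Per resolv.conf(5): "options timeout:N", default 5, values above 30 capped to 30.
effective_resolv_timeout() {
    file="$1"
    t=5
    # Last matching options line wins; pull the number after "timeout:".
    v=$(sed -n 's/^[[:space:]]*options.*timeout:\([0-9][0-9]*\).*/\1/p' "$file" 2>/dev/null | tail -n 1)
    if [ -n "$v" ]; then
        t=$v
        if [ "$t" -gt 30 ]; then
            t=30
        fi
    fi
    echo "$t"
}

# Usage: show both timers side by side for the running system.
conntrack_udp_timeouts
echo "resolver timeout (s): $(effective_resolv_timeout /etc/resolv.conf)"
```

If the conntrack UDP timeout printed first is larger than the resolver timeout, the firewall window is not what cuts a query short; if it is smaller, a slow authoritative server can get its reply dropped even though the resolver would still have waited for it.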