Re: Primary DNS server with BIND on a public machine running CentOS 7




One additional DNS server note: you should disable firewalld for any DNS
server, caching or authoritative.  If you need firewalling, use straight
iptables.

The reason is that firewalld always enables connection state tracking
(at least as far as I can tell), and that should never be used in front
of a DNS server.  A public authoritative server or any caching server
can get a high rate of requests, and having the kernel firewalling
trying to track connection states is a bottleneck (one that will be
reached before DNS software's limits).

If you must firewall a DNS server, use straight iptables and do not use
connection state tracking.

-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
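The rule set below is an added example, not part of Chris Adams' message or any CentOS project documentation. It shows what "straight iptables without connection state tracking" looks like for the serving side of a DNS server: port-53 packets are marked NOTRACK in the raw table so they never enter the conntrack table, and the filter chains then accept them by port and the UNTRACKED state rather than by ESTABLISHED/RELATED. Assumptions: a CentOS 7 box with the iptables-services package, the stock kernel's CT target and conntrack match, and a public interface named in DNS_IFACE (defaulting to eth0 here). The script only prints the rules unless invoked with `apply` as root, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): keep DNS traffic out of the
# kernel connection tracker, as the post recommends, using plain iptables.
# Before enabling this on CentOS 7, switch from firewalld to iptables-services:
#   systemctl stop firewalld && systemctl disable firewalld
#   yum install iptables-services && systemctl enable iptables
# DNS_IFACE is an assumed name for the interface that faces clients.
DNS_IFACE="${DNS_IFACE:-eth0}"

# Emit the rules as one iptables command per line. Nothing is executed
# here; the output is meant to be read (or fed to a shell) deliberately.
dns_notrack_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -i $DNS_IFACE -p udp --dport 53 -j CT --notrack
iptables -t raw -A PREROUTING -i $DNS_IFACE -p tcp --dport 53 -j CT --notrack
iptables -t raw -A OUTPUT -o $DNS_IFACE -p udp --sport 53 -j CT --notrack
iptables -t raw -A OUTPUT -o $DNS_IFACE -p tcp --sport 53 -j CT --notrack
iptables -A INPUT -i $DNS_IFACE -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
iptables -A INPUT -i $DNS_IFACE -p tcp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
iptables -A OUTPUT -o $DNS_IFACE -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
iptables -A OUTPUT -o $DNS_IFACE -p tcp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
EOF
}

# Number of rules the generator produces (handy for a quick sanity check
# after a host-specific edit of the list above).
dns_rule_count() {
    dns_notrack_rules | awk 'END { print NR }'
}

# Apply the rules for real. Requires root and a working iptables binary.
dns_notrack_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    dns_notrack_rules | while IFS= read -r rule; do
        $rule || return 1
    done
    # Persist for iptables-services so the rules survive a reboot.
    iptables-save > /etc/sysconfig/iptables
}

case "${1:-show}" in
    apply) dns_notrack_apply ;;
    *)     dns_notrack_rules ;;
esac
```

Two things to keep in mind when adapting this. The raw-table rules must come before any rule that would otherwise match the packets, and the explicit OUTPUT accepts are needed precisely because untracked replies no longer match an ESTABLISHED rule; a default-DROP OUTPUT policy with only stateful accepts will silently eat the server's answers. Without state, acceptance is by port alone, so a caching resolver's upstream queries (random source port, destination port 53) need their own matching pair of NOTRACK and UNTRACKED rules, and that pair necessarily admits any inbound UDP with source port 53. To confirm the exemption took effect under load, `grep -c 'dport=53' /proc/net/nf_conntrack` should stay at zero while `iptables -t raw -L -v` shows the NOTRACK counters climbing.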


