On Thu, 13 Mar 2003, Collins, Kevin wrote:

> Hey All,
>
> I've got a Red Hat 8.0 box with four network cards in it. (See Diagram
> below) I've got BIND DNS 9.1 (updated via Red Hat's Red Hat Network)
> running on the same machine. I want this machine to act as my primary
> internal DNS server for my Internal and WAN subnets.
>
> When I have the machine running as a router (i.e. ip forwarding enabled, no
> firewall rules in place) everything works fine. When I start my firewall,
> DNS slows down to a crawl. It works, but it works so slow that it feels
> like it's not.

Sounds as if there's a DNS failover taking place. Being a fascist mother
(user told me that) I would be tempted to take every DNS request from the
internal networks and redirect it to my internal DNS. However, that does
break the odd case where someone is using some bizarre remote DNS by
choice.

I would just start logging ALL DNS packets so you can take a look at them,
perhaps the solution will jump out at you. Hint: I bet you can put one LOG
rule in the FORWARD chains and catch all the packets of interest.

> I've attached my firewall script below. It's a work in progress so comments
> are welcome.

If you have enough volume to care about efficiency I could, otherwise the
only thing I would do is explicit drop of user defined chains, since you
are being so paranoid anyway. Yes, you don't use them, but you have lots
of other overkill in there.

--
bill davidsen <davidsen@xxxxxxx>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
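An added example of the logging approach the reply hints at (this is editor-supplied code, not Kevin's firewall script or anything Bill posted): one LOG rule per protocol at the top of FORWARD so every forwarded DNS packet is recorded, plus a small summariser that reduces the kernel log to (client, resolver) pairs so a failover to a second or remote resolver shows up as a count. The interface names, the "DNSFWD:" prefix and the sample log lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Logs forwarded DNS and summarises it.

# Rules as the reply suggests: a LOG rule in FORWARD, inserted at position 1
# so it fires before any later ACCEPT/DROP. -m limit keeps the log readable.
# Needs root; run on the gateway. (Assumed prefix "DNSFWD: ".)
install_dns_log_rules() {
    for proto in udp tcp; do
        iptables -I FORWARD 1 -p "$proto" --dport 53 \
            -m limit --limit 20/s --limit-burst 50 \
            -j LOG --log-prefix "DNSFWD: " --log-level info
    done
}

# Reduce DNSFWD log lines on stdin to "count src dst", most frequent first.
# A client that should only hit the internal resolver but shows a second
# destination is the failover the reply talks about.
summarise_dns_log() {
    grep 'DNSFWD: ' \
        | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\) .*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample of what the kernel writes for these rules (not real
# traffic): two queries to the internal resolver, one to an outside one,
# and an unrelated line the filter must ignore.
SAMPLE_LOG='Mar 13 10:01:02 gw kernel: DNSFWD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar 13 10:01:03 gw kernel: DNSFWD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar 13 10:01:04 gw kernel: DNSFWD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar 13 10:01:05 gw kernel: unrelated line SRC=10.0.0.1 DST=10.0.0.2'

# Run the summariser over the constructed sample (offline, no iptables needed).
demo() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_dns_log
}
```

On a live box, `install_dns_log_rules` then `grep DNSFWD /var/log/messages | summarise_dns_log` gives the same table for real traffic.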