[Pdns-users] recursor can't refresh the . records
Augie Schwer
augie.schwer at gmail.com
Fri Aug 10 16:46:37 UTC 2007
On 8/9/07, bert hubert <bert.hubert at netherlabs.nl> wrote:
> On Thu, Aug 09, 2007 at 10:42:30PM +0200, thomas polnik wrote:
> > > You may want to try without the firewall.
> > without iptables is perhaps a bad idea :), but I will change it to
> > iptables -I INPUT 1 -p udp --dport 53 -j ACCEPT
> > iptables -I INPUT 2 -p tcp --dport 53 -j ACCEPT
> This is wrong - you need to accept packets *coming* from port 53 for
> answers as well.
> Otherwise PowerDNS can't receive answers to the questions it is sending out!
> The trick is to rely on stateful iptables filtering.
The problem could very well be the statefulness of iptables as Kenneth
eludes to. Check /proc/net/ip_conntrack as you are most likely
exhausting the limits placed on the number of entries in the conntrack
table. You'll find some good info from the following google link:
http://www.google.com/search?q=%2Fproc%2Fnet%2Fip_conntrack+%22too+many%22
Basically you want to turn stateful packet filtering off for all those
DNS requests; something like this would work:
# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
NOTRACK    tcp  --  anywhere    anywhere     tcp dpt:domain
NOTRACK    udp  --  anywhere    anywhere     udp dpt:domain
NOTRACK    tcp  --  anywhere    anywhere     tcp spt:domain dpts:1024:65535
NOTRACK    udp  --  anywhere    anywhere     udp spt:domain dpts:1024:65535
Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
NOTRACK    tcp  --  anywhere    anywhere     tcp spt:domain
NOTRACK    udp  --  anywhere    anywhere     udp spt:domain
NOTRACK    tcp  --  anywhere    anywhere     tcp dpt:domain
NOTRACK    udp  --  anywhere    anywhere     udp dpt:domain
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source      destination
...
ACCEPT     udp  --  anywhere    anywhere     udp dpt:domain
ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:domain
ACCEPT     tcp  --  anywhere    anywhere     tcp spt:domain dpts:1024:65535
ACCEPT     udp  --  anywhere    anywhere     udp spt:domain dpts:1024:65535
Note that you won't know which port your recursive answers will come
back to, thus the '1024:65535' rules; this is because you are not
tracking the connection anymore.
--
Augie Schwer - Augie at Schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
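The rule set shown in the post above, as an added example that is not part of the original message: a script that emits (or, with APPLY=1 as root, applies) the iptables commands producing that NOTRACK/ACCEPT listing, plus a helper that reports how full the conntrack table is. Unlike the listing, the rules are narrowed to the recursor's own address (RESOLVER_IP, a constructed value), because an untracked "accept source port 53 to any high port" rule otherwise admits such packets to every host and service behind the filter; on current iptables the NOTRACK target is spelled "-j CT --notrack".

```shell
#!/bin/sh
# Added example, not from the original post. Dry run by default (prints the
# commands); APPLY=1 executes them, which needs root.
APPLY="${APPLY:-0}"
RESOLVER_IP="${RESOLVER_IP:-192.0.2.53}"   # constructed address of the recursor

run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Skip conntrack for DNS in both directions (raw table), then accept the same
# traffic explicitly in the filter table: with INPUT policy DROP, untracked
# answers would otherwise be dropped because no ESTABLISHED entry matches them.
dns_notrack_rules() {
  for proto in udp tcp; do
    # inbound queries to the recursor, and inbound answers from upstream port 53
    run iptables -t raw -A PREROUTING -p "$proto" -d "$RESOLVER_IP" --dport 53 -j NOTRACK
    run iptables -t raw -A PREROUTING -p "$proto" -d "$RESOLVER_IP" --sport 53 --dport 1024:65535 -j NOTRACK
    # outbound answers to clients, and outbound queries to upstream servers
    run iptables -t raw -A OUTPUT -p "$proto" -s "$RESOLVER_IP" --sport 53 -j NOTRACK
    run iptables -t raw -A OUTPUT -p "$proto" -s "$RESOLVER_IP" --dport 53 -j NOTRACK
    # matching filter rules; narrow 1024:65535 further if the recursor pins its query ports
    run iptables -A INPUT -p "$proto" -d "$RESOLVER_IP" --dport 53 -j ACCEPT
    run iptables -A INPUT -p "$proto" -d "$RESOLVER_IP" --sport 53 --dport 1024:65535 -j ACCEPT
  done
}

# Percent of the conntrack table in use. Newer kernels expose the counters under
# /proc/sys/net/netfilter/nf_conntrack_{count,max} (older ones under
# /proc/sys/net/ipv4/netfilter/ip_conntrack_*); arguments override the files so
# the check can be exercised on a host without conntrack loaded.
conntrack_usage_pct() {
  count="${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)}"
  max="${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 1)}"
  [ "$max" -gt 0 ] || max=1
  echo $(( count * 100 / max ))
}

dns_notrack_rules
echo "conntrack table usage: $(conntrack_usage_pct)%"
```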