[Pdns-users] Recursor too fast?
Robby Pedrica
rpedrica at gmail.com
Mon May 12 14:26:57 UTC 2025
Question Djerk: why are you running your firewalls in active/active?
This is an unusual configuration that has many challenges, including the
one you've just mentioned.
Regards
Robby
On 2025/05/12 15:04, Djerk Geurts via Pdns-users wrote:
> An odd statement possibly, but I’m looking for a way to solve a
> problem (even if it’s a temporary solution).
>
> The DC firewalls have changed and the recursors are located in a DMZ
> behind two HA firewalls in active/active mode. So far so good. The
> firewalls sync their state tables, so asymmetric return traffic works
> fine. Except when the recursor replies so quickly that the sync hasn’t
> updated the state table yet for the return packets. As a result we’re
> seeing a few drops among a lot of perfectly fine traffic.
>
> I have a few things I can do:
>
> 1) permit all outbound traffic with source udp/53 from the recursors.
> Not ideal, but low risk.
> 2) raise a support ticket with the firewall vendor. Will do this, but
> not holding my breath for a solution (if any)
> 3) delay DNS replies a millisecond or so. Not ideal as this introduces
> delay.
>
> Thoughts?
>
> --
> Best regards,
> *Djerk Geurts*