DNS lookup in FC2 still slow.

Nigel Wade nmw at ion.le.ac.uk
Fri Aug 6 08:29:51 UTC 2004


David Cary Hart wrote:
> On Thu, 2004-08-05 at 11:40, Ben Vitale wrote:
>
>>David Cary Hart wrote:
>>
>>>By some chance are you using conntrack?
>>
>>I don't believe I am using conntrack - not even sure what that is.
>>
>
> conntrack is the IPTables connection tracking module. It is usually
> unnecessary and (supposedly) slows down DNS considerably if used.
>

conntrack is absolutely necessary if you want to use ESTABLISHED or RELATED
rules. Without these you would need to open all high-numbered ports in the
firewall.

It will only slow down DNS queries if your firewall is poorly configured.
The standard timeout for UDP responses in ip_conntrack is 30s. If your DNS
server takes longer than that to respond, the packets will be blocked unless
you have specific rules to allow DNS replies from your DNS servers.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
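Added example, not part of the original thread: a small POSIX shell helper that builds the setup Nigel describes, a stateful ESTABLISHED/RELATED rule alongside explicit rules accepting DNS replies from the configured resolvers, and reports the kernel's conntrack UDP timeout. The interface name eth0, the resolver addresses (documentation range 192.0.2.0/24) and the IPT=echo dry-run default are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). IPT defaults to "echo" so
# the rules are only printed; set IPT=iptables to apply them (needs root).
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface name

# Report the conntrack UDP timeout (seconds). Checks the current sysctl path
# first, then the 2.6-era ip_conntrack path; prints "unknown" if neither
# is readable (e.g. conntrack module not loaded).
conntrack_udp_timeout() {
    for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unknown
}

# Emit INPUT rules for the given resolver addresses (one per argument).
dns_firewall_rules() {
    # Stateful rule: replies to traffic we initiated are matched by
    # conntrack. This is what makes ESTABLISHED/RELATED work at all.
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicit allow for replies from each configured resolver, so a reply
    # that arrives after the conntrack UDP entry expired is still accepted
    # instead of being dropped as unsolicited. Covers UDP and TCP port 53.
    for ns in "$@"; do
        $IPT -A INPUT -i "$WAN_IF" -p udp -s "$ns" --sport 53 -j ACCEPT
        $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ns" --sport 53 -j ACCEPT
    done
    # Everything else unsolicited on the WAN side is dropped.
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}
```

Run `conntrack_udp_timeout` to see whether the 30s default applies on your kernel, then `dns_firewall_rules 192.0.2.53 192.0.2.54` (constructed addresses) to print the rules before applying them with IPT=iptables.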