[dns-operations] DNS NAT Translation Timeouts

Jon Kibler Jon.Kibler at aset.com
Wed Jul 30 18:04:36 UTC 2008



All,

I have a couple of sites where we have upgraded caching-only servers
that forward all of their requests to external name servers. These
servers sit behind a NAT firewall in a DMZ. The firewalls have also been
patched for DNS and port randomization issues.

Problem: The firewalls have a default NAT translation timeout of 60
seconds. This results in HUGE translation tables, with thousands (if not
tens of thousands) of stale entries. These huge tables are apparently
starting to impact performance. (About 90% of all translation table
entries are for DNS.) I should add that the NAT translations remain in
the table even after the firewall has removed the ACL allowing return
traffic.

I have cut the DNS NAT timeout down to 10 seconds with no apparent side
effects thus far. This has substantially reduced the size of the NAT tables.

Questions:
   What should be the appropriate NAT translation timeout?
   What is the minimum timeout I can safely set?

TIA!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
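The two questions above (how large the table gets, and how low the timeout can safely go) can be answered from measurements rather than guessed. Below is an added example, not part of the original post or any firewall vendor's tooling: it pairs outbound DNS queries with their replies by source port and transaction ID over a constructed sample, reports the reply-latency distribution, counts the replies a given idle timeout would have dropped, and estimates steady-state table occupancy with Little's law (entries ~ query rate x timeout, since the post notes entries live until they time out). The record format and sample values are assumptions.

```python
from math import ceil

# Constructed sample of DNS traffic as seen at the NAT: (seconds, direction, src port, txid).
# One query (port 40008) never gets a reply; one reply (port 40010) matches no query.
SAMPLE = [
    (0.00, "out", 40001, 0x1A2B), (0.03, "in", 40001, 0x1A2B),
    (0.10, "out", 40002, 0x2C3D), (0.22, "in", 40002, 0x2C3D),
    (0.50, "out", 40003, 0x3E4F), (0.95, "in", 40003, 0x3E4F),
    (1.00, "out", 40004, 0x5A6B), (2.80, "in", 40004, 0x5A6B),
    (1.20, "out", 40005, 0x7C8D), (4.40, "in", 40005, 0x7C8D),
    (2.00, "out", 40006, 0x9E0F), (8.50, "in", 40006, 0x9E0F),
    (2.50, "out", 40007, 0x1122), (13.50, "in", 40007, 0x1122),
    (3.00, "out", 40008, 0x3344),
    (3.10, "out", 40009, 0x5566), (3.19, "in", 40009, 0x5566),
    (4.00, "in", 40010, 0x7788),
]

def match_queries(records):
    """Pair each query with its reply on (src port, txid).
    Returns (latencies in seconds, unanswered queries, unsolicited replies)."""
    pending, latencies, unsolicited = {}, [], 0
    for t, direction, port, txid in sorted(records):
        key = (port, txid)
        if direction == "out":
            pending[key] = t
        elif key in pending:
            latencies.append(round(t - pending.pop(key), 3))
        else:
            unsolicited += 1  # reply with no matching query: spoofed, late, or retransmit
    return latencies, len(pending), unsolicited

def percentile(values, p):
    """Nearest-rank percentile; the timeout must exceed the high tail, not the median."""
    ordered = sorted(values)
    return ordered[max(0, ceil(p / 100 * len(ordered)) - 1)]

def dropped_under_timeout(latencies, timeout_s):
    """Replies slower than the idle timeout find no translation and are discarded."""
    return sum(1 for lat in latencies if lat > timeout_s)

def steady_state_entries(query_rate_per_s, timeout_s):
    """Little's law: each translation lives a full timeout, so occupancy ~ rate x timeout."""
    return query_rate_per_s * timeout_s

if __name__ == "__main__":
    lats, unanswered, bogus = match_queries(SAMPLE)
    print("p50 %.2fs  p99 %.2fs  unanswered %d  unsolicited %d"
          % (percentile(lats, 50), percentile(lats, 99), unanswered, bogus))
    for t in (60, 10, 5):
        print("timeout %2ds: %d replies dropped, ~%d entries at 500 q/s"
              % (t, dropped_under_timeout(lats, t), steady_state_entries(500, t)))
```

Run it against real query/reply timestamps (from a capture or resolver log) and pick the timeout that sits above the p99.9 reply latency with margin; the occupancy estimate then tells you what the table will cost at that setting.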





