[dns-operations] DNS NAT Translation Timeouts
Jon.Kibler at aset.com
Wed Jul 30 18:04:36 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
I have a couple of sites where we have upgraded caching-only servers
that forward all of their requests to external name servers. These
servers sit behind a NAT firewall in a DMZ. The firewalls have also been
patched for DNS and port randomization issues.
Problem: The firewalls have a default NAT translation timeout of 60
seconds. This results in HUGE translation tables, with thousands (if not
tens of thousands) of stale entries. These huge tables are apparently
starting to impact performance. (About 90% of all translation table
entries are for DNS.) I should add that the NAT translations remain in
the table even after the firewall has removed the ACL allowing return
I have cut the DNS NAT timeout down to 10 seconds with no apparent side
effects thus far. This has substantially reduced the size of the NAT tables.
What should be the appropriate NAT translation timeout?
What is the minimum timeout I can safely set?
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
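The two questions at the end of the post (what timeout is appropriate, and what the minimum safe value is) are really a measurement question: a mapping only needs to live as long as the slowest response you are still willing to accept, and the table size follows from query rate times lifetime. The script below is an added example, not code from Jon or from the list; it assumes a hypothetical three-column log of query id, send time and receive time (constructed sample data inline) and reports, for each candidate timeout, what fraction of real responses would have arrived after the NAT mapping expired and how many mappings the table would hold at steady state.

```python
"""Estimate a safe NAT translation timeout for outbound DNS.

Added example (not from the original post). Input format is a hypothetical
resolver/capture log: "<query-id> <sent-seconds> <answered-seconds|->".
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Exchange:
    sent: float                 # time the query left the resolver (seconds)
    answered: Optional[float]   # time the response arrived, None if never


# Constructed sample data: a mix of fast answers, a few slow authoritative
# servers, and one query that never got a reply.
SAMPLE_LOG = """\
1a2b 0.000 0.021
1a2c 0.010 0.340
1a2d 0.020 -
1a2e 0.030 2.900
1a2f 0.040 0.055
1a30 0.050 11.200
1a31 0.060 0.080
1a32 0.070 4.500
"""


def parse_log(text: str) -> List[Exchange]:
    """Parse the hypothetical log format into Exchange records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _qid, sent, answered = line.split()
        out.append(Exchange(float(sent), None if answered == "-" else float(answered)))
    return out


def late_fraction(exchanges: Iterable[Exchange], timeout: float) -> float:
    """Fraction of answered queries whose reply came back after `timeout`
    seconds. With a NAT timeout that short, the firewall would already have
    dropped the mapping and the reply would never reach the resolver."""
    answered = [e for e in exchanges if e.answered is not None]
    if not answered:
        return 0.0
    late = sum(1 for e in answered if e.answered - e.sent > timeout)
    return late / len(answered)


def expected_table_entries(queries_per_second: float, timeout: float) -> float:
    """Steady-state number of live DNS mappings (Little's law):
    arrival rate times mapping lifetime."""
    return queries_per_second * timeout


def smallest_safe_timeout(exchanges: List[Exchange], candidates: Iterable[float],
                          max_late: float = 0.001) -> Optional[float]:
    """Smallest candidate timeout that loses no more than `max_late` of the
    observed replies; None if no candidate is good enough."""
    for t in sorted(candidates):
        if late_fraction(exchanges, t) <= max_late:
            return t
    return None


if __name__ == "__main__":
    exchanges = parse_log(SAMPLE_LOG)
    rate = 500.0  # queries per second, constructed value for illustration
    for t in (5, 10, 30, 60):
        print(f"timeout {t:>3}s: late replies {late_fraction(exchanges, t):.1%}, "
              f"~{expected_table_entries(rate, t):.0f} live mappings")
    print("smallest safe timeout:", smallest_safe_timeout(exchanges, (5, 10, 30, 60)))
```

One caveat when collecting the real input: replies that arrive after the mapping has expired are dropped by the firewall and show up in the resolver's own logs as "never answered", so a latency sample taken after the timeout was lowered will undercount slow responses. Capture on the outside interface of the firewall, or take the sample while the timeout is still at its old value, and keep the chosen timeout above the resolver's retry interval so a retry is not the only way a slow-but-legitimate reply ever gets in.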