[dns-operations] DNS NAT Translation Timeouts

Ondřej Surý ondrej.sury at nic.cz
Wed Jul 30 23:37:51 UTC 2008


Somebody correct me if I am wrong.

If you have a cache-only -> forwarder situation, you can stay with one
source port for all queries and add TSIG between these two (and more)
servers.  That way you can redirect the load to servers where you can
scale better.  (But of course it depends on your setup...)

And to answer your questions:

> Questions:
>   What should be the appropriate NAT translation timeout?
>   What is the minimum timeout I can safely set?

Set it according to your setup and according to your needs.  We are
talking about internal-external caching server communication, so it's
more predictable, but you are still affected by queries from external
to authoritative servers (internal has to wait for external).

So I would say - leave it at 10 seconds and watch log files for a
while, both from routers and from servers.  If you see lots of
timeouts, raise the number; if you see few timeouts/retries, lower
the number.


2008/7/30 Jon Kibler <Jon.Kibler at aset.com>:
> All,
> I have a couple of sites where we have upgraded caching-only servers
> that forward all of their requests to external name servers. These
> servers sit behind a NAT firewall in a DMZ. The firewalls have also been
> patched for DNS and port randomization issues.
> Problem: The firewalls have a default NAT translation timeout of 60
> seconds. This results in HUGE translation tables, with thousands (if not
> tens of thousands) of stale entries. These huge tables are apparently
> starting to impact performance. (About 90% of all translation table
> entries are for DNS.) I should add that the NAT translations remain in
> the table even after the firewall has removed the ACL allowing return
> traffic.
> I have cut the DNS NAT time out down to 10 seconds with no apparent side
> effects thus far. This has substantially reduced the size of the NAT tables.
> Questions:
>   What should be the appropriate NAT translation timeout?
>   What is the minimum timeout I can safely set?
> TIA!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

 Ondřej Surý
 technický ředitel/Chief Technical Officer
 CZ.NIC, z.s.p.o. -- .cz domain registry
 Americká 23,120 00 Praha 2,Czech Republic
 mailto:ondrej.sury at nic.cz http://nic.cz/
 sip:ondrej.sury at nic.cz tel:+420.222745110
 mob:+420.739013699 fax:+420.222745112
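An added example of the setup Ondřej describes (a cache-only resolver that forwards everything through one fixed source port, with TSIG between it and the forwarder). This is written for this page, not taken from the thread, and it assumes BIND 9 on both boxes; the addresses 192.0.2.10 (internal cache, behind the NAT) and 198.51.100.5 (external forwarder), the port 5300, the key name `cache-fwd` and the secret are placeholders. With a fixed source port the firewall only has to keep one translation per forwarder instead of one per query, and on this hop it is TSIG rather than source-port entropy that lets the cache reject spoofed answers.

```conf
# --- internal cache-only server (192.0.2.10, behind the NAT) ---
# named.conf excerpt; addresses and key material are placeholders.

key "cache-fwd" {
    algorithm hmac-sha256;
    # Placeholder secret. Generate a real one with:
    #   tsig-keygen -a hmac-sha256 cache-fwd
    secret "6vg8zQ0R4pM0jYw0F5S2cH4Jt7Q8Xl3nKb1V9cG2aQ0=";
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 192.0.2.0/24; };

    # Send every outbound query from one address:port pair so the NAT
    # firewall needs a single translation per forwarder rather than one
    # per query. This disables named's source-port randomisation (named
    # warns about it at startup); the TSIG key in the server block below
    # is what authenticates the answers on this hop.
    query-source address 192.0.2.10 port 5300;

    forward only;
    forwarders { 198.51.100.5; };
};

# Sign every query sent to the forwarder; named verifies the TSIG on the
# matching reply and drops unsigned or mis-signed responses.
server 198.51.100.5 {
    keys { "cache-fwd"; };
};


# --- external forwarder (198.51.100.5) ---
# Same key on this side; recursion is only offered to TSIG-signed queries.

key "cache-fwd" {
    algorithm hmac-sha256;
    secret "6vg8zQ0R4pM0jYw0F5S2cH4Jt7Q8Xl3nKb1V9cG2aQ0=";
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { key "cache-fwd"; };
    allow-recursion { key "cache-fwd"; };
    # The forwarder's own queries to authoritative servers are NOT covered
    # by TSIG, so leave source-port randomisation on here (the default:
    # no "port" in query-source).
};
```

The fixed port and the key only protect the cache-to-forwarder leg; the forwarder still has to talk to the Internet with randomised ports, and the NAT timeout the thread is about still has to cover the forwarder's wait on those upstream queries. After changing the port, confirm with `netstat -anu` (or the firewall's translation table) that all outbound DNS from the cache now shares the one source port, and check `named`'s log for TSIG verification errors, which would mean the keys or clocks on the two boxes disagree.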
