[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

Florian Weimer fw at deneb.enyo.de
Fri Oct 1 08:23:03 UTC 2010


* Florian Weimer:

> * James Cloos:
>
>> One thing which helps is to set unbound's timeout to something
>> reasonable for an edge lan.  (The default of .2 s is too short.)
>>
>> Start with at least 5s:
>>
>> 	jostle-timeout: 5000
>>
>> That will keep unbound from flooding most of the time.
>
> This seems to make matters worse because Unbound generates more UDP
> flows as a result.  (If Unbound aborts the query, the corresponding
> state does not magically disappear from the NAT device.)

Eh, sorry, I think I understand now.  I've bumped the timeout way up
(in order to prevent this process from kicking in), but that doesn't
seem to help.  I've also set num-queries-per-thread to 10 (I'm running
just one thread).  Of course, this opens another DoS vector. 8-/

(It seems that num-queries-per-thread only applies to client queries,
and not to Unbound's internal queries.)
