DNS requests error sending response: host unreachable

Chuck Swiger cswiger at mac.com
Mon Mar 12 17:00:37 UTC 2012


On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> Dear community,
> 
> I do have many errors in my Bind's log file, such as:
> 
> client 192.168.201.1#29404: error sending response: host unreachable
> 
> It seems that I have an iptables issue, as each time I shut down iptables I don't have this message showing up anymore.

You're probably exhausting the firewall state table with DNS traffic under load, causing the traffic to be blocked with an ICMP "host unreachable" response.

> I saw that my firewall is dropping packets from the DNS server itself towards the client, as the source port is SPT=53/UDP.
> 
> I am using bind 9.6, it should use random port >1024 for the source port. (I didn't specify query-source parameter).
> 
> Nevertheless, DNS resolution seems to be working fine.

Adjust your firewall to permit UDP and TCP traffic needed for DNS without keeping state, or only keep state on external traffic, but not between your nameserver(s) and your local clients...

Regards,
-- 
-Chuck
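An added example, not code from Chuck or Romgo: a POSIX sh script that emits iptables rules implementing the "keep state on external traffic but not between the nameserver and its local clients" approach, plus two offline checks for the symptom (conntrack table fill level and a per-client count of the "host unreachable" log lines). NS_IP and CLIENT_NET are assumed placeholder values, and the sample log lines are constructed for the example (the thread only quotes one such line); the nameserver is assumed to be the host running iptables, as in Romgo's description.

```sh
#!/bin/sh
# Added example, not code from the thread: firewall rules and checks for the
# "error sending response: host unreachable" symptom under discussion.
# NS_IP and CLIENT_NET below are assumed placeholder values.

# Emit an iptables-restore fragment that exempts DNS between the local
# nameserver and its clients from connection tracking (raw table NOTRACK),
# then accepts those untracked packets explicitly, because UNTRACKED packets
# never match the usual ESTABLISHED,RELATED rule.  Traffic between the
# nameserver and external servers is left alone and stays stateful.
dns_notrack_rules() {
    ns_ip=$1
    client_net=$2
    cat <<EOF
*raw
-A PREROUTING -s $client_net -d $ns_ip -p udp --dport 53 -j NOTRACK
-A PREROUTING -s $client_net -d $ns_ip -p tcp --dport 53 -j NOTRACK
-A OUTPUT -s $ns_ip -d $client_net -p udp --sport 53 -j NOTRACK
-A OUTPUT -s $ns_ip -d $client_net -p tcp --sport 53 -j NOTRACK
COMMIT
*filter
-A INPUT -s $client_net -d $ns_ip -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -s $client_net -d $ns_ip -p tcp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A OUTPUT -s $ns_ip -d $client_net -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A OUTPUT -s $ns_ip -d $client_net -p tcp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
COMMIT
EOF
}

# Percentage of the conntrack table in use.  On a live host read the two
# numbers from /proc/sys/net/netfilter/nf_conntrack_count and
# /proc/sys/net/netfilter/nf_conntrack_max; they are parameters here so the
# function can be exercised offline.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Count "error sending response: host unreachable" lines per client IP on
# stdin.  BIND logs the client as "client IP#PORT:", so the address is the
# part before the "#" of the field following the word "client".
unreachable_by_client() {
    awk '/error sending response: host unreachable/ {
            for (i = 1; i <= NF; i++) if ($i == "client") {
                split($(i+1), a, "#"); n[a[1]]++; break
            }
         }
         END { for (c in n) print c, n[c] }' | sort
}

# Constructed sample log lines for the example (only the first one resembles
# the line quoted in the original post).
SAMPLE_LOG='12-Mar-2012 08:01:02.123 client 192.168.201.1#29404: error sending response: host unreachable
12-Mar-2012 08:01:02.130 client 192.168.201.1#29405: error sending response: host unreachable
12-Mar-2012 08:01:03.001 client 192.168.201.7#40001: error sending response: host unreachable
12-Mar-2012 08:01:03.500 client 192.168.201.7#40002: query: example.com IN A +'

NS_IP=192.168.201.53        # assumed address of the nameserver
CLIENT_NET=192.168.201.0/24 # assumed client network

dns_notrack_rules "$NS_IP" "$CLIENT_NET"
printf '%s\n' "$SAMPLE_LOG" | unreachable_by_client
conntrack_pct 61000 65536
```

Load the emitted fragment with `iptables-restore -n` (noflush) so it is appended to the existing tables rather than replacing them, and put the UNTRACKED accepts before any rule that drops packets in state INVALID, since untracked DNS replies from source port 53 will otherwise still be refused. If the percentage reported for the live conntrack counters sits near 100, the table is full and the NOTRACK exemption (or a larger nf_conntrack_max) is the fix.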