your mail

Tony Finch dot at dotat.at
Wed Jan 12 12:15:41 UTC 2022


Diego Garcia <diegargon at gmail.com> wrote:
>
> Every 20/30 minutes, and lasting about 5 minutes, I got 'timeout' in bind
> queries. After that time everything works fine again.
>
> My bind server gets a response (after 0.1 to 2 seconds) but replies with an ICMP
> 'port unreachable'.
>
> Any idea what the problem is, or what I can check?
>
> Firewall is off while testing.
>
> My bind server is a NAT router.

It sounds like the NAT is interfering with BIND's resolver. In general,
NAT (as well as stateful firewalls) does not work well with the DNS, because
UDP port randomization uses a lot of (mostly useless) connection-tracking
state. So it's best to put a full service resolver outside a NAT if
possible.

In your case, I guess there are several possible IP addresses that BIND
can use as the query source address. Try setting the query-source option
in named.conf to an IP address that's outside the NAT. You will need to
use tcpdump to verify that the right packets with the right addresses are
appearing on the wire.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Portland, Plymouth: Northeast, veering east or southeast, 3 or 4.
Slight or moderate, occasionally rough at first in Plymouth. Fog
patches at first in south. Moderate or good, occasionally very poor at
first in south.
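A named.conf fragment applying the query-source suggestion from Tony's reply, added here as an example rather than taken from the thread; the address 203.0.113.5 and the interface eth0 are placeholders for the router's real outside address and interface.

```conf
// Added example (not from the thread): pin BIND's resolver query source
// to the NAT router's outside address so replies return to the socket
// BIND is actually listening on. 203.0.113.5 is a placeholder.
options {
    // Without query-source, BIND lets the kernel pick the source address
    // per route. On a NAT router that can be an inside address which the
    // NAT then rewrites; once the conntrack mapping for that query changes
    // or expires, the reply lands on a port with no listener and the host
    // answers with ICMP port unreachable, which the client sees as a timeout.
    query-source address 203.0.113.5;

    // Deliberately no "port" clause: fixing the port would disable UDP
    // source-port randomization, and the problem here is the NAT, not the
    // port range. Add a matching query-source-v6 only if the router has a
    // global IPv6 address outside the NAT.
};
```

After `named-checkconf && rndc reconfig`, confirm on the wire with `tcpdump -ni eth0 'udp port 53 or (icmp[0] == 3 and icmp[1] == 3)'` that outbound queries leave from 203.0.113.5 and that no port-unreachable messages follow the responses.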