Netscreen: Lots of extraneous "denied" packets in log

From: Jerry Gardner <jg2-usenet@gardnerclan.net>
Date: Sat Feb 25 2006 - 09:59:09 CET

I'm seeing a considerable number of Denied packets in my log, all coming
from outside my network with source port 53. They're all coming from
root and top-level name servers (such as g.gtld-servers.net).

I've seen this on other firewalls I've used in the past and it's almost
always been caused by my local name server sending a UDP packet out to a
remote name server to resolve an address and not getting a response
before the NAT translation timeout expires, or getting multiple replies.

Is there a way to set the NAT translation timeout for UDP on a 5GT? I'm
running firmware 5.3. I've already tried "set flow allow-dns-reply", but
this didn't help.

Thanks.
Received on Mon May 1 00:52:47 2006
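The diagnosis in the post (a reply from a remote name server on UDP source port 53 arriving after the NAT/session entry has expired, or a second reply arriving after the first one already closed the session) can be checked against the log rather than guessed. The Python below is an added example, not code from the original post and not a Netscreen tool; it correlates inbound "deny" entries from source port 53 with the outbound query that opened the session. The log format, the addresses (documentation ranges) and the 60-second session timeout are all constructed assumptions and do not match ScreenOS's real syslog layout.

```python
"""Correlate denied inbound UDP/53 packets with the outbound DNS query that opened the session.

Categories produced:
  late        - a query was seen, no reply was seen, and the deny arrived after the session timeout
  duplicate   - a reply was already permitted for this query, so the session was gone by the second reply
  unsolicited - no matching outbound query at all (worth a closer look)
  unexplained - a query exists, no reply seen, and the deny is still inside the timeout window
"""
from collections import Counter
from datetime import datetime

# Constructed sample log (hypothetical format, NOT ScreenOS syslog):
#   <ISO timestamp> <permit|deny> udp <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# 192.0.2.10 plays the local resolver, 203.0.113.53 a remote name server.
SAMPLE_LOG = """\
2006-02-25T09:40:00 permit udp 192.0.2.10:4021 -> 203.0.113.53:53
2006-02-25T09:40:01 permit udp 203.0.113.53:53 -> 192.0.2.10:4021
2006-02-25T09:40:03 deny udp 203.0.113.53:53 -> 192.0.2.10:4021
2006-02-25T09:41:00 permit udp 192.0.2.10:4022 -> 203.0.113.53:53
2006-02-25T09:42:30 deny udp 203.0.113.53:53 -> 192.0.2.10:4022
2006-02-25T09:45:00 deny udp 198.51.100.7:53 -> 192.0.2.10:4099
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(ts), action, proto,
            src_ip, int(src_port), dst_ip, int(dst_port))


def classify_denied_dns_replies(log_text, timeout_seconds=60):
    """Return a list of (timestamp, server_ip, category) for each denied inbound packet from port 53.

    timeout_seconds is the assumed UDP session/NAT lifetime of the firewall.
    """
    # session key: (client_ip, client_port, server_ip) -> state of that query
    sessions = {}
    results = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, action, proto, src_ip, src_port, dst_ip, dst_port = parse_line(raw)
        if proto != "udp":
            continue
        if action == "permit" and dst_port == 53:
            # Outbound query: this is what creates the firewall session.
            sessions[(src_ip, src_port, dst_ip)] = {"opened": ts, "replies": 0}
        elif src_port == 53:
            key = (dst_ip, dst_port, src_ip)
            sess = sessions.get(key)
            if action == "permit":
                if sess is not None:
                    sess["replies"] += 1
                continue
            # Inbound reply that the firewall denied: explain why.
            if sess is None:
                category = "unsolicited"
            elif sess["replies"] >= 1:
                category = "duplicate"
            elif (ts - sess["opened"]).total_seconds() > timeout_seconds:
                category = "late"
            else:
                category = "unexplained"
            results.append((ts, src_ip, category))
    return results


def summarize(results):
    """Count categories so a quick glance shows whether the denies are benign noise."""
    return Counter(category for _, _, category in results)


if __name__ == "__main__":
    found = classify_denied_dns_replies(SAMPLE_LOG)
    for ts, server, category in found:
        print(f"{ts.isoformat()}  {server:<15}  {category}")
    print(summarize(found))
```

A log dominated by "late" and "duplicate" entries matches the post's explanation and is noise from a short UDP session timeout; "unsolicited" entries have no query behind them and are the ones worth investigating.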