Re: Netscreen: Lots of extraneous "denied" packets in log
comp.security.firewalls archive

From: Sebastian Gottschalk <seppi@seppig.de>
Date: Sat Feb 25 2006 - 10:14:00 CET

Jerry Gardner wrote:
> I'm seeing a considerable number of Denied packets in my log, all coming
> from outside my network with source port 53. They're all coming from
> root and top-level name servers (such as g.gtld-servers.net).
>
> I've seen this on other firewalls I've used in the past and it's almost
> always been caused by my local name server sending a UDP packet out to a
> remote name server to resolve an address and not getting a response
> before the NAT translation timeout expires, or getting multiple replies.

A well-known problem with the same effect is that people and some
implementations don't assume the answer to be sent with TCP instead of
UDP (if the answer doesn't fit into a single UDP packet).

> Is there a way to set the NAT translation timeout for UDP on a 5GT? I'm
> running firmware 5.3. I've already tried "set flow allow-dns-reply", but
> this didn't help.

Don't know, but a usual workaround is to simply forward all DNS answers
from an authorized set of DNS servers and deny any others.

Maybe you can add a rule to ignore / not log such particular events?
Received on Mon May 1 00:52:47 2006
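The cause Jerry describes (the UDP session for an outbound query expiring before the reply arrives) can be confirmed from the firewall's own logs by correlating each denied port-53 packet with the outbound query it answers. The following is an added example, not part of the original thread: the log format is a constructed, simplified one rather than the real NetScreen syslog format, and the 60 s UDP timeout is an assumption.

```python
"""Triage firewall "denied" entries that are really late DNS replies.

Added example, not from the original thread. The log format (timestamp
action proto src -> dst) is constructed and is NOT the real NetScreen
syslog format; the 60 s UDP session timeout is assumed."""
from datetime import datetime

UDP_TIMEOUT_S = 60  # assumed NAT/session timeout; set to the device's value

# Constructed sample: outbound queries from the local resolver (10.0.0.53)
# followed by inbound packets from name servers with source port 53.
SAMPLE_LOG = """\
2006-02-25T10:00:00 permit udp 10.0.0.53:40001 -> 192.0.2.10:53
2006-02-25T10:00:02 permit udp 10.0.0.53:40002 -> 192.0.2.20:53
2006-02-25T10:00:03 deny udp 192.0.2.20:53 -> 10.0.0.53:40002
2006-02-25T10:01:15 deny udp 192.0.2.10:53 -> 10.0.0.53:40001
2006-02-25T10:02:00 deny udp 198.51.100.7:53 -> 10.0.0.53:40003
"""

def parse(line):
    ts, action, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}

def classify_denies(log_text, timeout_s=UDP_TIMEOUT_S):
    """Label each denied UDP packet with source port 53 as
    'late-reply'  (query sent, but longer ago than the UDP timeout),
    'extra-reply' (query sent within the timeout: a duplicate reply?) or
    'unsolicited' (no outbound query matches this 4-tuple at all)."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    queries = {}  # reversed 4-tuple of each permitted outbound query -> time
    for e in entries:
        if e["action"] == "permit" and e["proto"] == "udp" and e["dport"] == 53:
            queries[(e["dip"], 53, e["sip"], e["sport"])] = e["ts"]
    labels = {}
    for e in entries:
        if e["action"] != "deny" or e["proto"] != "udp" or e["sport"] != 53:
            continue
        key = (e["sip"], 53, e["dip"], e["dport"])
        sent = queries.get(key)
        if sent is None:
            labels[key] = "unsolicited"
        elif (e["ts"] - sent).total_seconds() > timeout_s:
            labels[key] = "late-reply"
        else:
            labels[key] = "extra-reply"
    return labels

def late_reply_servers(labels):
    """Name servers whose denied packets are all explained as late replies."""
    return sorted({k[0] for k, v in labels.items() if v == "late-reply"})
```

Servers returned by `late_reply_servers` are the candidates for the "authorized set" or the no-log rule suggested in the reply; anything labelled `unsolicited` still deserves a look.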