Re: Netscreen: Lots of extraneous "denied" packets in log
comp.security.firewalls archive


From: Somebody. <somebody.@nospam.russdoucet.com>
Date: Sat Feb 25 2006 - 15:45:33 CET

"Jerry Gardner" <jg2-usenet@gardnerclan.net> wrote in message
news:x%ULf.16362$2O6.24@newssvr12.news.prodigy.com...
> I'm seeing a considerable number of Denied packets in my log, all coming
> from outside my network with source port 53. They're all coming from root
> and top-level name servers (such as g.gtld-servers.net).
>
> I've seen this on other firewalls I've used in the past and it's almost
> always been caused by my local name server sending a UDP packet out to a
> remote name server to resolve an address and not getting a response before
> the NAT translation timeout expires, or getting multiple replies.
>
> Is there a way to set the NAT translation timeout for UDP on a 5GT? I'm
> running firmware 5.3. I've already tried "set flow allow-dns-reply", but
> this didn't help.
>
> Thanks.

set service dns timeout <number in minutes>

Does it really take more than 1 minute to get an answer back from DNS? (That's
the default.)

-Russ.
Received on Mon May 1 00:52:49 2006
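As an added example (not code from the thread), a small triage script that matches each denied source-port-53 packet back to the outbound query it answers, so late replies that arrived after the one-minute default expired can be told apart from unsolicited ones before raising the `set service dns timeout` value. The log layout, field names and addresses are constructed for the example, not taken from a real 5GT.

```python
import math
import re
from datetime import datetime

# Constructed sample traffic-log lines in a simplified ScreenOS-like key=value layout.
# Field names are assumed; 203.0.113.0/24 stands in for the remote name servers.
SAMPLE_LOG = """\
2006-02-25 15:40:02 action=Permit proto=17 src=192.168.1.10 src_port=33123 dst=203.0.113.30 dst_port=53
2006-02-25 15:40:03 action=Permit proto=17 src=192.168.1.10 src_port=33124 dst=203.0.113.31 dst_port=53
2006-02-25 15:40:03 action=Permit proto=17 src=203.0.113.31 src_port=53 dst=192.168.1.10 dst_port=33124
2006-02-25 15:40:04 action=Deny proto=17 src=203.0.113.31 src_port=53 dst=192.168.1.10 dst_port=33124
2006-02-25 15:41:40 action=Deny proto=17 src=203.0.113.30 src_port=53 dst=192.168.1.10 dst_port=33123
2006-02-25 15:42:00 action=Deny proto=17 src=198.51.100.7 src_port=53 dst=192.168.1.10 dst_port=40000
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")

def parse_line(line):
    """Turn one log line into a dict holding a datetime plus the key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
    rec.update(kv.split("=", 1) for kv in m.group(2).split())
    return rec

def classify_denied_dns(log_text, timeout_minutes=1):
    """Explain every denied UDP packet with source port 53 by matching it to the
    outbound query it answers. Returns [(time, remote_server, reason, delay_seconds)]."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Permitted outbound queries, keyed (client, client_port, server) -> time sent.
    queries = {(r["src"], r["src_port"], r["dst"]): r["time"]
               for r in records if r["action"] == "Permit" and r["dst_port"] == "53"}
    results = []
    for r in records:
        if r["action"] != "Deny" or r["src_port"] != "53" or r["proto"] != "17":
            continue
        sent = queries.get((r["dst"], r["dst_port"], r["src"]))
        if sent is None:
            reason, delay = "unsolicited", None   # no query from us went to that server
        else:
            delay = (r["time"] - sent).total_seconds()
            # Past the timeout the session is gone, so the reply is dropped as a new flow;
            # inside it, an earlier reply has most likely already closed the session.
            reason = "late_reply" if delay > timeout_minutes * 60 else "extra_reply"
        results.append((r["time"], r["src"], reason, delay))
    return results

def suggested_dns_timeout(results):
    """Smallest whole-minute value that would have kept every late reply's session open."""
    late = [d for _, _, reason, d in results if reason == "late_reply"]
    return math.ceil(max(late) / 60) if late else None
```

Only the `late_reply` rows argue for a longer timeout; `unsolicited` rows are exactly the denies the firewall should keep producing.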