For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeremiah_47575's avatar
Jeremiah_47575
Icon for Nimbostratus rankNimbostratus
Feb 14, 2010

Recommended idle timeout setting for DNS (UDP)?

I have two sets of LTM 3400's hosting my primary and secondary dns vip's with a pool of dns servers behind each respective vip. The vip's are setup for Performance (Layer 4) and I'm using a custom 'f...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 14, 2010
Hi Jeremiah,

 

 

I have heard of a few major (some root) DNS servers being load balanced through LTM. So hopefully you'll get some experienced suggestions here.

 

 

Isn't the zone transfer done over TCP? If so, and you've configured a UDP only VIP, you should be able to use a very low idle timeout without failures on the UDP VIP and a slightly longer timeout for the TCP VIP. As Jesse pointed out in the thread linked below, any UDP packet would add a new entry in the connection table. So you shouldn't need to worry about removing the connection table entries too early.

 

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=814020&ptarget=814306

 

 

If this is a UDP-only DNS server you wouldn't need to change the "loose initiaition" setting at all because any UDP packet will generate a new connection table entry.

 

 

 

 

Aaron