DoS filter stops DNS from transferring


#1

Last night I spent hours trying to debug a problem. (Got to love it when it’s just a switch somewhere :D) I have my primary DNS in house and secondary out on the internet. I configured the firewall to allow the transfer but it just wouldn’t start. I could see the connection going through both firewalls, even reaching the computer. But it just wouldn’t start transferring with BIND.

Until I turned off the “Intrusion Detection and DoS Prevention” feature. Once disabled, the DNS transfer works no problem. Not sure if this is a bug or intended. But it would be nice to have DoS prevention while still allowing services to function.

If it helps, the command I was using to debug was dig @<ip of peplink wan> <domain> axfr


#2

Hi Michael,

May I know whether the DNS transfer is between the Balance router and a third-party DNS server? If so, is the Balance router the primary DNS?


#3

Port forwarding. The primary DNS is on a machine inside the firewall. Basically I have EasyDNS acting as a “primary” as far as the internet is concerned, but EasyDNS picks up its dynamic updates by contacting my internal DNS.

With intrusion detection turned on, EasyDNS can’t access my internal DNS via the port forwarding; it times out.

Test setup:

secondary DNS -> (WAN) peplink (port forward: 53) (LAN) -> primary DNS
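
A small diagnostic for the setup above, added here as an illustration and not code from Peplink, BIND or EasyDNS. It separates the two things the first post had to untangle by hand: whether TCP/53 reaches the primary through the port forward at all, and whether the AXFR that follows actually completes. The classifier works on the text dig prints, so the constructed samples (documentation addresses, a made-up zone) let it run offline; `run_axfr()` assumes `dig` is on the PATH.

```python
"""Diagnose whether a DNS zone transfer (AXFR) completes through a firewall.

Added illustration for the thread's setup (secondary on the WAN side, port
forward on 53, BIND primary on the LAN); not Peplink's or BIND's code.
Assumes `dig` is installed when run_axfr() is used against a real server.
"""
import socket
import subprocess


def tcp_port_open(host, port=53, timeout=3.0):
    """Step 1: does a TCP session to port 53 get established at all?
    Zone transfers run over TCP, so a failed connect points at the port
    forward or a packet filter; a connect that succeeds while the AXFR still
    hangs points at something acting on the established session."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_axfr_output(output):
    """Step 2: classify what `dig @server zone axfr` printed.
    Returns 'complete', 'refused', 'timeout' or 'incomplete' (the session was
    answered but the full zone never arrived, the symptom described above)."""
    if 'timed out' in output or 'no servers could be reached' in output:
        return 'timeout'
    if 'Transfer failed' in output or 'REFUSED' in output:
        return 'refused'
    # dig prints one record per line; comment/status lines start with ';'.
    records = [l for l in output.splitlines() if l.strip() and not l.startswith(';')]
    soa = [l for l in records if '\tSOA\t' in l]
    # A finished AXFR is bracketed by two SOA records and dig reports its size.
    if len(soa) >= 2 and 'XFR size' in output:
        return 'complete'
    return 'incomplete'


def run_axfr(server, zone, timeout=10):
    """Run dig against a real server (e.g. the Peplink WAN address) and
    classify the result; single try so a hang is reported as a timeout."""
    proc = subprocess.run(
        ['dig', '@' + server, zone, 'axfr', '+time=%d' % timeout, '+tries=1'],
        capture_output=True, text=True)
    return classify_axfr_output(proc.stdout + proc.stderr)


# Constructed sample outputs shaped like dig's, so the classifier can be
# exercised offline. Addresses are documentation ranges, the zone is made up.
GOOD = """\
; <<>> DiG 9.18.0 <<>> @192.0.2.1 example.test axfr
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.53
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
;; Query time: 2 msec
;; XFR size: 4 records (messages 1, bytes 160)
"""
HUNG = """\
; <<>> DiG 9.18.0 <<>> @192.0.2.1 example.test axfr
;; communications error to 192.0.2.1#53: timed out
"""
REFUSED = """\
; <<>> DiG 9.18.0 <<>> @192.0.2.1 example.test axfr
; Transfer failed.
"""

if __name__ == '__main__':
    for name, sample in (('good', GOOD), ('hung', HUNG), ('refused', REFUSED)):
        print(name, '->', classify_axfr_output(sample))
```

Reading the two results together is the point: `tcp_port_open()` true plus `'timeout'` or `'incomplete'` from the AXFR is the pattern in this thread (the handshake passes, the transfer is cut), whereas `'refused'` with an open port means BIND itself declined the transfer and the zone's allow-transfer settings are the place to look.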


#4

Hi Michael,

We do have SYN flood prevention. You may need to check communication behavior between EasyDNS and your internal DNS. Else just disable Intrusion Detection and DoS Prevention if it is not needed.