The Linux firewall module keeps querying the DNS when
any IP address is found in an iptables rule. This
includes address/mask blocks, i.e. if there is a rule
about 10.0.0.0/8 then a "0.0.0.10.in-addr.arpa. IN PTR"
query is submitted to DNS. This makes the firewall
interface very slow if there are many IP addresses or
blocks in the rules, especially if they don't have
reverse DNS (like 10.0.0.0). I think this is a bug but
I never found any reference to this problem. These
queries are perfectly useless.
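As an added illustration (not code from the report or from the firewall module itself), the helper below shows the PTR name a naive lookup would generate for each `-s`/`-d` operand of an iptables rule, and filters out address/mask blocks so that only single hosts, which can actually have a PTR record, are ever resolved. The sample rules are constructed; the regex and function names are assumptions.

```python
import ipaddress
import re

# Constructed sample rules (not taken from the report); the -s/-d operands are
# what a firewall UI would try to resolve to hostnames for display.
SAMPLE_RULES = [
    "-A INPUT -s 10.0.0.0/8 -j DROP",
    "-A INPUT -s 192.0.2.7 -d 198.51.100.0/24 -j ACCEPT",
    "-A INPUT -s 203.0.113.9/32 -j ACCEPT",
]

# Assumed (simplified) extraction of source/destination operands from a rule.
ADDR_RE = re.compile(r"-(?:s|d)\s+(\S+)")


def ptr_name(operand: str) -> str:
    """Name a naive reverse lookup would query for an operand.

    For a block this is the network address, e.g. 10.0.0.0/8 ->
    0.0.0.10.in-addr.arpa. (IPv6 operands yield an ip6.arpa name).
    """
    net = ipaddress.ip_network(operand, strict=False)
    return net.network_address.reverse_pointer + "."


def should_reverse_resolve(operand: str) -> bool:
    """Only a single host can have a meaningful PTR record; skip blocks."""
    net = ipaddress.ip_network(operand, strict=False)
    return net.num_addresses == 1


def lookups_for_rules(rules):
    """Split operands into (operand, ptr_name) pairs worth querying and
    block operands that should be displayed as-is without any DNS traffic."""
    wanted, skipped = [], []
    for rule in rules:
        for operand in ADDR_RE.findall(rule):
            if should_reverse_resolve(operand):
                wanted.append((operand, ptr_name(operand)))
            else:
                skipped.append(operand)
    return wanted, skipped


if __name__ == "__main__":
    wanted, skipped = lookups_for_rules(SAMPLE_RULES)
    print("would query:", wanted)
    print("skipped blocks:", skipped)
```

A caching layer or a short resolver timeout would reduce the cost of the remaining host lookups further, but the filter alone removes every query for a block like 10.0.0.0/8.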