mirror of https://github.com/zulip/zulip.git
3bf047beb8
Under heavy request load, it is possible for the conntrack kernel table to fill up (by default, 256k connections). This leads to DNS requests failing because they cannot make a new conntrack entry. Allow all port-53 UDP traffic in and out without connection tracking. This means that unbound port-53 traffic is no longer filtered out by the on-host firewall -- but it is already filtered out at the border firewall, so this does not change the external network posture. `systemd-resolve` also only binds to 127.0.0.53 on the loopback interface, so there is no server to attack on inbound port 53.
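The conntrack saturation the commit describes and the NOTRACK exemption it applies, as an added shell example (not the commit's own puppet change): the script reports conntrack table utilization and prints, without applying, raw-table rules that exempt UDP port 53 from connection tracking. The /proc paths are the standard nf_conntrack sysctls; the 90% threshold, the fallback sample values and the exact rule set are assumptions.

```shell
#!/bin/sh
# Added example, not from the zulip commit. Reports how full the conntrack
# table is and prints (does not apply) raw-table rules that exempt UDP/53
# from tracking. Threshold, sample values and rule set are assumptions.

# Integer percentage of the conntrack table currently in use.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || max=1
    echo $(( count * 100 / max ))
}

# Exit 0 while usage is below the threshold (default 90%), 1 at or above it.
conntrack_headroom_ok() {
    pct=$(conntrack_usage_pct "$1" "$2")
    [ "$pct" -lt "${3:-90}" ]
}

# Read the live counters when present; otherwise fall back to constructed
# sample values (250000 of 262144) so the script also runs offline.
read_conntrack() {
    d=/proc/sys/net/netfilter
    if [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ]; then
        cat "$d/nf_conntrack_count" "$d/nf_conntrack_max" | tr '\n' ' '
    else
        echo "250000 262144"
    fi
}

# One way to express "all port-53 UDP traffic in and out without connection
# tracking": raw-table NOTRACK for both directions, matching queries
# (--dport 53) and their replies (--sport 53). Printed only, never applied.
notrack_dns_rules() {
    for chain in PREROUTING OUTPUT; do
        for port_flag in --dport --sport; do
            echo "iptables -t raw -A $chain -p udp $port_flag 53 -j NOTRACK"
        done
    done
}

set -- $(read_conntrack)
echo "conntrack: $1/$2 entries ($(conntrack_usage_pct "$1" "$2")%)"
if ! conntrack_headroom_ok "$1" "$2" 90; then
    echo "table near capacity: new flows, DNS included, cannot be tracked"
    notrack_dns_rules
fi
```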