One fix is to load nf_conntrack at boot by adding it to the module load list
https://bugs.launchpad.net/bugs/1922778 https://github.com/canonical/microk8s/issues/4462
On a related note, the sosreport tool which collects outputs of a zillion different commands for diagnostics purposes, goes to great lengths and CI tests that no kernel modules are loaded by any of the plugins, for basically this same reason.
e.g. If the modules aren't already loaded, it will avoid running iptables -L and various other tricks: https://github.com/sosreport/sos/issues/1435 https://github.com/sosreport/sos/issues/2978
It references very old Linux kernels, Slackware 10 (released in 2004), old hardware with little RAM, it talks about iptables (it still exists and the syntax is fine, but it's just now mostly an abstraction/compatibility layer on top of nftables) and there's no mention of IPv6 (if I'm not mistaken on most stacks now DNS queries are made for both IPv4 and IPv6).
Please elaborate.
As they say a typical DNS request comes in as one packet and is replied in one packet, there is no ongoing connection so there's no point keeping tracking information.
The implication of not tracking the connection is that any packets will have to match a more specific rule than the "allow established,related" at the top of the firewall chain.
> they would be better off trying to make DNS a TCP-only service to stop amplification attacks.
Sure, lets get literally everyone on the intenet to agree to a new version of DNS that uses TCP...
Even if you do that - the problem moves from conntrack filling up we can fill up on ephemeral ports stuck in TIME_WAIT because some genius thought a service that doesn't maintain a connection should use TCP
That's already done. DNS servers already all speak both TCP and UDP. Try "dig google.com @8.8.8.8 +tcp".
host -t txt amazon.com | wc -l
35
iptables conntrack is indeed a huge menace, but you should bypass conntrack entirely for local network connections as you don’t need it.
The only thing conntrack would give you for local requests is better logging, but YAGNI.
I'm concerned when enough time passes it'll be impossible to do that kind of back-checking proof so "it seems like an LLM"-isms will become a self-confirming prophecy which can't reasonably be disproven. If one feels an article is bad it's sufficient to talk about how the article itself is bad. Hypothesizing of how the bad article came to be written doesn't offer insight to what's wrong with the article, it does instead introduce prejudices based on expectations from perceived style of writing rather than content though.
> iptables conntrack is indeed a huge menace, but you should bypass conntrack entirely for local network connections as you don’t need it.
> The only thing conntrack would give you for local requests is better logging, but YAGNI.
Some people and places don't like the idea an internal device should unilaterally be able to communicate to anything internal and vice versa. Particularly for devices hosting external services. Many even go as far as to host external DNS as a fully isolated service in a DMZ with no internal access allowed by both self and connected FW filters. Not everyone goes full hog with it though but those that do will want to keep not only attempted connection logging but also that multiple layers of security beyond "internal vs external conversation source/destination".