User guide
Configuring the DNS Proxy Service
5 Click the Incoming tab. Use the Incoming DNS-Proxy connections
are drop list to select Enabled and Allowed.
6 Click the Outgoing tab. Use the Outgoing DNS-Proxy connections
are drop list to select Enabled and Allowed.
7 Click OK to close the DNS-Proxy Properties dialog box.
8 Click Close.
The Services dialog box closes. The DNS-Proxy icon appears in the Services Arena.
DNS file descriptor limit
The DNS proxy has only 256 file descriptors available for its use, which
limits the number of DNS connections in a NAT environment. Every UDP
request that uses dynamic NAT uses a file descriptor for the duration of
the UDP timeout. Every TCP session that uses dynamic, static, or 1-to-1
NAT uses a file descriptor for the duration of the session.
The file descriptor limit is rarely a problem, but an occasional site may
experience slow name resolution and many instances of the following log
message:
dns-proxy[xx] dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument
You can work around this problem in two ways (the first method is the
most secure):
• Avoid using dynamic NAT between your clients and your DNS
server.
• Disable the outgoing portion of the DNS proxied service and replace
it with a filtered DNS service.
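
To confirm that slow name resolution comes from the descriptor limit, count how often the log message above appears per minute. The following Python script is an added example, not part of the product or the original guide; the syslog-style timestamp prefix, the host name fw, the threshold of 3 and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text as quoted in this guide; [xx] is the process id.
FD_ERROR = re.compile(
    r"dns-proxy\[\d+\]\s+dns_setup_connect_udp: "
    r"Unable to create UDP socket\s+for port: Invalid argument"
)
# Assumed syslog-style prefix "Mon DD HH:MM:SS"; adjust to your log export.
STAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\s")


def fd_exhaustion_minutes(lines, threshold=3):
    """Return {minute: count} for minutes with >= threshold socket failures."""
    per_minute = Counter()
    for line in lines:
        if not FD_ERROR.search(line):
            continue  # unrelated log entry
        m = STAMP.match(line)
        # Lines without a recognisable timestamp are grouped together.
        per_minute[m.group(1) if m else "unknown"] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


# Constructed sample log lines (not captured from a real device).
ERR = "dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument"
SAMPLE = [
    f"Mar 04 10:15:02 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:15:09 fw dns-proxy[212] {ERR}",
    "Mar 04 10:15:11 fw http-proxy[198] connection closed",
    f"Mar 04 10:15:40 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:16:03 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:20:01 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:20:05 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:20:17 fw dns-proxy[212] {ERR}",
    f"Mar 04 10:20:48 fw dns-proxy[212] {ERR}",
]

if __name__ == "__main__":
    for minute, n in sorted(fd_exhaustion_minutes(SAMPLE).items()):
        print(f"{minute}: {n} UDP socket failures (possible descriptor exhaustion)")
```

Minutes that repeatedly exceed the threshold indicate that DNS traffic through dynamic NAT is holding all 256 descriptors, which is the condition the two workarounds above address.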