There is also a trap, which is that setting this in /etc/sysctl.conf or /etc/sysctl.d doesn't work, because the module isn't always yet loaded when those are set.

One fix is to load nf_conntrack at boot by adding it to the module load list

https://bugs.launchpad.net/bugs/1922778 https://github.com/canonical/microk8s/issues/4462

On a related note, the sosreport tool which collects outputs of a zillion different commands for diagnostics purposes, goes to great lengths and CI tests that no kernel modules are loaded by any of the plugins, for basically this same reason.

e.g. If the modules aren't already loaded, it will avoid running iptables -L and various other tricks: https://github.com/sosreport/sos/issues/1435 https://github.com/sosreport/sos/issues/2978

> This sounds like bad advice

Please elaborate.

As they say a typical DNS request comes in as one packet and is replied in one packet, there is no ongoing connection so there's no point keeping tracking information.

The implication of not tracking the connection is that any packets will have to match a more specific rule than the "allow established,related" at the top of the firewall chain.

> they would be better off trying to make DNS a TCP-only service to stop amplification attacks.

Sure, lets get literally everyone on the intenet to agree to a new version of DNS that uses TCP...

Even if you do that - the problem moves from conntrack filling up we can fill up on ephemeral ports stuck in TIME_WAIT because some genius thought a service that doesn't maintain a connection should use TCP

TCP is less efficient for request-response protocol. The root of the problem (DDoS with amplification) IMHO is not DNS but ISPs which allow to spoof source addresses. Most don’t allow. RFC2827 (BCP38) was published >20 years ago and the problem was not new even back then. How bad guys find ISP (or hostings) permitting src IP spoofing? Is there a way to encourage such ISP to follow BCP38?

If you want to stop UDP DNS from being able to amplify, require bigger query datagrams.

The original page is near identical to the 2020 version https://web.archive.org/web/20200812150324/https://kb.isc.or... (change from some units going from e.g. M to MB and the console snippets going from being labeled as "Plain text" rather than "Shell") and it certainly wasn't written with a GPT-2 quality system.

I'm concerned when enough time passes it'll be impossible to do that kind of back-checking proof so "it seems like an LLM"-isms will become a self-confirming prophecy which can't reasonably be disproven. If one feels an article is bad it's sufficient to talk about how the article itself is bad. Hypothesizing of how the bad article came to be written doesn't offer insight to what's wrong with the article, it does instead introduce prejudices based on expectations from perceived style of writing rather than content though.

> iptables conntrack is indeed a huge menace, but you should bypass conntrack entirely for local network connections as you don’t need it.

> The only thing conntrack would give you for local requests is better logging, but YAGNI.

Some people and places don't like the idea an internal device should unilaterally be able to communicate to anything internal and vice versa. Particularly for devices hosting external services. Many even go as far as to host external DNS as a fully isolated service in a DMZ with no internal access allowed by both self and connected FW filters. Not everyone goes full hog with it though but those that do will want to keep not only attempted connection logging but also that multiple layers of security beyond "internal vs external conversation source/destination".

Doesn't seem like LLM output to me. Rather, it seems like unnecessary text padding with pseudo stories to please (possibly outdated) SEO strategies.