DNS errors caused by nf_conntrack

Andrew McNabb amcnabb at mcnabbs.org
Wed Mar 25 12:54:03 MDT 2009

I've run into a weird problem, and a basic Google search didn't seem to
help.  The symptom was that DNS queries were failing, apparently for no
good reason.  On the DNS server, I noticed the log message:
"nf_conntrack: table full, dropping packet" repeated thousands of times.
This was surprising to me because the server isn't using iptables at all
(I checked and the nat tables are all empty).  I'm surprised that
nf_conntrack is getting used at all, much less filled.  I looked at
/proc/net/nf_conntrack, and all of the entries seemed to be local
machines doing normal lookups, so it's not a DoS (which is what some
forum threads seemed to suggest).

I've tried increasing /proc/sys/net/nf_conntrack_max, and I'll see if
that helps, but the real question is why nf_conntrack is being used at
all on a machine that isn't a firewall.  If it helps, this is a Fedora
10 machine.  I'm curious whether anyone has seen something like this


Andrew McNabb
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
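A quick way to check the two things the post reasons about, how full the conntrack table is and whether its entries look like ordinary clients or one flooding source. This is an added example, not the poster's own script; the conntrack dump below is constructed in the /proc/net/nf_conntrack line format, and the sysctl paths under /proc/sys/net/netfilter/ are the ones assumed for a live host.

```shell
#!/bin/sh
# Summarise a conntrack table dump: which source addresses hold the most
# entries, and how many entries never got a reply. Many distinct local
# clients doing DNS lookups looks very different from one address filling
# the table with half-open flows.
# Constructed sample in /proc/net/nf_conntrack format; on a live host point
# the functions at the real file instead.
SAMPLE_CT=$(mktemp)
trap 'rm -f "$SAMPLE_CT"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.53 sport=51234 dport=53 src=192.168.1.53 dst=192.168.1.10 sport=53 dport=51234 mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.11 dst=192.168.1.53 sport=40001 dport=53 [UNREPLIED] src=192.168.1.53 dst=192.168.1.11 sport=53 dport=40001 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=192.168.1.10 dst=192.168.1.53 sport=51235 dport=53 src=192.168.1.53 dst=192.168.1.10 sport=53 dport=51235 mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=192.168.1.53 sport=33000 dport=22 src=192.168.1.53 dst=192.168.1.12 sport=22 dport=33000 [ASSURED] mark=0 secmark=0 use=2
EOF

# Entries per originating address (the first src= field is the original
# direction; the second is the reply tuple and is ignored). Busiest first.
top_sources() {  # $1 = conntrack dump file
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
       END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# Percentage of entries still marked [UNREPLIED]; a large share means the
# table is holding one-way traffic rather than normal request/response pairs.
unreplied_pct() {  # $1 = conntrack dump file
  awk '/\[UNREPLIED\]/ { u++ } END { printf "%d", NR ? 100 * u / NR : 0 }' "$1"
}

# Table utilisation in percent. On a live host (assumed sysctl paths):
#   table_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#             "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
table_pct() {  # $1 = nf_conntrack_count  $2 = nf_conntrack_max
  echo $(( 100 * $1 / $2 ))
}

echo "table usage: $(table_pct 1000 65536)%"
echo "unreplied:   $(unreplied_pct "$SAMPLE_CT")%"
echo "top sources:"; top_sources "$SAMPLE_CT"
```

Raising nf_conntrack_max only buys room; the per-source counts are what tell you whether the entries are legitimate load or something that needs a rule or a shorter timeout.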
