Mirror of https://github.com/zulip/zulip.git, synced 2025-10-31 12:03:46 +00:00
	Under heavy request load, it is possible for the conntrack kernel table to fill up (by default, 256k connections). This leads to DNS requests failing because they cannot make a new conntrack entry. Allow all port-53 UDP traffic in and out without connection tracking. This means that unbound port-53 traffic is no longer filtered out by the on-host firewall -- but it is already filtered out at the border firewall, so this does not change the external network posture. `systemd-resolve` also only binds to 127.0.0.53 on the loopback interface, so there is no server to attack on inbound port 53.
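As an added illustration (not Zulip's own puppet configuration), the iptables raw-table rules that implement this kind of exemption, together with a small check for conntrack table pressure; the /proc paths and the 262144 default are standard Linux values, not taken from the commit.

```shell
#!/bin/sh
# Added example, not code from the Zulip repository. Assumes iptables with
# the raw table and the NOTRACK target available (standard on Linux).

# Print the rules that exempt UDP/53 from connection tracking. The raw table
# is evaluated before conntrack, so NOTRACK here means DNS packets never
# consume an nf_conntrack entry. Note that untracked packets no longer match
# "-m conntrack --ctstate ESTABLISHED" in the filter table, so the filter
# table must accept UDP/53 explicitly (the host-firewall change the commit
# message describes).
dns_notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT     -p udp --dport 53 -j NOTRACK
iptables -t raw -A PREROUTING -p udp --sport 53 -j NOTRACK
iptables -t raw -A OUTPUT     -p udp --sport 53 -j NOTRACK
EOF
}

# Percentage of the conntrack table in use. Reads the live kernel counters
# when called without arguments; accepts count and max explicitly so the
# logic can be exercised offline.
conntrack_usage_pct() {
    count=${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)}
    max=${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0)}
    [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $((count * 100 / max))
}

# Succeeds when usage is at or above a threshold (default 90%), so a
# monitoring check can fire before new entries start being refused.
conntrack_near_full() {
    pct=$(conntrack_usage_pct "$1" "$2")
    [ "$pct" -ge "${3:-90}" ]
}

# Count the kernel's "table full, dropping packet" events in log text on
# stdin (e.g. `dmesg | conntrack_table_full_events`); these are the
# symptom that precedes DNS lookups failing under load.
conntrack_table_full_events() {
    grep -c 'nf_conntrack: .*table full, dropping packet' || true
}

# Stand-alone demo: show the rules and the current table usage.
dns_notrack_rules
echo "conntrack table usage: $(conntrack_usage_pct)%"
```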