mirror of
https://github.com/zulip/zulip.git
synced 2026-06-30 21:11:04 +08:00
Under heavy request load, it is possible for the conntrack kernel table to fill up (by default, 256k connections). This leads to DNS requests failing because they cannot make a new conntrack entry. Allow all port-53 UDP traffic in and out without connection tracking. This means that unbound port-53 traffic is no longer filtered out by the on-host firewall -- but it is already filtered out at the border firewall, so this does not change the external network posture. `systemd-resolve` also only binds to 127.0.0.53 on the loopback interface, so there is no server to attack on inbound port 53.