This sounds like bad advice, I don't know why ISC is pushing this... they would be better off trying to make DNS a TCP-only service to stop amplification attacks.
The fun part is that in some cases just listing the iptables rules with an iptables -L will cause it to load the conntrack module and the default max for this is very low for anything that is a DNS server or perform a lot of DNS lookups. That's why it's a good idea to always set the sysctl nf_conntrack_max value quite high even if you aren't using conntrack. The actual sysctl key for nf_conntrack is different depending on the version of the kernel, it's net.netfilter.nf_conntrack_max nowadays.
There is also a trap, which is that setting this in /etc/sysctl.conf or /etc/sysctl.d doesn't work, because the module isn't always yet loaded when those are set.
One fix is to load nf_conntrack at boot by adding it to the module load list
On a related note, the sosreport tool which collects outputs of a zillion different commands for diagnostics purposes, goes to great lengths and CI tests that no kernel modules are loaded by any of the plugins, for basically this same reason.
This sounds like bad advice, I don't know why ISC is pushing this... they would be better off trying to make DNS a TCP-only service to stop amplification attacks.
The fun part is that in some cases just listing the iptables rules with an iptables -L will cause it to load the conntrack module and the default max for this is very low for anything that is a DNS server or perform a lot of DNS lookups. That's why it's a good idea to always set the sysctl nf_conntrack_max value quite high even if you aren't using conntrack. The actual sysctl key for nf_conntrack is different depending on the version of the kernel, it's net.netfilter.nf_conntrack_max nowadays.
There is also a trap, which is that setting this in /etc/sysctl.conf or /etc/sysctl.d doesn't work, because the module isn't always yet loaded when those are set.
One fix is to load nf_conntrack at boot by adding it to the module load list
https://bugs.launchpad.net/bugs/1922778 https://github.com/canonical/microk8s/issues/4462
On a related note, the sosreport tool which collects outputs of a zillion different commands for diagnostics purposes, goes to great lengths and CI tests that no kernel modules are loaded by any of the plugins, for basically this same reason.
e.g. If the modules aren't already loaded, it will avoid running iptables -L and various other tricks: https://github.com/sosreport/sos/issues/1435 https://github.com/sosreport/sos/issues/2978
I’m concerned that this is output generated by an LLM (specifically chatgpt) as the writing style is eerily similar.
iptables conntrack is indeed a huge menace, but you should bypass conntrack entirely for local network connections as you don’t need it.
The only thing conntrack would give you for local requests is better logging, but YAGNI.
Doesn't seem like LLM output to me. Rather, it seems like unnecessary text padding with pseudo stories to please (possibly outdated) SEO strategies.