From 3b19870ca742c99ead7afcdec8f7a100b5e030a9 Mon Sep 17 00:00:00 2001 From: =?utf8?q?H=C3=A5kan=20Lindqvist?= Date: Wed, 29 Mar 2023 22:25:29 +0200 Subject: [PATCH] Add reminders for 53/tcp in the NOTRACK rules in docs --- pdns/recursordist/docs/performance.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pdns/recursordist/docs/performance.rst b/pdns/recursordist/docs/performance.rst index 6e5d246161..ffa66b9f7b 100644 --- a/pdns/recursordist/docs/performance.rst +++ b/pdns/recursordist/docs/performance.rst @@ -74,6 +74,7 @@ For high load operation (thousands of queries/second), It is advised to either t Sample Linux command lines would be:: ## IPv4 + ## NOTRACK rules for 53/udp, keep in mind that you also need your regular rules for 53/tcp iptables -t raw -I OUTPUT -p udp --dport 53 -j CT --notrack iptables -t raw -I OUTPUT -p udp --sport 53 -j CT --notrack iptables -t raw -I PREROUTING -p udp --dport 53 -j CT --notrack @@ -84,6 +85,7 @@ Sample Linux command lines would be:: iptables -I OUTPUT -p udp --sport 53 -j ACCEPT ## IPv6 + ## NOTRACK rules for 53/udp, keep in mind that you also need your regular rules for 53/tcp ip6tables -t raw -I OUTPUT -p udp --dport 53 -j CT --notrack ip6tables -t raw -I OUTPUT -p udp --sport 53 -j CT --notrack ip6tables -t raw -I PREROUTING -p udp --sport 53 -j CT --notrack @@ -97,6 +99,7 @@ When using FirewallD (Centos 7+ / Red Hat 7+ / Fedora 21+), connection tracking The settings can be made permanent by using the ``--permanent`` flag:: ## IPv4 + ## NOTRACK rules for 53/udp, keep in mind that you also need your regular rules for 53/tcp firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --dport 53 -j CT --notrack firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --sport 53 -j CT --notrack firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --dport 53 -j CT --notrack 
@@ -107,6 +110,7 @@ The settings can be made permanent by using the ``--permanent`` flag:: firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --sport 53 -j ACCEPT ## IPv6 + ## NOTRACK rules for 53/udp, keep in mind that you also need your regular rules for 53/tcp firewall-cmd --direct --add-rule ipv6 raw OUTPUT 0 -p udp --dport 53 -j CT --notrack firewall-cmd --direct --add-rule ipv6 raw OUTPUT 0 -p udp --sport 53 -j CT --notrack firewall-cmd --direct --add-rule ipv6 raw PREROUTING 0 -p udp --dport 53 -j CT --notrack -- 2.47.2
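Review bot: In the first hunk (iptables, IPv4) the new comment tells the reader they "also need your regular rules for 53/tcp", but the ACCEPT rules that follow in the same literal block are UDP-only (`iptables -I OUTPUT -p udp --sport 53 -j ACCEPT`), so someone pasting the block verbatim still ends up with no tcp/53 rules at all; either add the corresponding `-p tcp --dport 53` / `--sport 53` ACCEPT lines to the sample, or say explicitly that the sample covers UDP only and that tcp/53 is deliberately left to conntrack. The wording could also be tightened for a doc literal block, e.g. "## NOTRACK rules for 53/udp only; 53/tcp still needs ordinary ACCEPT rules", rather than "keep in mind that you also need".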
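Review bot: In the second hunk (ip6tables) the unchanged context shows the third raw rule as `ip6tables -t raw -I PREROUTING -p udp --sport 53 -j CT --notrack`, whereas the IPv4 block at the same position has `--dport 53`; since this hunk is touching that block anyway, check that the IPv6 list still contains both a `--dport 53` and a `--sport 53` PREROUTING rule and that the two blocks are ordered the same way, otherwise the IPv6 sample does not untrack the same traffic as the IPv4 one.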
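Review bot: In the third hunk (firewall-cmd, IPv4) "your regular rules for 53/tcp" is ambiguous in the FirewallD section, because the surrounding examples are all `--direct` rules and a FirewallD user would normally open the port in a zone instead (`firewall-cmd --add-service=dns` or `firewall-cmd --add-port=53/tcp`, plus `--permanent` as the introductory sentence already mentions); say which form is meant so the reader does not assume a matching `--direct ... -p tcp` rule is required.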
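Review bot: The fourth hunk (firewall-cmd, IPv6) is the fourth verbatim copy of the same one-line comment in a single page; the point applies to every variant equally and belongs once in the prose that introduces the samples ("Sample Linux command lines would be::" and "The settings can be made permanent ..."), with at most a short "## 53/udp only" marker inside each block. That keeps the four literal blocks from drifting apart when one copy is edited later, and avoids the reader meeting the same sentence four times.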