I'm seeing a considerable number of Denied packets in my log, all coming from outside my network with source port 53. They're all coming from root and top-level name servers (such as g.gtld-servers.net).
I've seen this on other firewalls I've used in the past and it's almost always been caused by my local name server sending a UDP packet out to a remote name server to resolve an address and not getting a response before the NAT translation timeout expires, or getting multiple replies.
Is there a way to set the NAT translation timeout for UDP on a 5GT? I'm running firmware 5.3. I've already tried "set flow allow-dns-reply", but this didn't help.
Thanks.
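To make the mechanism described in the question concrete, here is an added example (not from the original post, and not ScreenOS code) that models a stateful UDP NAT table with an idle timeout. The resolver's outbound query creates a translation; a reply that arrives after the timeout has no translation to match and is denied, which is exactly how a legitimate reply from a TLD name server ends up in the deny log as an inbound packet with source port 53. All addresses, the 20000 port base and the timeouts are constructed values.

```python
"""Constructed model of a UDP NAT translation table with an idle timeout.

Shows why a late DNS reply (source port 53) is logged as a denied inbound
packet: the translation created by the outbound query has already aged out.
Not taken from any firewall's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp port)


@dataclass
class NatEntry:
    inside: Endpoint   # private host that sent the query
    last_seen: float   # time of the last packet that matched this entry


@dataclass
class UdpNat:
    """Minimal stateful UDP NAT: one translation per outbound flow,
    discarded once it has been idle for more than `timeout` seconds."""
    timeout: float
    table: Dict[Tuple[int, Endpoint], NatEntry] = field(default_factory=dict)
    denied: List[str] = field(default_factory=list)
    next_port: int = 20000  # constructed starting point for outside ports

    def outbound(self, inside: Endpoint, remote: Endpoint, now: float) -> int:
        """Create a translation for an outbound packet; return the outside port."""
        port = self.next_port
        self.next_port += 1
        self.table[(port, remote)] = NatEntry(inside, now)
        return port

    def inbound(self, src: Endpoint, dst_port: int, now: float) -> Optional[Endpoint]:
        """Match an inbound packet against the table.

        Returns the inside endpoint it is forwarded to, or None (and logs a
        deny) when no live translation exists for this remote endpoint/port."""
        key = (dst_port, src)
        entry = self.table.get(key)
        if entry is not None and now - entry.last_seen > self.timeout:
            del self.table[key]          # idle too long: translation aged out
            entry = None
        if entry is None:
            self.denied.append(
                f"Denied UDP {src[0]}:{src[1]} -> fw:{dst_port} at t={now:.0f}s")
            return None
        entry.last_seen = now            # traffic refreshes the idle timer
        return entry.inside


def scenario(timeout: float, reply_at: float) -> dict:
    """One resolver query at t=0 and one reply at t=reply_at seconds."""
    nat = UdpNat(timeout=timeout)
    resolver = ("10.0.0.53", 40001)      # constructed internal name server
    tld_server = ("192.0.2.10", 53)      # constructed stand-in for a TLD server
    port = nat.outbound(resolver, tld_server, now=0.0)
    delivered_to = nat.inbound(tld_server, port, now=reply_at)
    return {"delivered": delivered_to == resolver, "denied_log": list(nat.denied)}


if __name__ == "__main__":
    # 60 s timeout, reply after 75 s: logged as a denied packet from port 53.
    print(scenario(timeout=60.0, reply_at=75.0))
    # Longer timeout: the same late reply is matched and forwarded.
    print(scenario(timeout=120.0, reply_at=75.0))
```

Run as a script it prints both outcomes; the only difference between the two runs is the UDP translation timeout, which is why checking that setting is the first thing to look at when the denied sources are all well-known name servers answering on port 53.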