Sorry for the late reply, I was on holiday last week.

The servers behind our CSS are using the Internet DNS, and they don't seem to have any problem with that. But our firewall and IDSs aren't happy with this behaviour, and their logs are running full at immense speed.

The reduced configuration is below:

HVD.

!Generated on 03/13/2006 11:45:11
!Active version: sg0740104s

configure

!*************************** GLOBAL ***************************
  no restrict web-mgmt
  ip no-implicit-service
  virtual authentication primary tacacs
  virtual authentication secondary local
  acl enable
  global-portmap base-port 3000 range 30000
  sntp server x.x.x.200 version 1
  snmp trap-type enterprise
  snmp community xxxx read-only
  snmp community xxxx read-write
  snmp trap-host x.x.x.200 xxxxxxx
  snmp trap-host x.x.x.201 xxxxxxx
  snmp trap-type enterprise service-transition
  snmp trap-type enterprise redundancy-transition
  snmp trap-type enterprise reload
  snmp trap-type enterprise isc-lifetick-failure
  snmp name "csbrumz3"
  logging host x.x.x.200 facility 3 log-level debug-7
  logging disk system.log
  logging subsystem netman level info-6
  logging subsystem circuit level info-6
  logging subsystem redundancy level info-6
  logging subsystem keepalive level info-6
  logging subsystem vrrp level info-6
  dns suffix xxxxxxx
  dns primary y.y.y.210
  dns secondary y.y.y.211
  tacacs-server key xxxxxxxx
  tacacs-server x.x.19.200 49 primary
  tacacs-server x.x.17.200 49
  tacacs-server timeout 60

  ip route 0.0.0.0 0.0.0.0 y.y.y.126 1

!************************* INTERFACE *************************
interface 2/1
  bridge vlan 19

interface 2/3
  bridge vlan 18

interface 2/8
  isc-port-one

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 169.254.1.3 255.255.255.0

circuit VLAN19
  ip address y.y.y.115 255.255.255.128
    ip virtual-router 1 priority 210 preempt
    ip redundant-vip 1 y.y.y.66

circuit VLAN18
  ip address x.x.18.248 255.255.255.0
    ip virtual-router 2 priority 210 preempt
    ip redundant-interface 2 x.x.18.254

!************************** SERVICE **************************
service our_system1
  keepalive retryperiod 60
  keepalive frequency 20
  keepalive maxfailure 2
  keepalive port 80
  ip address x.x.18.129
  redundant-index 101
  keepalive uri "/poll/poll.htm"
  keepalive type http non-persistent
  active

service our_system2
  keepalive retryperiod 120
  keepalive frequency 60
  keepalive maxfailure 2
  keepalive port 80
  ip address x.x.18.130
  keepalive type http
  keepalive uri "/poll/poll.htm"
  redundant-index 107
  active

service server5
  redundant-index 160
  ip address x.x.18.67
  active

service server6
  ip address x.x.18.68
  redundant-index 161
  active

!*************************** OWNER ***************************
owner WEARE

  content our_system
    advanced-balance sticky-srcip
    add service our_system1
    add service our_system2
    vip address y.y.y.66
    redundant-index 103
    sticky-mask 255.255.0.0
    protocol tcp
    port 80
    active

!*************************** GROUP ***************************
group VSystems
  add service server5
  add service server6
  add service our_system1
  add service our_system2
  vip address y.y.y.66
  redundant-index 168
  active

!**************************** NQL ****************************
nql dmz_servers
  ip address y.y.y.210 255.255.255.255
  ip address y.y.y.211 255.255.255.255
  ip address y.y.y.212 255.255.255.255
  ip address y.y.y.214 255.255.255.255
  ip address y.y.y.215 255.255.255.255

!**************************** ACL ****************************
acl 18
  clause 1 deny any any destination x.x.18.248 255.255.255.255 eq ftp
  clause 2 deny any any destination x.x.18.248 255.255.255.255 eq telnet
  clause 3 deny any any destination x.x.18.248 255.255.255.255 eq http
  clause 4 permit any any destination x.x.18.248 255.255.255.255
  clause 117 permit any nql Systems_physical destination nql dmz_servers
  clause 139 permit any x.x.18.129 eq 80 destination any
  clause 139 permit any x.x.18.130 eq 80 destination any
  clause 251 permit any x.x.18.248 255.255.255.255 destination any
  clause 252 permit any x.x.18.249 255.255.255.255 destination any
  clause 253 permit any x.x.18.254 255.255.255.255 destination any
  clause 254 deny any any destination any
  apply circuit-(VLAN18)

acl 19
  clause 10 deny any any destination y.y.y.115 255.255.255.255 eq 21
  clause 11 deny any any destination y.y.y.115 255.255.255.255 eq 23
  clause 12 deny any any destination y.y.y.115 255.255.255.255 eq 80
  clause 100 permit any any destination any
  clause 254 deny any any destination any
  apply circuit-(VLAN19)