This sounds like bad advice, I don't know why ISC is pushing this... they would be better off trying to make DNS a TCP-only service to stop amplification attacks.

I’m concerned that this is output generated by an LLM (specifically chatgpt) as the writing style is eerily similar.

iptables conntrack is indeed a huge menace, but you should bypass conntrack entirely for local network connections as you don’t need it.

The only thing conntrack would give you for local requests is better logging, but YAGNI.

The fun part is that in some cases just listing the iptables rules with an iptables -L will cause it to load the conntrack module and the default max for this is very low for anything that is a DNS server or perform a lot of DNS lookups. That's why it's a good idea to always set the sysctl nf_conntrack_max value quite high even if you aren't using conntrack. The actual sysctl key for nf_conntrack is different depending on the version of the kernel, it's net.netfilter.nf_conntrack_max nowadays.

How old is that article? (not that it's bad but it feels a bit old)

It references very old Linux kernels, Slackware 10 (released in 2004), old hardware with little RAM, it talks about iptables (it still exists and the syntax is fine, but it's just now mostly an abstraction/compatibility layer on top of nftables) and there's no mention of IPv6 (if I'm not mistaken on most stacks now DNS queries are made for both IPv4 and IPv6).

What a terrible website. It moves the viewport around and interferes with scrolling.