[CentOS] Apparent BIND problem doing RBL lookups for Postfix

listserv.traffic at sloop.net listserv.traffic at sloop.net
Thu Apr 15 21:00:58 UTC 2010


> What happens if you change your resolv.conf to google's dns ?
I haven't tried this, but from reports, spamhaus.org blocks google's dns. [The
traffic limits are too high. If they didn't, no one would buy a
commercial zone transfer license...]

So, while it's not likely to fix this problem, even if it were, it
seems like your "solution" to the broken DNS server is to use
someone else's DNS server.

So, yeah, I could drive the neighbor's car when mine doesn't work.
But that doesn't fix my car.

I'm interested in fixing mine, or at least understanding how and why it's broken.

Thanks for your time and thoughts though.

-Greg

> On 4/15/10, Nataraj <incoming-centos at rjl.com> wrote:
>> listserv.traffic at sloop.net wrote:
>>>> Check out the following bug report. I would also look at other bind bug
>>>> reports. My sense is that redhat has deviated quite a bite from the ISC
>>>> version of bind. In particular I believe that they disabled or otherwise
>>>> modified the caching behavior back about 6-8 months ago when there were
>>>> major security issues with bind. I have felt that my Red Hat/Centos name
>>>> servers have not worked as well as Fedora or ISC bind name servers since
>>>> this time. You might try installing ISC bind and see if that solves your
>>>> problem.
>>>>
>>>
>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=553334
>>>>
>>>
>>>
>>>> Nataraj
>>>>
>>>
>>> Interesting - though in our case it's failing long before a few
>>> million lookups. I don't much relish compiling ISC versions to run on
>>> my box - the security implications and other hassles don't seem
>>> trivial. [We don't allow external [the world] lookups - just local
>>> "trusted" users, but that only mitigates some of the security concerns.]
>>>
>>> Perhaps it's possible to use an older version that's security
>>> patched. Ugh.
>>>
>> Though I have not done it in a while, It's not a big deal to build ISC
>> bind.  If you have compilers installed, you untar it and run "make" or
>> "make install", maybe setting up the path for installation.  With the
>> security issues today, I often run a separate system for name servers
>> (actually I use virtual machines).  In fact, mostly I setup both an
>> internal and a external nameserver where the internal one forwards
>> queries to the external one so it never receives packets from the
>> Internet.   So the internal one could be on your mail server and the
>> external one could be a seperate box.  For test purposes, you could try
>> ISC bind on any old box just to determine if it solves the problem.
>>
>> Alternatively, if the problem is urgent I guess you could buy a red hat
>> license and try to get them to up the priority on resolving this.   If
>> you have the time and skills, you could install a debug compiled version
>> of CentOS bind and try to either debug it or capture a dump of it when
>> it breaks and submit that to developers.
>>
>> I don't think running ISC bind for a short time is a major risk.  It's
>> quite widely deployed in the field.
>>
>> Nataraj
>>




More information about the CentOS mailing list