[CentOS] Apparent BIND problem doing RBL lookups for Postfix

Thu Apr 15 19:36:09 UTC 2010
Nataraj <incoming-centos at rjl.com>

listserv.traffic at sloop.net wrote:
>> Check out the following bug report. I would also look at other bind bug
>> reports. My sense is that redhat has deviated quite a bit from the ISC
>> version of bind. In particular I believe that they disabled or otherwise
>> modified the caching behavior back about 6-8 months ago when there were
>> major security issues with bind. I have felt that my Red Hat/Centos name
>> servers have not worked as well as Fedora or ISC bind name servers since
>> this time. You might try installing ISC bind and see if that solves your
>> problem.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=553334
>>
>> Nataraj
>
> Interesting - though in our case it's failing long before a few
> million lookups. I don't much relish compiling ISC versions to run on
> my box - the security implications and other hassles don't seem
> trivial. [We don't allow external [the world] lookups - just local
> "trusted" users, but that only mitigates some of the security concerns.]
>
> Perhaps it's possible to use an older version that's security
> patched. Ugh.
>   
Though I have not done it in a while, it's not a big deal to build ISC 
bind.  If you have compilers installed, you untar it and run "make" or 
"make install", maybe setting up the path for installation.  With the 
security issues today, I often run a separate system for name servers 
(actually I use virtual machines).  In fact, mostly I set up both an 
internal and an external nameserver where the internal one forwards 
queries to the external one so it never receives packets from the 
Internet.  So the internal one could be on your mail server and the 
external one could be a separate box.  For test purposes, you could try 
ISC bind on any old box just to determine if it solves the problem.

Alternatively, if the problem is urgent I guess you could buy a Red Hat 
license and try to get them to up the priority on resolving this.  If 
you have the time and skills, you could install a debug-compiled version 
of CentOS bind and try to either debug it or capture a dump of it when 
it breaks and submit that to the developers.

I don't think running ISC bind for a short time is a major risk.  It's 
quite widely deployed in the field.

Nataraj

> -Greg
>
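The split internal/external layout Nataraj describes, written out as an added named.conf example (not configuration from the thread or from any of its participants). The addresses, the ACL name `internal` and the placeholder network are assumptions; the option names are standard BIND 9 options. The point is that the resolver on the mail server only ever talks to localhost and to the external box, while the external box recurses against the Internet but refuses queries and recursion from anyone outside the internal network, so neither one is an open resolver.

```conf
// Added example, not from the thread. Addresses and the network below are
// placeholders; replace them with your own.

// --- /etc/named.conf on the MAIL SERVER (internal, forward-only resolver) ---
// Listens on loopback only, answers only local clients (Postfix included),
// and hands every query to the external resolver, so it never receives
// packets from the Internet.
options {
    listen-on port 53 { 127.0.0.1; };
    allow-query     { localhost; };
    allow-recursion { localhost; };
    recursion yes;
    forward only;                   // never recurse on its own
    forwarders { 192.0.2.53; };     // placeholder: the external resolver
};

// --- /etc/named.conf on the EXTERNAL resolver (separate box or VM) ---
// Does the real recursion, but only for the internal network, so it does
// not become an open resolver for the rest of the world.
acl internal { 127.0.0.1; 192.0.2.0/24; };   // placeholder: your internal net

options {
    listen-on port 53 { 192.0.2.53; };       // placeholder: its own address
    allow-query     { internal; };
    allow-recursion { internal; };
    recursion yes;
};
```

With this in place, point the mail server's /etc/resolv.conf at `nameserver 127.0.0.1` so Postfix's RBL lookups go through the internal forwarder. To check that the chain works end to end, run `dig @127.0.0.1 2.0.0.127.<rbl-zone>` on the mail server (substituting the RBL zone you actually use); most DNSBLs publish a listing for the 127.0.0.2 test address, so a positive answer confirms forwarding, recursion and the RBL itself are all reachable, and a SERVFAIL or timeout tells you which hop to look at with `dig +trace` from the external box.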