What happens if you change your resolv.conf to Google's DNS?

On 4/15/10, Nataraj <incoming-centos at rjl.com> wrote:
> listserv.traffic at sloop.net wrote:
>>> Check out the following bug report. I would also look at other bind bug
>>> reports. My sense is that redhat has deviated quite a bit from the ISC
>>> version of bind. In particular I believe that they disabled or otherwise
>>> modified the caching behavior back about 6-8 months ago when there were
>>> major security issues with bind. I have felt that my Red Hat/Centos name
>>> servers have not worked as well as Fedora or ISC bind name servers since
>>> this time. You might try installing ISC bind and see if that solves your
>>> problem.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=553334
>>>
>>> Nataraj
>>
>> Interesting - though in our case it's failing long before a few
>> million lookups. I don't much relish compiling ISC versions to run on
>> my box - the security implications and other hassles don't seem
>> trivial. [We don't allow external [the world] lookups - just local
>> "trusted" users, but that only mitigates some of the security concerns.]
>>
>> Perhaps it's possible to use an older version that's security
>> patched. Ugh.
>>
> Though I have not done it in a while, it's not a big deal to build ISC
> bind. If you have compilers installed, you untar it and run "make" or
> "make install", maybe setting up the path for installation. With the
> security issues today, I often run a separate system for name servers
> (actually I use virtual machines). In fact, mostly I setup both an
> internal and an external nameserver where the internal one forwards
> queries to the external one so it never receives packets from the
> Internet. So the internal one could be on your mail server and the
> external one could be a separate box. For test purposes, you could try
> ISC bind on any old box just to determine if it solves the problem.
>
> Alternatively, if the problem is urgent I guess you could buy a red hat
> license and try to get them to up the priority on resolving this. If
> you have the time and skills, you could install a debug compiled version
> of CentOS bind and try to either debug it or capture a dump of it when
> it breaks and submit that to developers.
>
> I don't think running ISC bind for a short time is a major risk. It's
> quite widely deployed in the field.
>
> Nataraj
>
>> -Greg
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos

--
Sent from my mobile device
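
The internal/external resolver split described in the quoted text above, sketched as an added example that is not from the thread or from any poster's actual setup: two named.conf fragments, one per host. All addresses are documentation-range placeholders and the ACL names are hypothetical.

```conf
// ---- named.conf on the INTERNAL resolver (e.g. the mail server) ----
// Placeholder addresses: 192.0.2.10 = this host, 192.0.2.53 = external box.
acl trusted_clients { 127.0.0.1; 192.0.2.0/25; };

options {
    listen-on { 127.0.0.1; 192.0.2.10; };
    recursion yes;
    allow-query     { trusted_clients; };
    allow-recursion { trusted_clients; };

    // Send every cache miss to the external resolver and nowhere else.
    forwarders { 192.0.2.53; };
    // "forward only" means this server never falls back to querying
    // Internet name servers itself, so the only DNS replies it ever
    // parses come from the external box.
    forward only;
};

// ---- named.conf on the EXTERNAL resolver (separate box or VM) ----
// This is the only host that exchanges DNS packets with the Internet.
acl internal_resolver { 192.0.2.10; };

options {
    listen-on { 192.0.2.53; };
    recursion yes;
    // Answer the internal resolver only, so the box is not an open
    // resolver for the rest of the world.
    allow-query     { internal_resolver; };
    allow-recursion { internal_resolver; };
};
```

After editing, `named-checkconf` on each host validates the syntax before the service is reloaded.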