[CentOS] Apparent BIND problem doing RBL lookups for Postfix

Thu Apr 15 19:54:18 UTC 2010
sys Admin <n3t0ps at gmail.com>

What happens if you change your resolv.conf to Google's DNS?


On 4/15/10, Nataraj <incoming-centos at rjl.com> wrote:
> listserv.traffic at sloop.net wrote:
>>> Check out the following bug report. I would also look at other bind bug
>>> reports. My sense is that redhat has deviated quite a bit from the ISC
>>> version of bind. In particular I believe that they disabled or otherwise
>>> modified the caching behavior back about 6-8 months ago when there were
>>> major security issues with bind. I have felt that my Red Hat/Centos name
>>> servers have not worked as well as Fedora or ISC bind name servers since
>>> this time. You might try installing ISC bind and see if that solves your
>>> problem.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=553334
>>>
>>> Nataraj
>>>
>> Interesting - though in our case it's failing long before a few
>> million lookups. I don't much relish compiling ISC versions to run on
>> my box - the security implications and other hassles don't seem
>> trivial. [We don't allow external [the world] lookups - just local
>> "trusted" users, but that only mitigates some of the security concerns.]
>>
>> Perhaps it's possible to use an older version that's security
>> patched. Ugh.
>>
> Though I have not done it in a while, it's not a big deal to build ISC
> bind. If you have compilers installed, you untar it and run "make" or
> "make install", maybe setting up the path for installation. With the
> security issues today, I often run a separate system for name servers
> (actually I use virtual machines). In fact, mostly I set up both an
> internal and an external nameserver where the internal one forwards
> queries to the external one so it never receives packets from the
> Internet. So the internal one could be on your mail server and the
> external one could be a separate box. For test purposes, you could try
> ISC bind on any old box just to determine if it solves the problem.
>
> Alternatively, if the problem is urgent I guess you could buy a red hat
> license and try to get them to up the priority on resolving this. If
> you have the time and skills, you could install a debug compiled version
> of CentOS bind and try to either debug it or capture a dump of it when
> it breaks and submit that to developers.
>
> I don't think running ISC bind for a short time is a major risk. It's
> quite widely deployed in the field.
>
> Nataraj
>
>> -Greg
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>

-- 
Sent from my mobile device