-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Tanner wrote:
> Or, at least that's what it looks like.
> Last night (Oct 28) we were barraged by thousands of emails with a return
> path of facebookmail.com. Our MTA checks the return path of each
> incoming message so as to reject anything that can't be replied to.
> That, of course, requires a DNS lookup, but every attempt to look up
> facebookmail.com timed out, and when I flushed the cache, it would
> resolve for a short while and then hang again until I again flushed my
> cache. This effectively brought both of my email edge servers to their
> knees, as all the SMTP connections were tied up while the server was
> waiting on DNS.
>
> I upgraded back in July when the major security bug was discovered and
> my name servers all run BIND 9.5.0-P1. I know there were a couple of
> Windows-specific updates since then which I ignored because I'm running
> on Linux. Is that version otherwise at risk and do I need to update for
> security reasons?

I'm not an expert on ISC's BIND program. However, let me say this: a few weeks ago my DNS advisor recommended using DNSSEC <URL:http://en.wikipedia.org/wiki/DNSSEC>. He emphasized that it's the best practice against DNS cache poisoning attacks, and now I'm studying it ..;;

byunghee

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkI8yIACgkQsCouaZaxlv60NgCfUy6PaQYhPYEWfStYlyKKMYrP
XY4An1SgOg0XWQuXYi3QtuthNYP6YYaI
=V/gI
-----END PGP SIGNATURE-----
