On 2008-07-26, J Duke <[EMAIL PROTECTED]> wrote:
> I moved back to an earlier version of OpenBSD on the DNS server, and
> the Ironport traffic went up to normal, and the DNS lookup failures stopped.
> CPU utilization went back down to around 9%. But I'm vulnerable.

Sending spam seems a good way to force certain DNS lookups to be done by the receiver, so depending on exactly what DNS lookups your spam filtering systems are doing, you might _really_ not want to be pointing them at an easily poisoned resolver.

> I realize that the whole fix to this DNS cache poisoning is to have random
> ports and random query ids, and that generating good, strong, random numbers
> costs cpu cycles and time. Has anyone else noticed the performance hit?

It's not just generating random numbers that burns cycles, you also take a hit from finding unused ports to send queries from, etc.

You might want to try unbound (in packages/ports for -current). It's pretty sane and easy to get along with. For a busy system it has a big advantage over bind: if you configure IP aliases on the machine and list them manually in separate "outgoing-interface" lines, it will rotate between them, reducing the contention on port numbers.

With unbound, don't take the shortcut of listing 0.0.0.0 / ::0 in Interface: lines, list incoming interfaces individually, this avoids problems with replies going out with wrong source addresses.

Note that this port randomisation does not _fix_ cache poisoning, it just makes it more difficult.
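An unbound.conf "server:" section laid out the way the reply recommends, added here as an illustration rather than anything posted in the thread; the 192.0.2.x addresses are placeholders standing in for the machine's real address and its IP aliases:

```conf
# Added illustration, not from the thread. Addresses come from the
# 192.0.2.0/24 documentation range; substitute the real address and the
# aliases configured on the box.
server:
    # Listen on each address explicitly. The shortcut below is the one the
    # reply warns against: with a wildcard socket, a reply can leave from a
    # different source address than the one the query was sent to.
    # interface: 0.0.0.0
    interface: 127.0.0.1
    interface: 192.0.2.10

    # Only answer the hosts that are meant to use this resolver (the mail
    # filters and local clients); everyone else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # One line per IP alias. unbound picks among these for outgoing queries,
    # so source-port selection is spread over several addresses instead of
    # all queries contending for free ports on a single one.
    outgoing-interface: 192.0.2.10
    outgoing-interface: 192.0.2.11
    outgoing-interface: 192.0.2.12
```

Run unbound-checkconf against the file before restarting the daemon; it reports unknown keywords and malformed addresses without touching the running resolver.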

