Don't attribute to malice that which can be explained by stupidity.

My guess is that Facebook botched a nameserver migration, such that
their apex NS records were pointing to unreachable nameservers. That
would make you unable to resolve the zone until the cache was
purged/flushed at which point you'd be able to resolve it via the
delegation records, you'd cache the bad NS records, and the cycle would
start all over again...

- Kevin
Rob Tanner wrote:
> Or, at least that's what it looks like.
> Last nigh (Oct 28) we were barraged by thousands of emails with a return
> path of Our MTA checks the return path of each
> incoming message so as to reject anything that can't be replied to.
> That, of course, requires a DNS lookup but every attempt to lookup
> timed out and when I flushed the cache, it would
> resolve for a short while and then hang again until a again flushed my
> cache. This effectively brought both of my email edge servers to their
> knees as all the SMTP connections were tied up while the server was
> waiting on DNS.
> I upgraded back in July when the major security bug was discovered and
> my name servers all run BIND 9.5.0-P1. I know there were a couple of
> Windows specific updates since then which I ignored because I'm running
> on Linux. Is that version otherwise at risk and do I need to update for
> security reasons?
> Thanks,
> Rob