I think this problem was present before the upgrade, but I recently upgraded from 3.0.4 to 18.104.22.168p9 - no issues with the upgrade that I noticed, no error messages, was able to log into different accounts, all seemed good. Yesterday, I noticed that I could hardly load anything from the web. I have an older dual-T1 connection which gives me a full 3Mb up and down - I was getting 2.4+ down, but was only getting 0.3 up. People could barely get their email clients to check for new mail, and actually downloading it was near impossible (300 email accounts on another non-ISPConfig server). I checked switches and routers, and found that the ISPConfig server was the unit pushing all the traffic - disconnecting that server brought me back to 2.6+ up and down. Using the traffic statistics on the router for that server, I found that there were over 5800 bind/named connections (port 53) to the server. This ISPConfig server is only hosting 4 domains (httpd only) - it has no email accounts on it. Traffic should be minimal. I found the following types of messages repeatedly (1000's) in the messages log, but not sure why they're there (there were 1000's of different domains with this error): Jul 24 00:39:20 dns named: error (network unreachable) resolving 'a.ns36.de/AAAA/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:20 dns named: error (network unreachable) resolving 'b.ns36.de/A/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:20 dns named: error (network unreachable) resolving 'a.ns36.de/A/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:21 dns named: error (network unreachable) resolving 'b.ns14.net/AAAA/IN': 2a01:130:2000:118:195:34:161:195#53 I was having an issue with this server spewing spam due to some PHP files that were transferred from another hosting company when I took over the hosting of a domain. Those were finally all found and deleted yesterday. I had cleared the postfix queues and actually disabled postfix and courier-imap so that traffic wasn't the cause of the bottleneck. Maybe the bind/named traffic was leftover from that, but I had cleared/disabled email and restarted the system and was still seeing the traffic and connections from bind/named. My thought was maybe there was a known exploit in bind that these spammers were exploiting. For now, I'm just blocking port 53 to this server, and all is happy. It's not a solution though. Any thoughts would be appreciated.