Loading ...
Sorry, an error occurred while loading the content.

Re: dnsblog lookup error questions

Expand Messages
  • Jamie Paul Griffin
    / Alex wrote on Thu 1.Nov 12 at 9:03:00 -0400 / ... For what it s worth, I ve been seeing the same problem on my Mac server; that is, zen.spamhaus.org not
    Message 1 of 14 , Nov 1, 2012
    • 0 Attachment
      / Alex wrote on Thu 1.Nov'12 at 9:03:00 -0400 /

      > Hi,
      >
      > >> I have a fc15 server with postfix-2.8.10 and have enabled postscreen.
      > >> I've enabled it before without any difficulty, so I'm not sure what
      > >> I'm doing wrong in this case. For some reason it is printing these
      > >> errors periodically:
      > >>
      > >> Oct 31 23:41:15 portal postfix/dnsblog[1520]: warning: dnsblog_query:
      > >> lookup error for DNS query 23.49.18.189.zen.spamhaus.org: Host or
      > >> domain name not found. Name service error for
      > >> name=23.49.18.189.zen.spamhaus.org type=A: Host not found, try again
      > >
      > > cat /etc/resolv.conf
      > > postfix check
      > >
      > > what's the output of those?
      >
      > It's set up to use the local caching server, and doesn't otherwise
      > have any resolution issues. Even when I try to resolve that host using
      > 8.8.4.4, it returns NXDOMAIN. I've changed resolv.conf to use 8.8.4.4
      > and it returns the same result:
      >
      > Nov 1 08:54:46 portal postfix/dnsblog[18803]: warning: dnsblog_query:
      > lookup error for DNS query 7.39.158.213.zen.spamhaus.org: Host or
      > domain name not found. Name service error for
      > name=7.39.158.213.zen.spamhaus.org type=A: Host not found, try again
      >
      > # host 7.39.158.213.zen.spamhaus.org 8.8.4.4
      > Using domain server:
      > Name: 8.8.4.4
      > Address: 8.8.4.4#53
      > Aliases:
      >
      > 7.39.158.213.zen.spamhaus.org has address 127.0.0.4
      > Host 7.39.158.213.zen.spamhaus.org not found: 3(NXDOMAIN)
      > Host 7.39.158.213.zen.spamhaus.org not found: 3(NXDOMAIN)
      >
      > It seems like it may always been an issue with spamhaus. Perhaps I
      > have that configuration wrong? dnsblog seems to do fine with
      > barracuda:
      >
      > Nov 1 08:54:51 portal postfix/dnsblog[19203]: addr 85.59.175.220
      > listed by domain b.barracudacentral.org as 127.0.0.2
      >
      >
      > Thanks again,
      > Alex

      For what it's worth, I've been seeing the same problem on my Mac server; that is, zen.spamhaus.org not resolving.
    • Han Boetes
      Consider setting up a caching nameserver like unbound on your server. Having a local cache on a mailserver is good thing™ ... -- # Han Consider setting up a
      Message 2 of 14 , Nov 1, 2012
      • 0 Attachment
        Consider setting up a caching nameserver like unbound on your server. Having a local cache on a mailserver is good thing™


        On Thu, Nov 1, 2012 at 2:37 PM, Jamie Paul Griffin <jamie@...> wrote:
        / Alex wrote on Thu  1.Nov'12 at  9:03:00 -0400 /

        > Hi,
        >
        > >> I have a fc15 server with postfix-2.8.10 and have enabled postscreen.
        > >> I've enabled it before without any difficulty, so I'm not sure what
        > >> I'm doing wrong in this case. For some reason it is printing these
        > >> errors periodically:
        > >>
        > >> Oct 31 23:41:15 portal postfix/dnsblog[1520]: warning: dnsblog_query:
        > >> lookup error for DNS query 23.49.18.189.zen.spamhaus.org: Host or
        > >> domain name not found. Name service error for
        > >> name=23.49.18.189.zen.spamhaus.org type=A: Host not found, try again
        > >
        > > cat /etc/resolv.conf
        > > postfix check
        > >
        > > what's the output of those?
        >
        > It's set up to use the local caching server, and doesn't otherwise
        > have any resolution issues. Even when I try to resolve that host using
        > 8.8.4.4, it returns NXDOMAIN. I've changed resolv.conf to use 8.8.4.4
        > and it returns the same result:
        >
        > Nov  1 08:54:46 portal postfix/dnsblog[18803]: warning: dnsblog_query:
        > lookup error for DNS query 7.39.158.213.zen.spamhaus.org: Host or
        > domain name not found. Name service error for
        > name=7.39.158.213.zen.spamhaus.org type=A: Host not found, try again
        >
        > # host 7.39.158.213.zen.spamhaus.org 8.8.4.4
        > Using domain server:
        > Name: 8.8.4.4
        > Address: 8.8.4.4#53
        > Aliases:
        >
        > 7.39.158.213.zen.spamhaus.org has address 127.0.0.4
        > Host 7.39.158.213.zen.spamhaus.org not found: 3(NXDOMAIN)
        > Host 7.39.158.213.zen.spamhaus.org not found: 3(NXDOMAIN)
        >
        > It seems like it may always been an issue with spamhaus. Perhaps I
        > have that configuration wrong? dnsblog seems to do fine with
        > barracuda:
        >
        > Nov  1 08:54:51 portal postfix/dnsblog[19203]: addr 85.59.175.220
        > listed by domain b.barracudacentral.org as 127.0.0.2
        >
        >
        > Thanks again,
        > Alex

        For what it's worth, I've been seeing the same problem on my Mac server; that is, zen.spamhaus.org not resolving.



        --



        # Han
      • Stan Hoeppner
        ... He may not be allowed to from his own resolvers either, possibly causing this problem. Alex at one time you had a Spamhaus datafeed subscription. Some
        Message 3 of 14 , Nov 1, 2012
        • 0 Attachment
          On 11/1/2012 8:08 AM, Ralf Hildebrandt wrote:

          > You cannot query the ZEN list via the Google Servers...

          He may not be allowed to from his own resolvers either, possibly causing
          this problem. Alex at one time you had a Spamhaus datafeed
          subscription. Some time ago your load had dropped below the daily limit
          and stayed there. You dropped the subscription thinking you could use
          the free service again, even though you are providing commercial service
          with your boxen, which requires the subscription. Spamhaus are not
          fools. Did they cut you off?

          Alex, have you renewed your subscription? If not you probably need to
          speak with Spamhaus, as these problems are likely related. They have
          nothing to do with Postfix.

          Worth noting, from my local resolver:

          $ host 23.49.18.189.zen.spamhaus.org
          23.49.18.189.zen.spamhaus.org has address 127.0.0.11
          23.49.18.189.zen.spamhaus.org has address 127.0.0.4

          ~$ host 7.39.158.213.zen.spamhaus.org
          7.39.158.213.zen.spamhaus.org has address 127.0.0.4

          --
          Stan
        • Alex
          Hi, ... Ah, yes, of course. ... Yes, it s been renewed, but this host may not be recorded in their database. It doesn t even receive all that much mail, and
          Message 4 of 14 , Nov 1, 2012
          • 0 Attachment
            Hi,

            >> You cannot query the ZEN list via the Google Servers...

            Ah, yes, of course.

            > He may not be allowed to from his own resolvers either, possibly causing
            > this problem. Alex at one time you had a Spamhaus datafeed
            > subscription. Some time ago your load had dropped below the daily limit

            Yes, it's been renewed, but this host may not be recorded in their
            database. It doesn't even receive all that much mail, and otherwise
            has no association with the company. Anyway, they've given us a
            special host to query. I'll add that and see if it helps. I believe
            this could also be a firewall/domain issue, but with the hurricane
            I've had to postpone the investigation for a day or two.

            Thanks so much for everyone's help.

            Regards,
            Alex
          • Jamie Paul Griffin
            / Han Boetes wrote on Thu 1.Nov 12 at 15:15:51 +0100 / ... I do have a name server running on my lan. I wouldn t set up a mailserver system without it. I have
            Message 5 of 14 , Nov 2, 2012
            • 0 Attachment
              / Han Boetes wrote on Thu 1.Nov'12 at 15:15:51 +0100 /

              > Consider setting up a caching nameserver like unbound on your server.
              > Having a local cache on a mailserver is good thing™

              I do have a name server running on my lan. I wouldn't set up a mailserver system without it. I have been doing that for quite some time now.
            • Reindl Harald
              ... the main question here is how your nameserver is configured recursion or just forward to any other dns-server if you do not make recursion at your own
              Message 6 of 14 , Nov 2, 2012
              • 0 Attachment
                Am 02.11.2012 08:38, schrieb Jamie Paul Griffin:
                > / Han Boetes wrote on Thu 1.Nov'12 at 15:15:51 +0100 /
                >
                >> Consider setting up a caching nameserver like unbound on your server.
                >> Having a local cache on a mailserver is good thing™
                >
                > I do have a name server running on my lan. I wouldn't set up a mailserver
                > system without it. I have been doing that for quite some time now

                the main question here is how your nameserver is configured
                recursion or just forward to any other dns-server

                if you do not make recursion at your own thats may be the reason
                because if your LAN dns is forwarding to 8.8.8.8 and more and
                more peole are doing this 8.8.8.8 will be more and more rate-controlled

                AND do NOT forward to any ISP-DNS
                they are all not trustable/relieable
              • Stan Hoeppner
                ... If you are running a local recursing resolver, such as pdns-recursor, on this host, then the IP of this host is relevant to Spamhaus. If this host does not
                Message 7 of 14 , Nov 2, 2012
                • 0 Attachment
                  On 11/1/2012 9:46 PM, Alex wrote:
                  > Hi,
                  >
                  >>> You cannot query the ZEN list via the Google Servers...
                  >
                  > Ah, yes, of course.
                  >
                  >> He may not be allowed to from his own resolvers either, possibly causing
                  >> this problem. Alex at one time you had a Spamhaus datafeed
                  >> subscription. Some time ago your load had dropped below the daily limit
                  >
                  > Yes, it's been renewed, but this host may not be recorded in their
                  > database.

                  If you are running a local recursing resolver, such as pdns-recursor, on
                  this host, then the IP of this host is relevant to Spamhaus.

                  If this host does not have a local recursing resolver, and is using
                  external resolvers, then the IPs of those external resolvers are
                  relevant to Spamhaus. I.e. it's the host that actually queries UDP 53
                  on Spamhaus systems that needs to be in their database.

                  > It doesn't even receive all that much mail, and otherwise
                  > has no association with the company. Anyway, they've given us a
                  > special host to query. I'll add that and see if it helps. I believe
                  > this could also be a firewall/domain issue, but with the hurricane
                  > I've had to postpone the investigation for a day or two.

                  The issue is likely that the configured DNS resolvers are public servers
                  that have been banned by Spamhaus in the past. As others have mentioned
                  there are many ISP type DNS resolvers that are not allowed to query
                  Spamhaus' servers.

                  Due to this, and DNS performance reasons in general, it is wise for
                  anyone wishing to query the free Spamhaus servers to install a local
                  recursing DNS daemon on the Postfix host itself. In the case of
                  pdns-recursor, which I use, the setup is brain dead simply, takes a few
                  minutes to install/configure. The benefits are substantial, and the
                  resources WRT CPU/RAM are tiny.

                  > Thanks so much for everyone's help.

                  You're welcome "Alex". ;) Apologies if I 'leaked' any details you may
                  not have wanted public, but since I'm maintaining your anonymity I
                  figured this would be fine.

                  --
                  Stan
                • Jamie Paul Griffin
                  / Reindl Harald wrote on Fri 2.Nov 12 at 11:57:15 +0100 / ... My named is set up for recursive queries from my localnetwork. I set up named using the
                  Message 8 of 14 , Nov 3, 2012
                  • 0 Attachment
                    / Reindl Harald wrote on Fri 2.Nov'12 at 11:57:15 +0100 /


                    > Am 02.11.2012 08:38, schrieb Jamie Paul Griffin:
                    > > / Han Boetes wrote on Thu 1.Nov'12 at 15:15:51 +0100 /

                    > > I do have a name server running on my lan. I wouldn't set up a mailserver
                    > > system without it. I have been doing that for quite some time now
                    >
                    > the main question here is how your nameserver is configured
                    > recursion or just forward to any other dns-server

                    My named is set up for recursive queries from my localnetwork. I set up named using the documentation provided by OpenBSD (my OS) and also FreeBSD

                    I don't forward any requests to extenal nameservers, as advised in the documentation I used for my OS.

                    > if you do not make recursion at your own thats may be the reason
                    > because if your LAN dns is forwarding to 8.8.8.8 and more and
                    > more peole are doing this 8.8.8.8 will be more and more rate-controlled
                    >
                    > AND do NOT forward to any ISP-DNS
                    > they are all not trustable/relieable

                    I agree with you there and certainly don't do that.
                  • Alex
                    Hi, ... If bind works okay, and any errors seem to be related to spamhaus itself, does it really warrant changing it to another name server? I read a little
                    Message 9 of 14 , Nov 10, 2012
                    • 0 Attachment
                      Hi,

                      > If you are running a local recursing resolver, such as pdns-recursor, on
                      > this host, then the IP of this host is relevant to Spamhaus.

                      If bind works okay, and any errors seem to be related to spamhaus
                      itself, does it really warrant changing it to another name server?

                      I read a little about it, and see they have an RPM. I have bind
                      configured to use the root servers, and it's running okay, so I don't
                      know that I need to change it.

                      > The issue is likely that the configured DNS resolvers are public servers
                      > that have been banned by Spamhaus in the past. As others have mentioned
                      > there are many ISP type DNS resolvers that are not allowed to query
                      > Spamhaus' servers.

                      Yes, I've changed postscreen to use the host given to me specifically,
                      and it seems to be working okay.

                      I should have mentioned that I was only using the public DNS servers
                      during testing, before I realized spamhaus had my server blocked.

                      >> Thanks so much for everyone's help.
                      >
                      > You're welcome "Alex". ;) Apologies if I 'leaked' any details you may
                      > not have wanted public, but since I'm maintaining your anonymity I
                      > figured this would be fine.

                      Nah, not worried. I think I'm a good judge of character :-)

                      Thanks again for your help. Nearly all of the last two weeks without
                      power, yet I managed to support my network remotely with hardly the
                      customers being impacted, and their users had absolutely no idea. I'd
                      say this old sysadmin did pretty darn good :-)
                    • Stan Hoeppner
                      ... Your bind setup should be fine. There s probably no need to change anything. ... To be clear, Spamhaus only blocks queries from DNS resolvers. So you re
                      Message 10 of 14 , Nov 11, 2012
                      • 0 Attachment
                        On 11/10/2012 7:32 PM, Alex wrote:

                        >> If you are running a local recursing resolver, such as pdns-recursor, on
                        >> this host, then the IP of this host is relevant to Spamhaus.
                        >
                        > If bind works okay, and any errors seem to be related to spamhaus
                        > itself, does it really warrant changing it to another name server?
                        >
                        > I read a little about it, and see they have an RPM. I have bind
                        > configured to use the root servers, and it's running okay, so I don't
                        > know that I need to change it.

                        Your bind setup should be fine. There's probably no need to change
                        anything.

                        >> The issue is likely that the configured DNS resolvers are public servers
                        >> that have been banned by Spamhaus in the past. As others have mentioned
                        >> there are many ISP type DNS resolvers that are not allowed to query
                        >> Spamhaus' servers.
                        >
                        > Yes, I've changed postscreen to use the host given to me specifically,
                        > and it seems to be working okay.
                        >
                        > I should have mentioned that I was only using the public DNS servers
                        > during testing, before I realized spamhaus had my server blocked.

                        To be clear, Spamhaus only blocks queries from DNS resolvers. So you're
                        saying your bind server was being blocked? Or you were using AT&T or
                        Quest resolvers, for example?

                        >>> Thanks so much for everyone's help.
                        >>
                        >> You're welcome "Alex". ;) Apologies if I 'leaked' any details you may
                        >> not have wanted public, but since I'm maintaining your anonymity I
                        >> figured this would be fine.
                        >
                        > Nah, not worried. I think I'm a good judge of character :-)

                        :)

                        > Thanks again for your help. Nearly all of the last two weeks without
                        > power, yet I managed to support my network remotely with hardly the
                        > customers being impacted, and their users had absolutely no idea. I'd
                        > say this old sysadmin did pretty darn good :-)

                        Indeed.

                        --
                        Stan
                      Your message has been successfully submitted and would be delivered to recipients shortly.