On Wed, 2015-05-13 at 13:49 -0400, Kris Deugau wrote:
> Chris wrote:
> > Not upset about the 'noise', to my untrained eye it looks to me as if
> > the lookups are failing:
> >
> > chris@localhost:/var/log$ grep 'connection refused' /var/log/syslog|grep
> > sorbs|awk '{ print $10; }'|sort|uniq -c
> >       1 '11.1.4.96.dnsbl.sorbs.net/A/IN':
> >       1 '114.210.57.173.dnsbl.sorbs.net/A/IN':
> >       1 '139.207.161.25.dnsbl.sorbs.net/A/IN':
> >       1 '183.163.46.207.dnsbl.sorbs.net/A/IN':
> >       1 '54.139.130.12.dnsbl.sorbs.net/A/IN':
> >       2 'aftershock.sorbs.net/A/IN':
> >       2 'cannonball.sorbs.net/A/IN':
> >       2 'ns0.sorbs.net/A/IN':
> >       1 'ns2.sorbs.net/AAAA/IN':
> >       3 'ns2.sorbs.net/A/IN':
> >       1 'ns4.sorbs.net/AAAA/IN':
> >       3 'ns4.sorbs.net/A/IN':
> >
> > The above is just from today's syslog starting at 7:40 this morning.
>
> Try print $11 in the awk (this prints the 11th "field" or non-whitespace
> chunk); that should show the failing server IP instead of the lookup.
> Your log seems to have another non-whitespace blob somewhere earlier in
> the line compared to mine, where the remote server IP is the 10th field:
>
> May 13 07:52:57 hex named[3790]: connection refused resolving
> '130.102.149.83.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
>
> Also try doing the lookups that appear to fail with dig or host, and see
> if the actual client lookup succeeds or fails; just because one
> nameserver for a zone refused the connection doesn't mean the actual
> lookup failed.
>
> I tried the first 5 above plus a couple more from my own log, and all
> returned NXDOMAIN - except one lookup took a few seconds to return, so
> it probably hit one of those nameservers that's not accepting connections.
>
> > I really don't want to suppress the syslog entries nor do I not want to
> > query SORBS, I would just like to figure out why the connection is
> > refused.
>
> The particular nameservers refusing connections are either failed or
> overloaded. A big DNSBL like SORBS has many nameservers, and it's
> likely that each entry from eg "dig dnsbl.sorbs.net ns" is a cluster of
> machines.
>
> -kgd

I'll answer several questions in this post hopefully. First, the line in
my resolv.conf file, search PK5001Z, pertains to my Zyxel PK5001Z modem,
so as a test I've commented out that line in my /etc/resolv.conf and ran
sudo resolvconf -u. If it makes a difference I'll make the appropriate
changes elsewhere to make it permanent.

As far as running something other than Bind, I'd run it for many years
on my old Mandriva box before it crashed. Once I got it up and running
(with some help from the Bind users list) I never had one single
problem.

chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep sorbs|awk '{ print $11; }'|sort|uniq -c
      2 113.52.8.150#53
      8 174.36.198.233#53
     14 174.36.235.174#53
      9 67.228.187.34#53

Again, to my untrained eye this shows less info than using $10 in the
awk statement. A spam came through a bit ago and this was in the SA
markup:

 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
     [70.197.75.74 listed in dnsbl.sorbs.net]

Looking back at my spam folder this was the markup on a spam that came
in earlier today before I made the change to my resolv.conf and
commented out the 'search' line:

 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
     [70.197.79.50 listed in dnsbl.sorbs.net]

The output as shown in my syslog is attached which shows

named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53

Am I screwed up in the head here and it's working as shown in the markup
above or are the queries to SORBS not working and I need to fix
something?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
14:46:02 up 2 days, 8:55, 3 users, load average: 0.06, 0.21, 0.22
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar 31 02:07:04 UTC 2015

May 13 13:41:52 localhost spamd[7746]: spamd: connection from ip6-localhost [::1]:32843 to port 783, fd 6
May 13 13:41:52 localhost spamd[7746]: spamd: setuid to chris succeeded
May 13 13:41:52 localhost spamd[7746]: spamd: processing message <d6.e0.17575.18a93...@mx02.agate.dfw.synacor.com> for chris:1000
May 13 13:41:52 localhost clamd[1975]: Accepted connection from 127.0.0.1 on port 1764, fd 13
May 13 13:41:52 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:42:02 localhost spamd[7746]: spamd: identified spam (25.8/5.0) for chris:1000 in 9.7 seconds, 21097 bytes.
May 13 13:42:02 localhost spamd[7746]: spamd: result: Y 25 - ANY_BOUNCE_MESSAGE,AWL,BAYES_99,BAYES_999,BODY_URI_ONLY,BOTNET,BOUNCE_MESSAGE,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_HEADERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_NONE,RELAYED_BY_DIALUP,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=9.7,size=21097,user=chris,uid=1000,required_score=5.0,rhost=ip6-localhost,raddr=::1,rport=32843,mid=<d6.e0.17575.18a93...@mx02.agate.dfw.synacor.com>,bayes=1.000000,autolearn=disabled
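
Added example, not part of the original messages: the thread's awk field numbers ($10 vs $11) differ because the two named log layouts carry a different number of tokens before the query, so this sketch locates the query and server relative to the word "resolving" instead. The function names and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Sample input: the first two lines are quoted in the thread; the third is
# constructed from names that appear in it; the fourth is an unrelated line.
sample_log() {
cat <<'EOF'
May 13 07:52:57 hex named[3790]: connection refused resolving '130.102.149.83.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:41:52 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:41:55 localhost named[1091]: error (connection refused) resolving 'ns2.sorbs.net/AAAA/IN': 113.52.8.150#53
May 13 13:41:52 localhost clamd[1975]: Accepted connection from 127.0.0.1 on port 1764, fd 13
EOF
}

# Emit "server query" for each named "connection refused" line. The fields
# are located relative to the word "resolving", so an extra token such as
# "error" earlier in the line does not shift them.
refused_pairs() {
    awk -v sq="'" '
    / named\[[0-9]+\]: / && /connection refused/ {
        for (i = 1; i <= NF - 2; i++) {
            if ($i == "resolving") {
                q = $(i + 1); s = $(i + 2)
                gsub("^" sq "|" sq ":$", "", q)   # strip the quotes and colon
                print s, q
                break
            }
        }
    }'
}

# Refusal count per upstream nameserver, busiest first.
refused_by_server() {
    refused_pairs | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Only the DNSBL A queries (not lookups of the nameserver hostnames),
# reduced to bare names that can be re-checked by hand with dig or host.
refused_dnsbl_names() {
    refused_pairs |
        awk '$2 ~ /\.dnsbl\.sorbs\.net\/A\/IN$/ { sub(/\/A\/IN$/, "", $2); print $2 }' |
        LC_ALL=C sort -u
}

sample_log | refused_by_server
sample_log | refused_dnsbl_names
```

On a real system the functions read from the log instead, e.g. `refused_by_server < /var/log/syslog`; a name from the second function that still answers when queried by hand means the resolver got its answer from another nameserver in the zone.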