On Wed, 2015-05-13 at 13:49 -0400, Kris Deugau wrote:
> Chris wrote:
> > Not upset about the 'noise', to my untrained eye it looks to me as if
> > the lookups are failing:
> > 
> > chris@localhost:/var/log$ grep 'connection refused' /var/log/syslog|grep sorbs|awk '{ print $10; }'|sort|uniq -c
> >       1 '11.1.4.96.dnsbl.sorbs.net/A/IN':
> >       1 '114.210.57.173.dnsbl.sorbs.net/A/IN':
> >       1 '139.207.161.25.dnsbl.sorbs.net/A/IN':
> >       1 '183.163.46.207.dnsbl.sorbs.net/A/IN':
> >       1 '54.139.130.12.dnsbl.sorbs.net/A/IN':
> >       2 'aftershock.sorbs.net/A/IN':
> >       2 'cannonball.sorbs.net/A/IN':
> >       2 'ns0.sorbs.net/A/IN':
> >       1 'ns2.sorbs.net/AAAA/IN':
> >       3 'ns2.sorbs.net/A/IN':
> >       1 'ns4.sorbs.net/AAAA/IN':
> >       3 'ns4.sorbs.net/A/IN':
> > 
> > The above is just from today's syslog starting at 7:40 this morning.
> 
> Try print $11 in the awk (this prints the 11th "field" or non-whitespace
> chunk);  that should show the failing server IP instead of the lookup.
> Your log seems to have another non-whitespace blob somewhere earlier in
> the line compared to mine, where the remote server IP is the 10th field:
> 
> May 13 07:52:57 hex named[3790]: connection refused resolving '130.102.149.83.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
> 
> Also try doing the lookups that appear to fail with dig or host, and see
> if the actual client lookup succeeds or fails;  just because one
> nameserver for a zone refused the connection doesn't mean the actual
> lookup failed.
> 
> I tried the first 5 above plus a couple more from my own log, and all
> returned NXDOMAIN - except one lookup took a few seconds to return, so
> it probably hit one of those nameservers that's not accepting connections.
> 
> > I really don't want to suppress the syslog entries nor do I not want to
> > query SORBS, I would just like to figure out why the connection is
> > refused.
> 
> The particular nameservers refusing connections are either failed or
> overloaded.  A big DNSBL like SORBS has many nameservers, and it's
> likely that each entry from eg "dig dnsbl.sorbs.net ns" is a cluster of
> machines.
> 
> -kgd

I'll answer several questions in this post hopefully.
First, the line in my resolv.conf file, search PK5001Z, pertains to my
Zyxel PK5001Z modem, so as a test I've commented out that line in
my /etc/resolv.conf and ran sudo resolvconf -u. If it makes a difference
I'll make the appropriate changes elsewhere to make it permanent. 

As far as running something other than Bind, I'd run it for many years
on my old Mandriva box before it crashed. Once I got it up and running
(with some help from the Bind users list) I never had one single
problem. 

chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep sorbs|awk '{ print $11; }'|sort|uniq -c
      2 113.52.8.150#53
      8 174.36.198.233#53
     14 174.36.235.174#53
      9 67.228.187.34#53

Again, to my untrained eye this shows less info than using $10 in the
awk statement.

A spam came through a bit ago and this was in the SA markup:

0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [70.197.75.74 listed in dnsbl.sorbs.net]

Looking back at my spam folder this was the markup on a spam that came
in earlier today before I made the change to my resolv.conf and
commented out the 'search' line:

0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [70.197.79.50 listed in dnsbl.sorbs.net]

The output as shown in my syslog is attached which shows 

named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53

Am I screwed up in the head here and it's working as shown in the markup
above or are the queries to SORBS not working and I need to fix
something?

Chris 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
14:46:02 up 2 days, 8:55, 3 users, load average: 0.06, 0.21, 0.22
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar
31 02:07:04 UTC 2015
May 13 13:41:52 localhost spamd[7746]: spamd: connection from ip6-localhost [::1]:32843 to port 783, fd 6
May 13 13:41:52 localhost spamd[7746]: spamd: setuid to chris succeeded
May 13 13:41:52 localhost spamd[7746]: spamd: processing message <d6.e0.17575.18a93...@mx02.agate.dfw.synacor.com> for chris:1000
May 13 13:41:52 localhost clamd[1975]: Accepted connection from 127.0.0.1 on port 1764, fd 13
May 13 13:41:52 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:42:02 localhost spamd[7746]: spamd: identified spam (25.8/5.0) for chris:1000 in 9.7 seconds, 21097 bytes.
May 13 13:42:02 localhost spamd[7746]: spamd: result: Y 25 - ANY_BOUNCE_MESSAGE,AWL,BAYES_99,BAYES_999,BODY_URI_ONLY,BOTNET,BOUNCE_MESSAGE,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_HEADERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_NONE,RELAYED_BY_DIALUP,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=9.7,size=21097,user=chris,uid=1000,required_score=5.0,rhost=ip6-localhost,raddr=::1,rport=32843,mid=<d6.e0.17575.18a93...@mx02.agate.dfw.synacor.com>,bayes=1.000000,autolearn=disabled
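
Added example, not part of the original messages: a version of the grep/awk summary used in this thread that does not depend on awk field numbers. It extracts the refusing server and the query name from each named line by pattern and, for names under the given zone, reverses the octets back to the client IP so the entry can be matched against the SpamAssassin markup. The log lines are constructed samples, and `sample_log` and `refused_summary` are hypothetical names.

```shell
#!/bin/sh
# Summarise named "connection refused" lines for a DNSBL zone by pattern,
# not by awk field number, so both log layouts seen in the thread parse alike.

# Constructed sample input modelled on the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
May 13 07:52:57 hex named[3790]: connection refused resolving '130.102.149.83.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:41:52 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 13:45:10 localhost named[1091]: error (connection refused) resolving 'ns2.sorbs.net/AAAA/IN': 67.228.187.34#53
May 13 13:46:00 localhost spamd[7746]: spamd: setuid to chris succeeded
EOF
}

# refused_summary ZONE (hypothetical helper): syslog on stdin; prints
# "<refusing server> <checked client IP or -> <query name>" per matching line.
refused_summary() {
    awk -v zone="$1" -v q="'" '
    /named\[[0-9]+\]:/ && /connection refused/ && /resolving/ {
        # Locate the quoted query and the server after it, wherever they fall.
        re = q "[^" q "]+" q ": [0-9a-fA-F.:]+#[0-9]+"
        if (!match($0, re)) next
        split(substr($0, RSTART, RLENGTH), part, q)
        qname = part[2]; sub(/\/.*/, "", qname)            # drop "/A/IN"
        server = part[3]; sub(/^: /, "", server); sub(/#[0-9]+$/, "", server)
        ip = "-"
        suffix = "." zone
        n = length(qname) - length(suffix)
        # A DNSBL query is the checked IPv4 address, octets reversed, plus the zone.
        if (n > 0 && substr(qname, n + 1) == suffix &&
            split(substr(qname, 1, n), o, ".") == 4)
            ip = o[4] "." o[3] "." o[2] "." o[1]
        print server, ip, qname
    }'
}

# Per-line summary for the sample, counted the same way as in the thread.
sample_log | refused_summary dnsbl.sorbs.net | sort | uniq -c
```

To run it on a real log, feed the file on stdin, for example `refused_summary dnsbl.sorbs.net < /var/log/syslog`.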
