Chris wrote: > I'll answer several questions in this post hopefully. > First, the line in my resolv.conf fire search PK5001Z, pertains to my > Zyxel PK5001Z modem, so as a test I've commented out that line in > my /etc/resolv.conf and ran sudo resolvconf -u. If it makes a difference > I'll make the appropriate changes elsewhere to make it permanent.
I'm mildly allergic to resolvconf as it seems to Do The Wrong Thing any time I've let it have its way. Otherwise your DNS cache appears to be set up correctly. The search line is a red herring since it's only used, as David Jones pointed out, on lookups with a tool like host or dig where you've just specified a host part. > As far as running something other than Bind, I'd run it for many years > on my old Mandriva box before it crashed. Once I got it up and running > (with some help from the Bind users list) I never had one single > problem. *nod* I continue to use it on my own server and as a LAN cache because I'm familiar with it and its minor warts don't cause issue. (And one arguable misfeature makes certain parts of managing my own LAN DNS a little simpler.) About all switching would do is give you minor headaches learning the new configuration, and probably fresh new confusing log entries. > chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep > sorbs|awk '{ print $11; }'|sort|uniq -c > 2 113.52.8.150#53 > 8 174.36.198.233#53 > 14 174.36.235.174#53 > 9 67.228.187.34#53 > > Again, to my untrained eye this shows less info than using $10 in the > awk statement. >From your logs, $10 (the tenth blob of non-whitespace) is the lookup that was attempted. $11 is the remote server your cache tried first and got refused by. That looks like essentially the same list as I found, so it looks like SORBS has a number of bad servers. I checked the list of nameservers returned by "host -t ns dnsbl.sorbs.net", and I find it curious that only the first one seems to actually be in that list, but given the scale they're operating on I can imagine several reasons an apparently uninvolved IP would be responding for their DNSBL subzone. There's nothing on your end to do other than fiddle with logging to hide the noise; so long as what you're looking up in DNS can be found on another server, your "client" lookups (either by hand with host, dig, etc or by eg SpamAssassin) will succeed. > A spam came through a bit ago and this was in the SA markup: > > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP > address > [70.197.75.74 listed in dnsbl.sorbs.net] score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 This is an advisory rule, mainly used in meta rules. > Looking back at my spam folder this was the markup on a spam that came > in earlier today before I made the change to my resolv.conf and > commented out the 'search' line: > > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP > address > [70.197.79.50 listed in dnsbl.sorbs.net] > > The output as shown in my syslog is attached which shows > > named[1091]: error (connection refused) resolving > '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53 Your BIND cache tried to look up "50.79.197.70.dnsbl.sorbs.net" from 174.36.235.174, but was refused, so it tried another nameserver and got a response (I get 127.0.0.10 as of writing). It's not so great that one or more of their nameservers is refusing queries, but their DNSBL data is served from 13 or more logical servers as listed by "host -t ns dnsbl.sorbs.net", and it's likely there's more than one physical machine for each of those NS listings. It's only a problem when a zone only *has* one listed nameserver, or *all* of the nameservers refuse queries. In that case you can't get an answer, but otherwise your cache (of any flavour) should walk the list of nameservers until it gets a response of some kind. > Am I screwed up in the head here and it's working as shown in the markup > above or is the queries to SORBS not working and I need to fix > something? The problem is with a couple of SORBS nameservers, your cache is just reporting the problem before retrying the query with another one from the list. SpamAssassin (or any other client doing a DNS lookup) doesn't know and doesn't care. What you're seeing logged by BIND is a transient failure that only slows down lookups in dnsbl.sorbs.net. -kgd