Chris wrote:
> I'll answer several questions in this post hopefully.
> First, the line in my resolv.conf fire search PK5001Z, pertains to my
> Zyxel PK5001Z modem, so as a test I've commented out that line in
> my /etc/resolv.conf and ran sudo resolvconf -u. If it makes a difference
> I'll make the appropriate changes elsewhere to make it permanent.
I'm mildly allergic to resolvconf as it seems to Do The Wrong Thing any
time I've let it have its way. Otherwise your DNS cache appears to be
set up correctly.
The search line is a red herring since it's only used, as David Jones
pointed out, on lookups with a tool like host or dig where you've just
specified a host part.
> As far as running something other than Bind, I'd run it for many years
> on my old Mandriva box before it crashed. Once I got it up and running
> (with some help from the Bind users list) I never had one single
> problem.
*nod* I continue to use it on my own server and as a LAN cache because
I'm familiar with it and its minor warts don't cause issue. (And one
arguable misfeature makes certain parts of managing my own LAN DNS a
little simpler.) About all switching would do is give you minor
headaches learning the new configuration, and probably fresh new
confusing log entries.
> chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep
> sorbs|awk '{ print $11; }'|sort|uniq -c
> 2 113.52.8.150#53
> 8 174.36.198.233#53
> 14 174.36.235.174#53
> 9 67.228.187.34#53
>
> Again, to my untrained eye this shows less info than using $10 in the
> awk statement.
>From your logs, $10 (the tenth blob of non-whitespace) is the lookup
that was attempted. $11 is the remote server your cache tried first and
got refused by.
That looks like essentially the same list as I found, so it looks like
SORBS has a number of bad servers. I checked the list of nameservers
returned by "host -t ns dnsbl.sorbs.net", and I find it curious that
only the first one seems to actually be in that list, but given the
scale they're operating on I can imagine several reasons an apparently
uninvolved IP would be responding for their DNSBL subzone.
There's nothing on your end to do other than fiddle with logging to hide
the noise; so long as what you're looking up in DNS can be found on
another server, your "client" lookups (either by hand with host, dig,
etc or by eg SpamAssassin) will succeed.
> A spam came through a bit ago and this was in the SA markup:
>
> 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
> [70.197.75.74 listed in dnsbl.sorbs.net]
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001
This is an advisory rule, mainly used in meta rules.
> Looking back at my spam folder this was the markup on a spam that came
> in earlier today before I made the change to my resolv.conf and
> commented out the 'search' line:
>
> 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
> [70.197.79.50 listed in dnsbl.sorbs.net]
>
> The output as shown in my syslog is attached which shows
>
> named[1091]: error (connection refused) resolving
> '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
Your BIND cache tried to look up "50.79.197.70.dnsbl.sorbs.net" from
174.36.235.174, but was refused, so it tried another nameserver and got
a response (I get 127.0.0.10 as of writing).
It's not so great that one or more of their nameservers is refusing
queries, but their DNSBL data is served from 13 or more logical servers
as listed by "host -t ns dnsbl.sorbs.net", and it's likely there's more
than one physical machine for each of those NS listings.
It's only a problem when a zone only *has* one listed nameserver, or
*all* of the nameservers refuse queries. In that case you can't get an
answer, but otherwise your cache (of any flavour) should walk the list
of nameservers until it gets a response of some kind.
> Am I screwed up in the head here and it's working as shown in the markup
> above or is the queries to SORBS not working and I need to fix
> something?
The problem is with a couple of SORBS nameservers, your cache is just
reporting the problem before retrying the query with another one from
the list. SpamAssassin (or any other client doing a DNS lookup) doesn't
know and doesn't care.
What you're seeing logged by BIND is a transient failure that only slows
down lookups in dnsbl.sorbs.net.
-kgd
