On Wed, 2015-05-13 at 18:59 -0400, Kris Deugau wrote:
> Chris wrote:
>
> > I'll answer several questions in this post hopefully.
> > First, the line in my resolv.conf file search PK5001Z, pertains to my
> > Zyxel PK5001Z modem, so as a test I've commented out that line in
> > my /etc/resolv.conf and ran sudo resolvconf -u. If it makes a difference
> > I'll make the appropriate changes elsewhere to make it permanent.
>
> I'm mildly allergic to resolvconf as it seems to Do The Wrong Thing any
> time I've let it have its way. Otherwise your DNS cache appears to be
> set up correctly.
>
> The search line is a red herring since it's only used, as David Jones
> pointed out, on lookups with a tool like host or dig where you've just
> specified a host part.
>
> > As far as running something other than Bind, I'd run it for many years
> > on my old Mandriva box before it crashed. Once I got it up and running
> > (with some help from the Bind users list) I never had one single
> > problem.
>
> *nod* I continue to use it on my own server and as a LAN cache because
> I'm familiar with it and its minor warts don't cause issue. (And one
> arguable misfeature makes certain parts of managing my own LAN DNS a
> little simpler.) About all switching would do is give you minor
> headaches learning the new configuration, and probably fresh new
> confusing log entries.
>
> > chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep sorbs|awk '{ print $11; }'|sort|uniq -c
> >       2 113.52.8.150#53
> >       8 174.36.198.233#53
> >      14 174.36.235.174#53
> >       9 67.228.187.34#53
> >
> > Again, to my untrained eye this shows less info than using $10 in the
> > awk statement.
>
> From your logs, $10 (the tenth blob of non-whitespace) is the lookup
> that was attempted. $11 is the remote server your cache tried first and
> got refused by.
>
> That looks like essentially the same list as I found, so it looks like
> SORBS has a number of bad servers.
> I checked the list of nameservers
> returned by "host -t ns dnsbl.sorbs.net", and I find it curious that
> only the first one seems to actually be in that list, but given the
> scale they're operating on I can imagine several reasons an apparently
> uninvolved IP would be responding for their DNSBL subzone.
>
> There's nothing on your end to do other than fiddle with logging to hide
> the noise; so long as what you're looking up in DNS can be found on
> another server, your "client" lookups (either by hand with host, dig,
> etc or by eg SpamAssassin) will succeed.
>
> > A spam came through a bit ago and this was in the SA markup:
> >
> > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
> > [70.197.75.74 listed in dnsbl.sorbs.net]
>
> score RCVD_IN_SORBS_DUL 0 0.001 0 0.001
>
> This is an advisory rule, mainly used in meta rules.
>
> > Looking back at my spam folder this was the markup on a spam that came
> > in earlier today before I made the change to my resolv.conf and
> > commented out the 'search' line:
> >
> > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
> > [70.197.79.50 listed in dnsbl.sorbs.net]
> >
> > The output as shown in my syslog is attached which shows
> >
> > named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
>
> Your BIND cache tried to look up "50.79.197.70.dnsbl.sorbs.net" from
> 174.36.235.174, but was refused, so it tried another nameserver and got
> a response (I get 127.0.0.10 as of writing).
>
> It's not so great that one or more of their nameservers is refusing
> queries, but their DNSBL data is served from 13 or more logical servers
> as listed by "host -t ns dnsbl.sorbs.net", and it's likely there's more
> than one physical machine for each of those NS listings.
>
> It's only a problem when a zone only *has* one listed nameserver, or
> *all* of the nameservers refuse queries.
> In that case you can't get an
> answer, but otherwise your cache (of any flavour) should walk the list
> of nameservers until it gets a response of some kind.
>
> > Am I screwed up in the head here and it's working as shown in the markup
> > above or is the queries to SORBS not working and I need to fix
> > something?
>
> The problem is with a couple of SORBS nameservers, your cache is just
> reporting the problem before retrying the query with another one from
> the list. SpamAssassin (or any other client doing a DNS lookup) doesn't
> know and doesn't care.
>
> What you're seeing logged by BIND is a transient failure that only slows
> down lookups in dnsbl.sorbs.net.
>
> -kgd
>

I understand now Kris, I guess I've been going on about nothing basically as like you said if the reply from one server fails it tries another and so on. I don't mind the logging to syslog and I guess I should have realized awhile back that not every query in every message fails but it just didn't hit me that way. I guess this happens when you get old, little things tend to bother you.

Thanks again
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
19:32:07 up 1:23, 1 user, load average: 0.12, 0.18, 0.19
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar 31 02:07:04 UTC 2015
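
The $10/$11 tally discussed in this thread, as an added example that is not part of either poster's message: it counts refusals per remote server and also lists which lookups were refused by several distinct servers, the case that matters if every server for a zone refuses. The function names, the sample log lines and the threshold argument are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in the syslog layout quoted in the thread; timestamps,
# host name and the two non-matching lines are made up for illustration.
sample_log() {
cat <<'EOF'
May 13 17:58:01 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 17:58:02 localhost named[1091]: error (connection refused) resolving '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.198.233#53
May 13 18:02:10 localhost named[1091]: error (connection refused) resolving '74.75.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
May 13 18:02:11 localhost named[1091]: error (network unreachable) resolving '74.75.197.70.dnsbl.sorbs.net/A/IN': 2001:db8::53#53
May 13 18:03:00 localhost sshd[222]: Connection closed by 192.0.2.7
EOF
}

# Refusals per remote server ($11), like the thread's grep|awk|sort|uniq -c,
# but matching only named's "connection refused" errors for sorbs lookups.
refused_by_server() {
    awk '/named\[[0-9]+\]: error \(connection refused\) resolving/ && $10 ~ /sorbs/ {
             n[$11]++
         }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Lookups ($10) refused by at least $1 distinct servers. A count close to the
# zone's whole server set is the case where the lookup itself may have failed.
queries_refused_by() {
    awk -v min="$1" -v sq="'" '
        /named\[[0-9]+\]: error \(connection refused\) resolving/ {
            q = $10
            gsub("^" sq "|" sq ":$", "", q)      # strip the quotes and trailing colon
            if (!((q, $11) in seen)) { seen[q, $11] = 1; servers[q]++ }
        }
        END { for (q in servers) if (servers[q] >= min) print servers[q], q }
    ' | sort -k2,2
}

# Real use: refused_by_server < /var/log/syslog.1
sample_log | refused_by_server
sample_log | queries_refused_by 2
```
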