On Wed, 2015-05-13 at 18:59 -0400, Kris Deugau wrote:
> Chris wrote:
>
> > I'll answer several questions in this post hopefully.
> > First, the line in my resolv.conf fire search PK5001Z, pertains to my
> > Zyxel PK5001Z modem, so as a test I've commented out that line in
> > my /etc/resolv.conf and ran sudo resolvconf -u. If it makes a difference
> > I'll make the appropriate changes elsewhere to make it permanent.
>
> I'm mildly allergic to resolvconf as it seems to Do The Wrong Thing any
> time I've let it have its way. Otherwise your DNS cache appears to be
> set up correctly.
>
> The search line is a red herring since it's only used, as David Jones
> pointed out, on lookups with a tool like host or dig where you've just
> specified a host part.
>
> > As far as running something other than Bind, I'd run it for many years
> > on my old Mandriva box before it crashed. Once I got it up and running
> > (with some help from the Bind users list) I never had one single
> > problem.
>
> *nod* I continue to use it on my own server and as a LAN cache because
> I'm familiar with it and its minor warts don't cause issue. (And one
> arguable misfeature makes certain parts of managing my own LAN DNS a
> little simpler.) About all switching would do is give you minor
> headaches learning the new configuration, and probably fresh new
> confusing log entries.
>
> > chris@localhost:~$ grep 'connection refused' /var/log/syslog.1|grep
> > sorbs|awk '{ print $11; }'|sort|uniq -c
> > 2 113.52.8.150#53
> > 8 174.36.198.233#53
> > 14 174.36.235.174#53
> > 9 67.228.187.34#53
> >
> > Again, to my untrained eye this shows less info than using $10 in the
> > awk statement.
>
> From your logs, $10 (the tenth blob of non-whitespace) is the lookup
> that was attempted. $11 is the remote server your cache tried first and
> got refused by.
>
> That looks like essentially the same list as I found, so it looks like
> SORBS has a number of bad servers. I checked the list of nameservers
> returned by "host -t ns dnsbl.sorbs.net", and I find it curious that
> only the first one seems to actually be in that list, but given the
> scale they're operating on I can imagine several reasons an apparently
> uninvolved IP would be responding for their DNSBL subzone.
>
> There's nothing on your end to do other than fiddle with logging to hide
> the noise; so long as what you're looking up in DNS can be found on
> another server, your "client" lookups (either by hand with host, dig,
> etc or by eg SpamAssassin) will succeed.
>
> > A spam came through a bit ago and this was in the SA markup:
> >
> > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> > address
> > [70.197.75.74 listed in dnsbl.sorbs.net]
>
> score RCVD_IN_SORBS_DUL 0 0.001 0 0.001
>
> This is an advisory rule, mainly used in meta rules.
>
> > Looking back at my spam folder this was the markup on a spam that came
> > in earlier today before I made the change to my resolv.conf and
> > commented out the 'search' line:
> >
> > 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> > address
> > [70.197.79.50 listed in dnsbl.sorbs.net]
> >
> > The output as shown in my syslog is attached which shows
> >
> > named[1091]: error (connection refused) resolving
> > '50.79.197.70.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
>
> Your BIND cache tried to look up "50.79.197.70.dnsbl.sorbs.net" from
> 174.36.235.174, but was refused, so it tried another nameserver and got
> a response (I get 127.0.0.10 as of writing).
>
> It's not so great that one or more of their nameservers is refusing
> queries, but their DNSBL data is served from 13 or more logical servers
> as listed by "host -t ns dnsbl.sorbs.net", and it's likely there's more
> than one physical machine for each of those NS listings.
>
> It's only a problem when a zone only *has* one listed nameserver, or
> *all* of the nameservers refuse queries. In that case you can't get an
> answer, but otherwise your cache (of any flavour) should walk the list
> of nameservers until it gets a response of some kind.
>
> > Am I screwed up in the head here and it's working as shown in the markup
> > above or is the queries to SORBS not working and I need to fix
> > something?
>
> The problem is with a couple of SORBS nameservers, your cache is just
> reporting the problem before retrying the query with another one from
> the list. SpamAssassin (or any other client doing a DNS lookup) doesn't
> know and doesn't care.
>
> What you're seeing logged by BIND is a transient failure that only slows
> down lookups in dnsbl.sorbs.net.
>
> -kgd
>
I understand now Kris, I guess I've been going on about nothing
basically as like you said if the reply from one server fails it tries
another and so on. I don't mind the logging to syslog and I guess I
should have realized awhile back that not every query in every message
fails but it just didn't hit me that way. I guess this happens when you
get old, little things tend to bother you.
Thanks again
Chris
--
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
19:32:07 up 1:23, 1 user, load average: 0.12, 0.18, 0.19
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar
31 02:07:04 UTC 2015
