[Sysadmins] DNS issues

Alan Doherty alan at alandoherty.net
Fri Mar 28 15:01:49 GMT 2014


At 12:00 28/03/2014  Friday, you wrote:
>Date: Thu, 27 Mar 2014 14:59:48 +0000
>From: Harry Duncan <usr.src.linux at gmail.com>
>
>Message-ID:
>        <CAHAPYVC+jAJj-q64izLVFOQogZLOf-dSLZzXhkE_bwa8eMTEbg at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Been seeing a lot of DNS lookup errors in my mailserver logs for valid .ie
>domains, and some .coms
>
>Mailserver was slaved off "Irish Broadband" DNS servers at the data center,

should be running its own or slaved off datacentre/ip providers non-desktop* resolvers 

>which I changed to Google open access DNS,

bad bad idea on a mailserver to use an open resolver**

> and the problem has largely disappeared.

that one has others may just not be evident

>Been monitoring it, and got a repeat of the error for a single .ie that was
>sending in mail.

did you check that .ie for whether it was the cause of the issue?
(could you offer it for us to cast an eye over)

>Also noticed this week that the IEDR has been slower than usual on
>actioning requests, could be totally unreleated.
>
>Anybody else noticing DNS oddness lately?

always oddness somewhere in my logs but no increase that i've seen



* desktop resolvers vs non-desktop resolvers
many modern consumer isps offer 2 classes of dns resolvers
(for the server class dns servers you usually have to dig deep)
the default designed to use with desktops which can/will lie 
(eg lookup www.not-a-chance-does-this-exist.com and you get a lie of xx.xx.xx.xx that is their search/site-not-found page, or lookup www.malware-infested.com and equally get lied to to end up on their warning site)
these are useful to desktop browsers.
but are massively disruptive if mis configured mail servers use them as every check of does some-stupid-domain.com passes (as every domain has an A for the 'does domain have either an A of MX' check) 
also dnsbl responses always return an erroneous positive as their returned nxdomain always gets forged into am A record response

** open dns should never be used with an mta
as most rbls (an arguably important tool in most mailservers/spamassasin/etc) will either not work or fail for many open dns servers
as open dns servers regularly exceed the free usage capping that those dnsbl providers run
(as illustrated by most ppl being unable to use zen.spamhaus.org via google in the past, though recently it does seem better) 




More information about the Sysadmins mailing list