Is anyone else having name service errors with barracudacentral.org?

deoren
Hi all,

On March 21st I noticed these entries in my mail log and I'm not able to
pinpoint the source of the trouble:

warning: x.x.x.x.b.barracudacentral.org: RBL lookup error: Host or
domain name not found. Name service error for
name=x.x.x.x.b.barracudacentral.org type=A: Host not found, try again

By that point I hadn't made any changes to the Postfix config in several
weeks (looked back through old mail logs and the entries were not there)
and Postfix had been restarted several times since then. Knowing that I
had to register the nameservers that my box uses through their website,
I looked back over their "How to Use" guide here:

   http://www.barracudacentral.org/rbl/how-to-use

and found that they offer an easy test to make sure that DNS resolution
is working properly:

Command: host 2.0.0.127.b.barracudacentral.org
  Result: 2.0.0.127.b.barracudacentral.org has address 127.0.0.2

I get the proper results, the zen.spamhaus.org entry I have is working
fine and I've seen no DNS resolution errors in the logs for other
daemons I run on the box so I'm somewhat at a loss. I also have no other
nameserver entries on my box aside from the two entries that are already
registered with barracudacentral.org.

Is there anything obvious I can check?

Thank you for your time.

Re: Is anyone else having name service errors with barracudacentral.org?

Viktor Dukhovni
On Wed, Mar 26, 2014 at 08:57:54AM -0500, deoren wrote:

> On March 21st I noticed these entries in my mail log and I'm not able to
> pinpoint the source of the trouble:
>
> warning: x.x.x.x.b.barracudacentral.org: RBL lookup error: Host or domain
> name not found. Name service error for name=x.x.x.x.b.barracudacentral.org
> type=A: Host not found, try again

Your nameserver logs from that time may shed more light on the reason,
but RBLs are sometimes unavailable due to DDoS, and routing problems can
happen due to bad BGP data, ...  that was then and this is now.  The
fact that it works now just means that the transient problem is gone.

> Is there anything obvious I can check?

log entries from your recursive resolver on whichever machine it
resides on (ideally local to the MTA host).

--
        Viktor.

Re: Is anyone else having name service errors with barracudacentral.org?

Stan Hoeppner
On 3/26/2014 10:46 AM, Viktor Dukhovni wrote:

> On Wed, Mar 26, 2014 at 08:57:54AM -0500, deoren wrote:
>
>> On March 21st I noticed these entries in my mail log and I'm not able to
>> pinpoint the source of the trouble:
>>
>> warning: x.x.x.x.b.barracudacentral.org: RBL lookup error: Host or domain
>> name not found. Name service error for name=x.x.x.x.b.barracudacentral.org
>> type=A: Host not found, try again
>
> Your nameserver logs from that time may shed more light on the reason,
> but RBLs are sometimes unavailable due to DDoS, and routing problems can
> happen due to bad BGP data, ...  that was then and this is now.  The
> fact that it works now just means that the transient problem is gone.
>
>> Is there anything obvious I can check?
>
> log entries from your recursive resolver on whichever machine it
> resides on (ideally local to the MTA host).

Note these are common with BRBL.  I got a few the very day I added it to
my Postfix config years ago.  I show the following recent resolution
errors for BRBL, the last three trimmed to save space:

Mar 25 15:25:31 greer postfix/smtpd[12892]: warning:
58.0.53.80.b.barracudacentral.org: RBL lookup error: Host or domain name
not found. Name service error for name=58.0.53.80.b.barracudacentral.org
type=A: Host not found, try again

Mar 21 08:05:25 greer postfix/smtpd[28711]: warning:
70.233.116.74.b.barracudacentral.org: RBL lookup error: Host or domain

Mar 21 11:07:38 greer postfix/smtpd[29257]: warning:
70.233.116.74.b.barracudacentral.org: RBL lookup error: Host or domain

Mar  6 05:19:00 greer postfix/smtpd[26724]: warning:
173.197.89.23.b.barracudacentral.org: RBL lookup error: Host or domain

I use powerdns recursor locally on my MX.  It is designed for, targeted
at, extremely high volume query loads, e.g. ISP environments, thus
logging such failures would be useless due to the sheer volume.  Think
web pages containing multiple broken/dead links, then multiply times
millions of page loads per day.

Cheers,

Stan
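
Added example, not part of any post in this thread: a small Python scan of a Postfix mail log for the warnings quoted above, grouped by DNSBL zone and day so a one-off outage can be told apart from a failure that keeps recurring. The log lines are constructed samples using documentation addresses and a hypothetical host name `mx1`; the function names are likewise illustrative.

```python
import re

# Postfix smtpd warning format as quoted in this thread (one syslog line each).
RBL_ERROR = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<rev>\d+\.\d+\.\d+\.\d+)\.(?P<zone>\S+): RBL lookup error: "
    r".*?: (?P<reason>[^:]+)$"
)

# Constructed sample log: documentation addresses, hypothetical host "mx1".
_T = ("{ts} mx1 postfix/smtpd[{pid}]: warning: {q}: RBL lookup error: Host or "
      "domain name not found. Name service error for name={q} type=A: "
      "Host not found, try again")
SAMPLE_LOG = "\n".join([
    _T.format(ts="Mar  6 05:19:00", pid=26724, q="23.100.51.198.b.barracudacentral.org"),
    _T.format(ts="Mar 21 08:05:25", pid=28711, q="10.2.0.192.b.barracudacentral.org"),
    _T.format(ts="Mar 21 11:07:38", pid=29257, q="10.2.0.192.b.barracudacentral.org"),
    "Mar 25 15:25:30 mx1 postfix/smtpd[12892]: connect from unknown[203.0.113.7]",
    _T.format(ts="Mar 25 15:25:31", pid=12892, q="7.113.0.203.b.barracudacentral.org"),
])

def parse_rbl_errors(log_text):
    """Return one dict per RBL lookup warning; client octets are un-reversed."""
    events = []
    for line in log_text.splitlines():
        m = RBL_ERROR.match(line)
        if m:
            events.append({
                "day": " ".join(m["day"].split()),  # "Mar  6" -> "Mar 6"
                "zone": m["zone"],
                "client": ".".join(reversed(m["rev"].split("."))),
                # "try again" is a temporary resolver failure, not "not listed".
                "temporary": "try again" in m["reason"],
            })
    return events

def summarize(events):
    """Per zone: error count, distinct days in log order, distinct clients."""
    out = {}
    for e in events:
        z = out.setdefault(e["zone"], {"count": 0, "days": [], "clients": set()})
        z["count"] += 1
        if e["day"] not in z["days"]:
            z["days"].append(e["day"])
        z["clients"].add(e["client"])
    return out

if __name__ == "__main__":
    print(summarize(parse_rbl_errors(SAMPLE_LOG)))
```

Errors for a single zone that recur on many separate days, while other zones resolve cleanly through the same resolver, point at that zone or the path to it rather than at the local Postfix configuration.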

Re: Is anyone else having name service errors with barracudacentral.org?

deoren
In reply to this post by Viktor Dukhovni


On 2014-03-26 10:46, Viktor Dukhovni wrote:

> On Wed, Mar 26, 2014 at 08:57:54AM -0500, deoren wrote:
>
>> On March 21st I noticed these entries in my mail log and I'm not able to
>> pinpoint the source of the trouble:
>>
>> warning: x.x.x.x.b.barracudacentral.org: RBL lookup error: Host or domain
>> name not found. Name service error for name=x.x.x.x.b.barracudacentral.org
>> type=A: Host not found, try again
>
> Your nameserver logs from that time may shed more light on the reason,
> but RBLs are sometimes unavailable due to DDoS, and routing problems can
> happen due to bad BGP data, ...  that was then and this is now.  The
> fact that it works now just means that the transient problem is gone.

Sorry, I did a poor job of communicating that the error started then and
is ongoing. I checked a moment ago and see a fresh entry.

>
>> Is there anything obvious I can check?
>
> log entries from your recursive resolver on whichever machine it
> resides on (ideally local to the MTA host).

In my ignorance I haven't configured recursive resolvers on my mail
servers, but am instead using hosting provider nameservers (which I
registered with barracudacentral.org). I'll research what it takes to
run a local recursive nameserver.

Re: Is anyone else having name service errors with barracudacentral.org?

deoren
In reply to this post by Stan Hoeppner
On 2014-03-26 11:53, Stan Hoeppner wrote:

>
> Note these are common with BRBL.  I got a few the very day I added it to
> my Postfix config years ago.  I show the following recent resolution
> errors for BRBL, the last three trimmed to save space:
>
> Mar 25 15:25:31 greer postfix/smtpd[12892]: warning:
> 58.0.53.80.b.barracudacentral.org: RBL lookup error: Host or domain name
> not found. Name service error for name=58.0.53.80.b.barracudacentral.org
> type=A: Host not found, try again
>
> Mar 21 08:05:25 greer postfix/smtpd[28711]: warning:
> 70.233.116.74.b.barracudacentral.org: RBL lookup error: Host or domain
>
> Mar 21 11:07:38 greer postfix/smtpd[29257]: warning:
> 70.233.116.74.b.barracudacentral.org: RBL lookup error: Host or domain
>
> Mar  6 05:19:00 greer postfix/smtpd[26724]: warning:
> 173.197.89.23.b.barracudacentral.org: RBL lookup error: Host or domain
>
> I use powerdns recursor locally on my MX.  It is designed for, targeted
> at, extremely high volume query loads, e.g. ISP environments, thus
> logging such failures would be useless due to the sheer volume.  Think
> web pages containing multiple broken/dead links, then multiply times
> millions of page loads per day.

Thanks for the recommendation and thanks also for confirming that it
seems to be a widespread thing. I'll look into powerdns recursor
requirements and give it a spin.

Re: Is anyone else having name service errors with barracudacentral.org?

Viktor Dukhovni
On Wed, Mar 26, 2014 at 12:16:50PM -0500, deoren wrote:

> >I use powerdns recursor locally on my MX.  It is designed for, targeted
> >at, extremely high volume query loads, e.g. ISP environments, thus
> >logging such failures would be useless due to the sheer volume.  Think
> >web pages containing multiple broken/dead links, then multiply times
> >millions of page loads per day.
>
> Thanks for the recommendation and thanks also for confirming that it seems
> to be a widespread thing. I'll look into powerdns recursor requirements and
> give it a spin.

You probably don't need a particularly exotic recursive nameserver.
Ones that are optimized for performance, may not be optimized for
security.  If you want something other than BIND consider "unbound".

--
        Viktor.

Re: Is anyone else having name service errors with barracudacentral.org?

DTNX Postmaster
On 26 Mar 2014, at 19:06, Viktor Dukhovni wrote:

> On Wed, Mar 26, 2014 at 12:16:50PM -0500, deoren wrote:
>
>>> I use powerdns recursor locally on my MX.  It is designed for, targeted
>>> at, extremely high volume query loads, e.g. ISP environments, thus
>>> logging such failures would be useless due to the sheer volume.  Think
>>> web pages containing multiple broken/dead links, then multiply times
>>> millions of page loads per day.
>>
>> Thanks for the recommendation and thanks also for confirming that it seems
>> to be a widespread thing. I'll look into powerdns recursor requirements and
>> give it a spin.
>
> You probably don't need a particularly exotic recursive nameserver.
> Ones that are optimized for performance, may not be optimized for
> security.  If you want something other than BIND consider "unbound".

Also, if it does not need to serve network clients, you can bind it to
localhost only.

We use BIND as a local stub resolver on our relay servers, which
intercepts requests to our local rbldnsd, and forwards everything else
to our set of Unbound recursors elsewhere on the network.

Verify that it starts before everything else that is dependent on DNS,
on boot, so it's up when Postfix starts.

Mvg,
Joni