Question regarding DNSBL behaviour

Question regarding DNSBL behaviour

J Doe
Hello,

I have a question regarding DNSBL usage with the main.cf smtpd_client_restrictions parameter.

I have a server configured to check SpamHaus:

main.cf
        . . .
        smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
        . . .

This has been working very well, although I noticed the following error in my syslog:

Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again

I am wondering - in normal checks against SpamHaus, if a host is not listed and the result is NXDOMAIN, I am assuming that Postfix interprets that the host is “ok” and does not log any information.  In this case, though, it has logged the information and I am wondering if this is because Postfix was unable to contact SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?

Thanks,

- J


Re: Question regarding DNSBL behaviour

Noel Jones-2
On 9/10/2019 1:44 PM, J Doe wrote:

> Hello,
>
> I have a question regarding DNSBL usage with the main.cf smtpd_client_restrictions parameter.
>
> I have a server configured to check SpamHaus:
>
> main.cf
> . . .
> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
> . . .
>
> This has been working very well, although I noticed the following error in my syslog:
>
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again
>
> I am wondering - in normal checks against SpamHaus, if a host is not listed and the result is NXDOMAIN, I am assuming that Postfix interprets that the host is “ok” and does not log any information.  In this case, though, it has logged the information and I am wondering if this is because Postfix was unable to contact SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?
>
> Thanks,
>
> - J
>


Lookup error: means something didn't work; your DNS told postfix it
couldn't find spamhaus at all, but it was a temporary error so try
again.  Postfix will ignore the result.

If you get this rarely, it's nothing to worry about.  If it happens
often, there may be a problem with your DNS server or network
connection.



   -- Noel Jones
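
To tell "rarely" from "often" as described in the reply above, the warnings can be counted against smtpd connections. This is an added example, not part of the original thread or of Postfix; the `connect from` lines in the sample and the 5% threshold are constructed assumptions.

```python
import re
from collections import Counter

# The warning smtpd logs when a DNSBL query fails (format as quoted in the thread).
RBL_ERROR = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<qname>\S+): RBL lookup error: "
    r".*?type=\w+: (?P<reason>.+)$")
REVERSED_V4 = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.(.+)$")

def parse_rbl_error(line):
    """Return (client_ip, zone, reason) for an RBL lookup error line, else None."""
    m = RBL_ERROR.search(line)
    q = REVERSED_V4.match(m.group("qname")) if m else None
    if not q:
        return None
    d, c, b, a, zone = q.groups()  # the query name carries the octets reversed
    return f"{a}.{b}.{c}.{d}", zone, m.group("reason").strip()

def error_rate(lines):
    """Failed DNSBL lookups per smtpd connection, keyed by DNSBL zone."""
    connects = sum(1 for l in lines
                   if "postfix/smtpd[" in l and ": connect from " in l)
    errors = Counter(p[1] for p in map(parse_rbl_error, lines) if p)
    return {z: n / connects for z, n in errors.items()} if connects else {}

def zones_needing_attention(lines, threshold=0.05):
    """Zones whose failure rate exceeds the (assumed) threshold."""
    return sorted(z for z, r in error_rate(lines).items() if r > threshold)

# Sample input: the warning is the line from the thread; the connect lines
# are constructed for this example.
SAMPLE = [
    "Sep  7 16:13:08 server postfix/smtpd[28363]: connect from unknown[94.102.50.188]",
    "Sep  7 16:13:08 server postfix/smtpd[28363]: warning: "
    "188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name "
    "not found. Name service error for name=188.50.102.94.zen.spamhaus.org "
    "type=A: Host not found, try again",
    "Sep  7 16:20:41 server postfix/smtpd[28370]: connect from mail.example.net[192.0.2.10]",
    "Sep  7 16:31:02 server postfix/smtpd[28377]: connect from mail.example.org[192.0.2.25]",
    "Sep  7 16:45:19 server postfix/smtpd[28381]: connect from unknown[198.51.100.7]",
]

if __name__ == "__main__":
    print(parse_rbl_error(SAMPLE[1]))
    print(error_rate(SAMPLE), zones_needing_attention(SAMPLE))
```
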



Re: Question regarding DNSBL behaviour

J Doe
>> Hello,
>> I have a question regarding DNSBL usage with the main.cf smtpd_client_restrictions parameter.
>> I have a server configured to check SpamHaus:
>> main.cf
>> . . .
>> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>> . . .
>> This has been working very well, although I noticed the following error in my syslog:
>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again
>> I am wondering - in normal checks against SpamHaus, if a host is not listed and the result is NXDOMAIN, I am assuming that Postfix interprets that the host is “ok” and does not log any information.  In this case, though, it has logged the information and I am wondering if this is because Postfix was unable to contact SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?
>> Thanks,
>> - J
>
>
> Lookup error: means something didn't work; your DNS told postfix it couldn't find spamhaus at all, but it was a temporary error so try again.  Postfix will ignore the result.
>
> If you get this rarely, it's nothing to worry about.  If it happens often, there may be a problem with your DNS server or network connection.
>
>  -- Noel Jones

Hi Noel,

Thanks for your reply.  Ok, that’s what I was thinking - that it was a temporary DNS error for contacting SpamHaus, not SpamHaus saying that address was not listed.  Just wanted to double-check.

- J


Re: Question regarding DNSBL behaviour

Wietse Venema
In reply to this post by J Doe
J Doe:
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again
>
> I am wondering - in normal checks against SpamHaus, if a host is not listed and the result is NXDOMAIN, I am assuming that Postfix interprets that the host is “ok” and does not log any information.  In this case, though, it has logged the information and I am wondering if this is because Postfix was unable to contact SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?
>

This service is free for low-volume clients only. If you send your
Spamhaus queries through a shared DNS resolver (like an ISP), then
you may exceed their 'free service' limits. You may be better off
using your own DNS resolver.

        Wietse
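
The `=127.0.0.[2..11]` reply filter in the original configuration is what keeps an over-limit or shared-resolver response from being treated as a listing: Spamhaus answers such queries with 127.255.255.x error codes rather than NXDOMAIN. The following is an added example, not part of the thread and not Postfix source; it models the bare zone beside the filtered one, and the outcome labels and function names are hypothetical.

```python
import re

# Error replies Spamhaus documents for queries it will not answer (not listings).
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def octet_matches(pattern, value):
    """Match one octet against 'N' or a '[a;b..c]' list/range pattern."""
    if pattern.startswith("["):
        for part in pattern[1:-1].split(";"):
            lo, _, hi = part.partition("..")
            if int(lo) <= value <= int(hi or lo):
                return True
        return False
    return int(pattern) == value

def reply_matches(reply_filter, address):
    """True if a DNSBL A-record reply matches a filter like 127.0.0.[2..11]."""
    patterns = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in address.split(".")]
    return len(patterns) == 4 and len(octets) == 4 and all(
        octet_matches(p, o) for p, o in zip(patterns, octets))

def verdict(outcome, answers=(), reply_filter=None):
    """outcome is 'answer', 'nxdomain' or 'tempfail' (labels assumed here)."""
    if outcome == "tempfail":
        return "warn-and-continue"  # the "RBL lookup error" case in the thread
    if outcome == "nxdomain":
        return "not-listed"
    if reply_filter is None:
        hit = bool(answers)         # bare zone: any A record counts as listed
    else:
        hit = any(reply_matches(reply_filter, a) for a in answers)
    return "reject" if hit else "not-listed"

if __name__ == "__main__":
    for code, meaning in SPAMHAUS_ERRORS.items():
        print(code, meaning,
              "| bare zone:", verdict("answer", [code]),
              "| filtered:", verdict("answer", [code], "127.0.0.[2..11]"))
```
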

Re: Question regarding DNSBL behaviour

Benny Pedersen-2
In reply to this post by J Doe
J Doe wrote on 2019-09-10 21:09:

> Thanks for your reply.  Ok, that’s what I was thinking - that it was a
> temporary DNS error for contacting SpamHaus, not SpamHaus saying that
> address was not listed.  Just wanted to double-check.

http://multirbl.valli.org/lookup/94.102.50.188.html

no PTR, no problem

Re: Question regarding DNSBL behaviour

J Doe
In reply to this post by Wietse Venema

>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again
>>
>> I am wondering - in normal checks against SpamHaus, if a host is not listed and the result is NXDOMAIN, I am assuming that Postfix interprets that the host is “ok” and does not log any information.  In this case, though, it has logged the information and I am wondering if this is because Postfix was unable to contact SpamHaus at all, not just regarding the record: 188.50.102.94.zen.spamhaus.org ?
>>
>
> This service is free for low-volume clients only. If you send your
> Spamhaus queries through a shared DNS resolver (like an ISP), then
> you may exceed their 'free service' limits. You may be better off
> using your own DNS resolver.
>
> Wietse

Hi Wietse,

Yes, that is a good point.  I believe I’m ok regarding query limits - I do run my own resolver for this server and the amount of e-mail that transits this particular server is very low.

- J

Re: Question regarding DNSBL behaviour

Bill Cole-3
In reply to this post by J Doe
On 10 Sep 2019, at 14:44, J Doe wrote:

> Hello,
>
> I have a question regarding DNSBL usage with the main.cf
> smtpd_client_restrictions parameter.
>
> I have a server configured to check SpamHaus:
>
> main.cf
> . . .
> smtpd_client_restrictions = reject_rbl_client
> zen.spamhaus.org=127.0.0.[2..11],
> . . .
>
> This has been working very well, although I noticed the following
> error in my syslog:
>
> Sep  7 16:13:08 server postfix/smtpd[28363]: warning:
> 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name
> not found. Name service error for name=188.50.102.94.zen.spamhaus.org
> type=A: Host not found, try again

A common cause of this is if your DNS resolver thinks that you have
IPv6 connectivity (e.g. because you have an autoconfigured interface or
a VPN with an IPv6 address) but you really do not. The extensive
collection of DNS servers handling the zen.spamhaus.org zone includes
many names that have as many AAAA records as they do A records and if
your resolver tries one of those, you get a message as above.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: Question regarding DNSBL behaviour

J Doe

On Sep 10, 2019, at 4:41 PM, Bill Cole <[hidden email]> wrote:

>> Hello,
>>
>> I have a question regarding DNSBL usage with the main.cf smtpd_client_restrictions parameter.
>>
>> I have a server configured to check SpamHaus:
>>
>> main.cf
>> . . .
>> smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>> . . .
>>
>> This has been working very well, although I noticed the following error in my syslog:
>>
>> Sep  7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=188.50.102.94.zen.spamhaus.org type=A: Host not found, try again
>
> A common cause of this is if your DNS resolver thinks that you have IPv6 connectivity (e.g. because you have an autoconfigured interface or a VPN with an IPv6 address) but you really do not. The extensive collection of DNS servers handling the zen.spamhaus.org zone includes many names that have as many AAAA records as they do A records and if your resolver tries one of those, you get a message as above.

Hi Bill,

Thanks for your reply.  Interesting.  In this case, the DNS resolver I use is one that I run on the mailserver itself, which has IPv4/IPv6 connectivity.  I know this host can successfully access both as we send and receive Gmail mostly over IPv6 whereas most other traffic is delivered over IPv4.  With the SMTP traffic handling both ok I would assume that my DNS resolver is also ok (I haven’t made any configuration changes to Bind to make it prefer IPv4 or IPv6 when it performs recursive lookups) ?

Thanks,

- J