Hi, I've been experiencing these weird "Name service error" problems
for a month or so and can't figure out what's causing them.
Sep 13 10:04:59 mail03 postfix/dnsblog[30902]: warning: dnsblog_query:
lookup error for DNS query 25.188.223.216.b.barracudacentral.org: Host
or domain name not found. Name service error for
name=25.188.223.216.b.barracudacentral.org type=A: Host not found, try
again
Sep 13 10:04:59 mail03 postfix/dnsblog[30920]: warning: dnsblog_query:
lookup error for DNS query 25.188.223.216.score.senderscore.com: Host
or domain name not found. Name service error for
name=25.188.223.216.score.senderscore.com type=A: Host not found, try
again
Sep 13 10:04:59 bwimail03 postfix/dnsblog[22943]: warning:
dnsblog_query: lookup error for DNS query
25.188.223.216.bl.mailspike.net: Host or domain name not found. Name
service error for name=25.188.223.216.bl.mailspike.net type=A: Host
not found, try again
Is there a way to enable some form of enhanced debugging just for dnsblog?
I've traced the packets using wireshark and they all appear to occur
on 127.0.0.1 (as that's how /etc/resolv.conf is configured), and the
packet trace is uninteresting. There's no real information as to why
the packet is listed as "server failure".
This is a pretty active mail server, with as many as 800 queries/sec
during peak, I believe. This is on a fedora28 system with
postfix-3.3.1 and bind-9.11.4 configured as a basic caching name
server with recursion enabled. This is on a 20mbit business-class
cable modem.
I've also included one of those packet traces. I realize this may not
be a postfix problem, but I'm hoping it can help to elucidate more of
what's happening.
No. Time Source Destination
Protocol Length Info
9083 11.730327 127.0.0.1 127.0.0.1 DNS
104 Standard query response 0xded6 Server failure A
25.188.223.216.wl.mailspike.net OPT
Frame 9083: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
Encapsulation type: Linux cooked-mode capture (25)
Arrival Time: Sep 13, 2018 15:46:36.633305000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1536867996.633305000 seconds
[Time delta from previous captured frame: 0.000969000 seconds]
[Time delta from previous displayed frame: 0.006367000 seconds]
[Time since reference or first frame: 11.730327000 seconds]
Frame Number: 9083
Frame Length: 104 bytes (832 bits)
Capture Length: 104 bytes (832 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: sll:ethertype:ip:udp:dns]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 772
Link-layer address length: 6
Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
Unused: 6fc0
Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable
Transport (0)
Total Length: 88
Identification: 0x2dff (11775)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4e94 [validation disabled]
[Header checksum status: Unverified]
Source: 127.0.0.1
Destination: 127.0.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 12304
Source Port: 53
Destination Port: 12304
Length: 68
Checksum: 0xfe57 [unverified]
[Checksum Status: Unverified]
[Stream index: 320]
Domain Name System (response)
Transaction ID: 0xded6
Flags: 0x8182 Standard query response, Server failure
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an
authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do
recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority
portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0010 = Reply code: Server failure (2)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
25.188.223.216.wl.mailspike.net: type A, class IN
Name: 25.188.223.216.wl.mailspike.net
[Name Length: 31]
[Label Count: 7]
Type: A (Host Address) (1)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 4096
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0
[Unsolicited: True]
