On Thu, Sep 13, 2018 at 6:16 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > On Sep 13, 2018, at 6:11 PM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > Hi, I've been experiencing these weird "Name service error" problems
> > for a month or so and can't figure out what's causing them.
> >
> > Sep 13 10:04:59 mail03 postfix/dnsblog[30902]: warning: dnsblog_query:
> > lookup error for DNS query 25.188.223.216.b.barracudacentral.org: Host
> > or domain name not found. Name service error for
> > name=25.188.223.216.b.barracudacentral.org type=A: Host not found, try
> > again
>
> Your resolver cannot resolve the address and returns SERVFAIL. Perhaps
> the RBLs you're using are no longer willing to process your queries.
>
> The traffic of interest is not between Postfix and your resolver, but
> between your resolver and various nameservers on the public Internet.

Is it common practice for these RBLs to just block instead of responding with an actual error?

I believe they always result in some type of timeout associated with the query. Notice this one's reached the 30s max. Here's an entry from my bind logs:

13-Sep-2018 21:12:37.892 query-errors: info: client @0x7f84dc36a110 127.0.0.1#63311 (10.215.119.216.bb.barracudacentral.org): query failed (SERVFAIL) for 10.215.119.216.bb.barracudacentral.org/IN/A at ../../../bin/named/query.c:8580
13-Sep-2018 21:12:37.892 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 10.215.119.216.bb.barracudacentral.org/A in 30.000149: timed out/success [domain:bb.barracudacentral.org,referral:0,restart:6,qrysent:15,timeout:8,lame:0,quota:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]

There's also a 'connection refused' entry associated with this one:

13-Sep-2018 21:12:11.487 lame-servers: info: connection refused resolving '10.215.119.216.bb.barracudacentral.org/A/IN': 64.235.145.15#53

There are also thousands of successful entries using the same bb.barracudacentral.org RBL.

Also, if I try and query it now, it succeeds (or at least it doesn't time out and returns NXDOMAIN).

# dig +trace +nodnssec 10.215.119.216.bb.barracudacentral.org

; <<>> DiG 9.11.4-P1-RedHat-9.11.4-5.P1.fc28 <<>> +trace +nodnssec 10.215.119.216.bb.barracudacentral.org
;; global options: +cmd
.                       1066    IN  NS  f.root-servers.net.
.                       1066    IN  NS  j.root-servers.net.
.                       1066    IN  NS  h.root-servers.net.
.                       1066    IN  NS  b.root-servers.net.
.                       1066    IN  NS  e.root-servers.net.
.                       1066    IN  NS  c.root-servers.net.
.                       1066    IN  NS  i.root-servers.net.
.                       1066    IN  NS  l.root-servers.net.
.                       1066    IN  NS  d.root-servers.net.
.                       1066    IN  NS  m.root-servers.net.
.                       1066    IN  NS  a.root-servers.net.
.                       1066    IN  NS  k.root-servers.net.
.                       1066    IN  NS  g.root-servers.net.
;; Received 839 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.                    172800  IN  NS  a0.org.afilias-nst.info.
org.                    172800  IN  NS  a2.org.afilias-nst.info.
org.                    172800  IN  NS  b0.org.afilias-nst.org.
org.                    172800  IN  NS  b2.org.afilias-nst.org.
org.                    172800  IN  NS  c0.org.afilias-nst.info.
org.                    172800  IN  NS  d0.org.afilias-nst.org.
;; Received 469 bytes from 192.203.230.10#53(e.root-servers.net) in 117 ms

barracudacentral.org.   86400   IN  NS  a2.verisigndns.com.
barracudacentral.org.   86400   IN  NS  a3.verisigndns.com.
barracudacentral.org.   86400   IN  NS  a1.verisigndns.com.
;; Received 133 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 89 ms

bb.barracudacentral.org. 86400  IN  NS  geons02.barracudacentral.org.
bb.barracudacentral.org. 86400  IN  NS  geons01.barracudacentral.org.
;; Received 207 bytes from 69.36.145.33#53(a3.verisigndns.com) in 45 ms

;; expected opt record in response
;; Received 56 bytes from 64.235.150.189#53(geons01.barracudacentral.org) in 31 ms
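
Added example, not part of the original message: a small Python parser for the BIND query-errors "fetch completed" line quoted above. For each zone it totals the queries sent, timeouts and network errors, and counts fetches that used the full 30 s mentioned in the message. The third sample line and the zone dnsbl.example are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of the "fetch completed" query-errors line quoted in the message.
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<qname>\S+)/(?P<qtype>\w+) in "
    r"(?P<elapsed>\d+\.\d+): (?P<result>[^\[]+?) \[(?P<counters>[^\]]*)\]")

def parse_fetch(line):
    """Return the fields of one fetch-completed line, or None for any other line."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    rec = {"qname": m["qname"], "qtype": m["qtype"],
           "elapsed": float(m["elapsed"]), "result": m["result"]}
    for pair in m["counters"].split(","):
        key, _, value = pair.partition(":")
        rec[key] = int(value) if value.isdigit() else value
    return rec

def summarize(lines, budget=30.0):
    """Per zone: failed fetches, how many ran to the time budget, error totals."""
    zones = defaultdict(lambda: {"fetches": 0, "hit_budget": 0,
                                 "qrysent": 0, "timeout": 0, "neterr": 0})
    for line in lines:
        rec = parse_fetch(line)
        if rec is None:
            continue  # lame-servers and other categories are skipped
        z = zones[rec.get("domain", "unknown")]
        z["fetches"] += 1
        z["hit_budget"] += rec["elapsed"] >= budget
        for k in ("qrysent", "timeout", "neterr"):
            z[k] += rec.get(k, 0)
    return dict(zones)

SAMPLE = [
    # The first two lines are copied from the message; the third is constructed.
    "13-Sep-2018 21:12:11.487 lame-servers: info: connection refused resolving '10.215.119.216.bb.barracudacentral.org/A/IN': 64.235.145.15#53",
    "13-Sep-2018 21:12:37.892 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 10.215.119.216.bb.barracudacentral.org/A in 30.000149: timed out/success [domain:bb.barracudacentral.org,referral:0,restart:6,qrysent:15,timeout:8,lame:0,quota:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]",
    "13-Sep-2018 21:13:02.104 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3927 for 7.0.0.127.dnsbl.example/A in 4.500210: timed out/success [domain:dnsbl.example,referral:0,restart:2,qrysent:5,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]",
]

if __name__ == "__main__":
    for zone, stats in summarize(SAMPLE).items():
        print(zone, stats)
```

A zone whose failed fetches mostly run to the time budget with high timeout counts points at unanswered queries upstream of the resolver rather than at Postfix.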