>> Does the 'test' address work? See
>> https://www.spamhaus.org/faq/section/DNSBL%20Usage#366
>>
>> $ dig +short 2.0.0.127.zen.spamhaus.org @DNS.server
>>
>> for relevant values of 'DNS.server' including 127.0.0.1.
>
> dig @127.0.0.1 1.0.0.127.zen.spamhaus.org +short
> ; <<>> DiG 9.14.8 <<>> @127.0.0.1 1.0.0.127.zen.spamhaus.org +short
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> dig @127.0.0.1 denic.de +short a
> 81.91.170.12
>
> A dig to query other domains for whatever records does work, so I
> guess it's not a firewall issue.
> Besides this I tried disabling my firewall for a moment of second to
> double-check if my firewall has problem.
> No changes, still not reaching zen.spamhaus.org.
> UDP/TCP 53 is open at switch/router-level and my server too.

The DNS servers provided by Hetzner will not work because nearly every
server uses them by default. That means Spamhaus sees queries from those
IPs that are way over their free usage limit and thus blocks them.

Generally it works using a resolver with your local IP, but this is not
guaranteed. It may be blocked as well, e.g. if another customer used that
IP before you got it.

Just check if you get DNS answers:

[root@server ~]# tcpdump -nn port 53 &
[root@server ~]# dig @127.0.0.1 2.0.0.127.zen.spamhaus.org +short
18:06:32.663886 IP x.x.x.x.4818 > y.y.y.y.53: 40771% [1au] A? 2.0.0.127.zen.spamhaus.org. (55)
18:06:32.705869 IP y.y.y.y.53 > x.x.x.x.4818: 40771*- 3/0/0 A 127.0.0.2, A 127.0.0.10, A 127.0.0.4 (92)
127.0.0.10
127.0.0.4
127.0.0.2
...

Btw. you should query 2.0.0.127.zen.spamhaus.org, not 1.0.0.127.zen.spamhaus.org.

If you don't get a response, your IP is most likely blocked by Spamhaus.
In case you have a second server, you could try it there and, if it works,
configure your resolver to accept queries from your first server. Or you
could try with a new server (they have very affordable cloud servers).

Best regards
Gerald
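
Added example, not part of the thread: a small sh helper that turns the `dig +short` output for the test record into a verdict, so the check above can run from cron or a monitoring probe. The function names and the `--live` switch are hypothetical; the 127.255.255.x error range comes from Spamhaus's published return codes, not from this thread.

```shell
#!/bin/sh
# Classify what a resolver returned for the Spamhaus test record
# 2.0.0.127.zen.spamhaus.org. Function names are hypothetical.

# reverse_v4 A.B.C.D -> D.C.B.A (the label order a DNSBL query uses)
reverse_v4() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# classify_zen_test "<output of dig +short>"
# Prints one of: ok, timeout, empty, error-code, unexpected
classify_zen_test() {
    out=$1
    case "$out" in
        "")
            # No records at all: the test entry must always resolve
            echo "empty"; return ;;
        *"timed out"*|*"no servers could be reached"*)
            # The resolver never got an answer, as in the first mail
            echo "timeout"; return ;;
    esac
    # 127.255.255.x is an error reply (assumption from Spamhaus docs),
    # e.g. the query arrived via a resolver that is over the usage limit
    if printf '%s\n' "$out" | grep -q '^127\.255\.255\.'; then
        echo "error-code"; return
    fi
    # A healthy lookup of the test record includes 127.0.0.2
    if printf '%s\n' "$out" | grep -qx '127\.0\.0\.2'; then
        echo "ok"; return
    fi
    echo "unexpected"
}

# Live check: sh zen_check.sh --live [resolver-ip]
if [ "${1:-}" = "--live" ]; then
    resolver=${2:-127.0.0.1}
    qname="$(reverse_v4 127.0.0.2).zen.spamhaus.org"
    classify_zen_test "$(dig +short +time=3 +tries=1 "@$resolver" "$qname" 2>&1)"
fi
```

Anything other than `ok` from the live check means mail filtering that depends on this resolver is not getting usable DNSBL answers.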