On 18 Sep 2017, at 12:14, Chris wrote:

[...]

> On Mon, 2017-09-18 at 11:11 -0400, Bill Cole wrote:
>> Why are you asking 168.150.251.35 to do DNS resolution for you? It is
>> not authoritative for isipp.com, so presumably you have a specific
>> local config causing you to use it. It is explicitly refusing to do
>> DNS resolution for you.
>
> I honestly have no idea where that came about.

Do you have a local caching recursive DNS resolver? NOT dnsmasq and not anything configured to forward anywhere: a *REAL* recursive caching DNS resolver.

Are you allowing DHCP or some other dynamic network configuration tool to control your /etc/resolv.conf? What's in your /etc/resolv.conf?

If you want to run a working mail server, particularly one that uses DNSBLs of any sort, you need a local (same machine or at worst same physical LAN) caching recursive DNS resolver. /etc/resolv.conf should be static and contain the line "nameserver 127.0.0.1" and probably nothing else.

> I know that on Saturday I was seeing this:
>
> SERVFAIL unexpected RCODE resolving
> '121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53

Which means that you asked 67.227.187.192 (ns2.ns.isipp.com, which is authoritative for iadb.isipp.com.) for the A record of 121.244.54.142.iadb.isipp.com (a DNSBL query), but that DNS server was broken in some way and couldn't provide any meaningful reliable answer other than "I'm Broken!" Stuff happens.

> Then yesterday I started seeing
>
> named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN':
> 168.150.251.35#53

Which means that you asked 168.150.251.35 (which has 2 names: dcn-colo-251-35.dcn.davis.ca.us and iannet.net) for the NS record for isipp.com. There's no clear reason for you to do that based on the public DNS for isipp.com. Its response to your query was explicitly "GET LOST!"

> So to be honest I have no idea where it's coming from. Something
> appears to be messed up somewhere to be sure. However, I've made
> absolutely no changes to anything.

But you've had things changed, right? By which I mean: you have a dynamic IP. That implies DHCP, which also can change your DNS resolver(s). This is a thing you should not allow it to do if you are running a mail server, especially if your dynamic IP might come from random unrelated networks, some of which impose a DNS resolver on you and others which may not.

So you COULD end up changing networks and hence IP address but retaining a stale entry in /etc/resolv.conf that points to a machine that will not answer queries from your new IP. (And yes, the bottom line is: DO NOT EXPECT TO BE ABLE TO RUN A STABLE USEFUL MAIL SERVER WITHOUT A STATIC IP!)
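The checks suggested in this reply, turned into a small script. This is an added example and not code from anyone on the thread: it audits a resolv.conf against the "one static nameserver 127.0.0.1" advice, pulls the `unexpected RCODE` events out of named log lines like the two quoted above, and cross-references the two to spot a configured resolver that is REFUSING queries (the stale-entry situation described). The resolv.conf contents and the log lines are constructed samples modelled on the thread; the "Generated by" banner check is a heuristic, not a rule named in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample /etc/resolv.conf, in the shape a DHCP client or
# NetworkManager might leave behind. Not taken from the thread.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 168.150.251.35
nameserver 127.0.0.1
"""

# Constructed named log lines modelled on the two quoted in the thread
# (timestamps and hostname are made up).
SAMPLE_NAMED_LOG = """\
Sep 16 10:02:11 mx named[1284]: SERVFAIL unexpected RCODE resolving '121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53
Sep 17 09:41:03 mx named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN': 168.150.251.35#53
Sep 17 09:41:04 mx named[1284]: client 127.0.0.1#51234: query: example.org IN A + (127.0.0.1)
"""

# Matches BIND's "<RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <server>#<port>"
RCODE_RE = re.compile(
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# How to read the two RCODEs seen in the thread.
RCODE_MEANING = {
    "SERVFAIL": "server answered but could not produce a reliable result",
    "REFUSED": "server is policy-refusing to answer this client at all",
}


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in text.splitlines():
        # strip both comment styles resolv.conf accepts
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolv_conf_problems(text):
    """Check resolv.conf against the thread's advice: a single static
    'nameserver 127.0.0.1' pointing at a local recursive resolver."""
    problems = []
    servers = parse_resolv_conf(text)
    if not servers:
        problems.append("no nameserver line at all")
    for s in servers:
        try:
            addr = ip_address(s)
        except ValueError:
            problems.append(f"unparseable nameserver {s!r}")
            continue
        if not addr.is_loopback:
            problems.append(f"non-local resolver {s}")
    if len(servers) > 1:
        problems.append(f"{len(servers)} nameservers listed; expected only 127.0.0.1")
    # Heuristic (assumption): a 'Generated by' banner means a tool rewrites
    # this file, so it is not the static file the thread asks for.
    if "generated by" in text.lower():
        problems.append("file is tool-generated, so it is not static")
    return problems


def parse_unexpected_rcodes(log_text):
    """Extract rcode, qname, qtype, qclass, server and port from named
    'unexpected RCODE' lines; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = RCODE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["meaning"] = RCODE_MEANING.get(ev["rcode"], "other RCODE")
            events.append(ev)
    return events


def stale_resolvers(resolv_text, log_text):
    """Servers that are both configured in resolv.conf and logged as
    REFUSED: the stale-entry situation the reply describes."""
    configured = set(parse_resolv_conf(resolv_text))
    refusing = {e["server"] for e in parse_unexpected_rcodes(log_text)
                if e["rcode"] == "REFUSED"}
    return sorted(configured & refusing)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an IPv4 address: octets reversed,
    then the list zone appended (the form seen in the SERVFAIL line)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for p in resolv_conf_problems(SAMPLE_RESOLV_CONF):
        print("resolv.conf:", p)
    for e in parse_unexpected_rcodes(SAMPLE_NAMED_LOG):
        print(f"{e['rcode']} from {e['server']} for {e['qname']}/{e['qtype']}: {e['meaning']}")
    print("stale resolvers:", stale_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_NAMED_LOG))
    print(dnsbl_query_name("142.54.244.121", "iadb.isipp.com"))
```

On a real host you would feed it the actual `/etc/resolv.conf` and a slice of the named log; a non-empty result from `stale_resolvers` is the signature of exactly the DHCP-rewrote-my-resolver problem the reply is pointing at.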