From owner-freebsd-stable Thu Jan 11 13:44:15 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 4E40537B404 for ; Thu, 11 Jan 2001 13:43:48 -0800 (PST)
Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.1/8.11.1) with ESMTP id f0BLhae40979; Thu, 11 Jan 2001 16:43:37 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.0.1.4.0.20010111153833.01e40e30@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Thu, 11 Jan 2001 16:37:44 -0500
To: Mike Andrews , stable@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Weird sporadic DNS resolution problems
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have noticed the same thing, and posted the same question a while back to stable, and now recently to freebsd-isp. I am starting to wonder if it's a FreeBSD/Sendmail interaction thing, as the same version of sendmail running on a LINUX box, asking the FreeBSD name server, does not run into this problem.

---Mike

At 12:21 PM 1/11/01 -0500, Mike Andrews wrote:
>I'm having a bizarre DNS resolution problem that I'm having a hell of a
>time tracking down. Someone tell me I'm just being stupid. :)
>
>For a few months now, I'm *sporadically* unable to resolve *some* external
>domains. This started happening approximately between 4.1.1-RELEASE and
>4.2-RELEASE, when I believe Bind 8 was upgraded in the source tree. (I
>don't remember the exact date, sorry)
>
>Here's what appears to be going on:
>
>When one (but not both) of the nameservers for a domain replies
>non-authoritatively, named will cache a negative response, rather than
>asking the other nameserver. Subsequent lookups return an immediate
>failure. Restarting the nameserver, and then immediately querying the
>same problematic domain DOES work, but only the first query. After a few
>minutes/hours the domain stops working again.
>
>This is especially chronic because Sendmail tries to resolve domains on
>incoming email (for spam protection purposes)... it will give "Domain of
>sender address foo@bar does not resolve" and return a 451 code. This
>causes the other end to retry periodically, unless the other end is
>something like Outlook Express, in which case the customer calls me and
>complains. :)
>
>One example domain is "farmersfrankfort.com". This was moved from us to
>another site yesterday, but we still do MX for them. Looking at whois and
>at the root servers, you can see that their two new nameservers are now
>"cerberus.sbscorp.com" and "ns1.qwest.net". Querying the sbscorp server
>works great, querying qwest doesn't -- it appears Qwest never added them
>to their nameserver config at all. (It has been only about 24 hours, so
>it's not *too* surprising I guess...) Anyway, when someone on one of our
>dialups tries to send mail with @farmersfrankfort.com on the end, our
>Sendmail is unable to resolve it and rejects the message. If I restart
>(not reload) named, it will start working for a while, then die on its own
>again. My theory is that if it happens to query sbscorp it's happy, if it
>happens to query qwest it isn't, and caches the fact that it isn't.
>
>Another example is "setel.com" and "se-tel.com". We sometimes have
>problems exchanging mail with them because one of their DNS servers
>appears to be answering non-authoritatively. Again, I can flush my
>backlog by restarting named and immediately running the sendmail queue
>manually (and I could probably flush their backlog by telnetting to their
>SMTP port and issuing an ETRN)... but obviously that's not exactly
>elegant :)
>
>I've tried adding "max-ncache-ttl 1" to my named config, hoping it would
>help. It didn't.
>
>In one sense this is "not my problem" because their name server shouldn't
>be answering non-authoritatively in the first place. But the fact that
>this started happening after a make world a few months ago, and that I
>feel it should be a slight bit more tolerant of other people's sloppy
>configurations, makes it my problem.
>
>Anyone have any ideas as to what's going on, or can tell me what debugging
>output to enable that I could send here that would help figure it out?
>Configuration options to named that would revert to older behavior? A
>whack on the head? (I could just compile an older named I guess, but I
>fear opening up security holes/DoS attacks.)
>
>
>Mike Andrews * mandrews@dcr.net * mandrews@bit0.com * http://www.bit0.com
>VP, sysadmin, & network guy, Digital Crescent Inc, Frankfort KY
>Internet access for Frankfort, Lexington, Louisville and surrounding counties
>www.fark.com: If it's not news, it's Fark. (Or something like that.)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-stable" in the body of the message
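The failure mode the quoted post describes (a lame delegation on one of two listed nameservers getting cached as a negative answer) can be modelled with a few lines of Python. This is an added example, not code from the thread or from BIND; the wire-format responses are constructed by hand, and the server names and domain are the ones the post mentions, used only as labels.

```python
import struct

# Constructed DNS responses modelled on the post: the sbscorp server answers
# authoritatively for farmersfrankfort.com, while the qwest server (not yet
# configured for the zone) returns an empty, non-authoritative reply.
AA_FLAG = 0x0400

def build_response(qid, aa, rcode, ancount):
    """Build a 12-byte DNS header (QR=1, RD=1, RA=1) with no body;
    enough to exercise the flag logic a resolver has to decide on."""
    flags = 0x8000 | 0x0100 | 0x0080 | (AA_FLAG if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

def classify(msg):
    """Classify a response by its header: only an authoritative negative
    answer (NXDOMAIN, or an empty reply with AA set) is safe to negative-cache."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    aa = bool(flags & AA_FLAG)
    rcode = flags & 0xF
    if rcode not in (0, 3):
        return "error"           # SERVFAIL, REFUSED, ...: try another server
    if rcode == 0 and ancount > 0:
        return "answer"
    if not aa:
        return "lame"            # empty and non-authoritative: do not cache
    return "nxdomain" if rcode == 3 else "nodata"

RESPONSES = {
    "cerberus.sbscorp.com": build_response(1, True, 0, 1),
    "ns1.qwest.net": build_response(1, False, 0, 0),
}

def fake_transport(server, domain):
    """Stand-in for a UDP query: returns the constructed response for server."""
    return RESPONSES[server]

def resolve(domain, servers, transport=fake_transport):
    """Query the delegated servers in turn and accept the first usable
    (positive or authoritative negative) result; lame or failing servers
    are skipped instead of being recorded as a negative answer."""
    tried = []
    for server in servers:
        kind = classify(transport(server, domain))
        if kind in ("answer", "nxdomain", "nodata"):
            return kind, server
        tried.append((server, kind))
    return "servfail", tried     # nothing authoritative from any server
```

Whichever order the two servers are tried in, resolve() ends at the authoritative one; a resolver that stops at the first empty reply, as the post says named did, returns the lame result instead.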