Re: repeated rejection of lookups of bad name



Hi Ross,

On Sun, Nov 11, 2007 at 10:47:13AM -0800, Ross Boylan wrote:
> A few days ago I received a message with a return path of
> berendbrothers.com@xxxxxxxxxxxxxxxxxxx
> exim4's data ACL rejected the message.

[...]

> Since then, every hour at 2 minutes after the hour I get the
> named[xxxx]: unexpected RCODE (REFUSED) resolving
> 'palmcoastcondo.com/TXT/IN': ::1#53
> message.
>
> Googling indicates this means that a DNS query is going to ::1, which I
> think is IPv6 for localhost, and the DNS server (which is mine) is
> rejecting the query.

I believe that your DNS server is reporting an error code it is
receiving from the auth. servers for palmcoastcondo.com.

> Why is this happening? That is,
> 1. why is the query being generated every hour? The timing seems to
> coincide with hourly runs of logcheck.

It is probably being checked by spamassassin's URIBL module as it
appears in email going to you.

> 2. why is it looking for ::1#53 as the DNS server? I have not
> configured bind9 to accept queries on ::1. So the question isn't why
> it's being rejected, but why that location is being queried.

I imagine that your named is listening on all interfaces. What is
in /etc/resolv.conf?

> 3. How can I stop these queries?

There are several ways. For example you could:

- stop receiving email with that domain name in it.

- Turn off URIBL queries

but instead I would recommend ignoring it, and taking steps to make
ignoring it easier.

> Also, my logcheck rules aren't filtering the unexpected RCODE messages
> out. I suspect they should, but the reason will probably be clear by
> inspecting them.

Usually when I have problems like this with logcheck it is because
the message also matches something in the "violations" files, which
are positive matches. I would take a guess at "REFUSED" being in
/etc/logcheck/violations.d/logcheck.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
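
The rule layering described in the reply above, as an added example that is not part of the original message: a simplified shell model of how logcheck consults violations rules before ignore rules, so that an ignore.d-style rule alone cannot silence a line containing "REFUSED". The patterns, the sample log line's timestamp, host and PID, and the function name `classify` are constructed for illustration; that "REFUSED" is a violations pattern is the guess made in the message, not a verified fact.

```shell
#!/bin/sh
# Simplified model of logcheck's rule layers (assumption: real logcheck reads
# these patterns from files under /etc/logcheck/*.d/; here they are variables).
VIOLATIONS='REFUSED'       # guessed content of violations.d/logcheck
VIOLATIONS_IGNORE=''       # violations.ignore.d: nothing yet
# ignore.d.server-style rule for the named message (constructed pattern)
IGNORE='named\[[0-9]+\]: unexpected RCODE \([A-Z]+\) resolving '

# classify LINE -> prints "violation", "ignored" or "system event"
classify() {
    line=$1
    if printf '%s\n' "$line" | grep -Eq -- "$VIOLATIONS"; then
        # Violations layer: only violations.ignore.d can drop the line here.
        # The ordinary ignore.d.* rules are never consulted for it.
        if [ -n "$VIOLATIONS_IGNORE" ] &&
           printf '%s\n' "$line" | grep -Eq -- "$VIOLATIONS_IGNORE"; then
            echo ignored
        else
            echo violation
        fi
    elif printf '%s\n' "$line" | grep -Eq -- "$IGNORE"; then
        # Ordinary layer: ignore.d.* rules apply.
        echo ignored
    else
        echo 'system event'
    fi
}

# Constructed sample line in the shape quoted in the thread.
SAMPLE="Nov 11 11:02:01 host named[1234]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53"

echo "ignore.d rule only:           $(classify "$SAMPLE")"
# Copy the same pattern into the violations.ignore layer.
VIOLATIONS_IGNORE=$IGNORE
echo "plus violations.ignore rule:  $(classify "$SAMPLE")"
```

On a real system, `logcheck-test` from the logcheck package can be used to check a candidate rule against a log file before installing it.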
