Spamhaus Win 2008 DNS server - ORF Forums

We upgraded our internal DNS servers to Win 2008 this weekend. I've noticed that spamhaus DNS lookups now fail. The message below is what I see in the logs. I've also noticed that an nslookup doesn't return 127.0.0.2 or Non-existent domain, it now returns a valid IP address. Not sure if this is related.

Version: 4.4 REGISTERED
Log Mode: Verbose
Server: ati-ntmail.archtest.com
Source: SMTPSVC-1
Time: 3/7/2011 11:45:30 AM
Class: System Message
Severity: Warning
Actions: (not available)
Filtering Point: Before Arrival
HELO/EHLO Domain: (not available)
Related IP Address: 74.10.7.148
Message ID: (not available)
Email Subject: (not available)
Sender:
Recipient(s):
* <removed>
Message:
DNS error. Test: "DNSBL: SPAMHAUS-ZEN", server: "100.100.100.9", domain: "148.7.10.74.zen.spamhaus.org", record type: A, protocol: UDP. Server response: DNS server or domain failure (SERVFAIL, RCODE 2).

Digging a bit more, I beleive it is because the new DNS servers are using our comcast cable modem as the default gateway to the internet. We have two gateways, and previously the DNS servers were using the other. I think spamhaus is block all queries from comcast.

I was sure that was the answer, but when I contacted Spamhaus they told me I was incorrect and they specifically looked up my IP address and said it was not being blocked.

Interestly when I do an NSlookup on spamhaus.org I receive a reply but when I do it on zen.spamhaus.org it fails. I'm still not sure what is going on. I'm going to dig more and if I find an answer I'll post it.

It was the eDNS that Krisztian mentioned in his post. Turning it off fixed the problem.

I was experiencing this problem awhile back myself and after applying the eDNS settings, setting the MaxCacheTTL registry value to 172800 and the restarting the "DNS Server" service on all of our Server 2008 R2 Domain Controllers, the issue with failed DNS queries to spamhaus seemed to ease up for awhle. We still experienced them every one in awhile but it wasn't so bad. Now suddenly over the last week or so, we are experiencing a high amount of these failures again. I know for sure we have not exceede the fair use policy. We are way under the allowed amounts of queries and I can also confirm that we are not using DNS forwarders on on DNS servers.

What I am noticing in our ORF logs is that I will see 8 x SERVVAIL, RCODE 2 DNS query attempts to either SURBL: SAPMHAS-DBL or DNSBL-SPAMHAUS-ZEN and then the 9th one makes it through as "Email passed checks".

Still confused as to why this fails so often.

@Krisztián Fekete (Vamsoft): The only DNS errors I do see in the logs are Spamhaus related (either SURBL: SPAMHAUS-DBL or DNSBL: SPAMHAUS-ZEN). Last night I disabled the "Spamhaus ZEN" DNS Blacklist and found that this morning the only errors remaining were SURBL: SPAMHAUS-DBL. I have decided to now disable that one as well as I am finding that any Spamhaus test just seems to be too unreliable for us. I have enabled a couple other test in light of this.

I currently have the following enabled in total and wanted to know if this is sufficient in light of not having any Spamhaus tests enabled and if there are any other combinations that are recommended:

DNS Blacklists Enabled:
1. Baracuda Reputation Block List
2. SORBS Combined List
3. SpamCopy Blocking List
4. SpamRats! Dyna List - just added after disabling Spamhaus
5. SpamRats! NoPtr List - just added after disabling Spamhaus
6. Unsubscribe Blacklist (UBL) Resources - just added after disabling Spamhaus

SURBL Tests Enabled
1. SURBL: Combined SURBLE list
2. SURBL: SpamCopy web sites - just added after disabling Spamhaus
3. urble.com Blacklist

I was getting the exact same thing with Spamhaus and ORF. I disabled it as well. I'm still on ORF 4.4 if that matters.