Spamhaus Win 2008 DNS server - ORF Forums


1

We upgraded our internal DNS servers to Win 2008 this weekend. I've noticed that spamhaus DNS lookups now fail. The message below is what I see in the logs. I've also noticed that an nslookup doesn't return 127.0.0.2 or Non-existent domain, it now returns a valid IP address. Not sure if this is related.

Version: 4.4 REGISTERED
Log Mode: Verbose
Server: ati-ntmail.archtest.com
Source: SMTPSVC-1
Time: 3/7/2011 11:45:30 AM
Class: System Message
Severity: Warning
Actions: (not available)
Filtering Point: Before Arrival
HELO/EHLO Domain: (not available)
Related IP Address: 74.10.7.148
Message ID: (not available)
Email Subject: (not available)
Sender:
Recipient(s):
*
Message:
DNS error. Test: "DNSBL: SPAMHAUS-ZEN", server: "100.100.100.9", domain: "148.7.10.74.zen.spamhaus.org", record type: A, protocol: UDP. Server response: DNS server or domain failure (SERVFAIL, RCODE 2).


by Aaron Wetherhold 8 years ago
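An added example (not from the forum thread or ORF) in Python showing how a DNSBL client derives the query name from the connecting IP and how it should read the outcomes that come up in this thread: SERVFAIL, NXDOMAIN, an answer such as 127.0.0.2, and an unexpected public address like the one the nslookup above returned. The zone name and the address 74.10.7.148 are taken from the post; the function names and the sample verdict sequence are constructed here.

```python
import ipaddress
from enum import Enum

# Outcome of one DNSBL lookup, as a mail filter should interpret it.
class DnsblVerdict(Enum):
    LISTED = "listed"              # A record inside 127.0.0.0/8
    NOT_LISTED = "not listed"      # NXDOMAIN (or NOERROR with no A records)
    LOOKUP_ERROR = "lookup error"  # SERVFAIL etc.: no verdict possible
    UNEXPECTED = "unexpected"      # a public IP came back: not a DNSBL answer

# DNS RCODE values (RFC 1035).
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def dnsbl_query_name(client_ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets of the client IP and append the DNSBL zone.
    74.10.7.148 -> 148.7.10.74.zen.spamhaus.org (the name in the ORF log)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_dnsbl_response(rcode: int, answers: list[str]) -> DnsblVerdict:
    """Map an (RCODE, list of A records) pair to a verdict.
    DNSBLs signal a listing with 127.0.0.0/8 addresses (RFC 5782)."""
    if rcode == RCODE_NXDOMAIN:
        return DnsblVerdict.NOT_LISTED
    if rcode != RCODE_NOERROR:
        return DnsblVerdict.LOOKUP_ERROR  # SERVFAIL, REFUSED, ...
    if not answers:
        return DnsblVerdict.NOT_LISTED
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return DnsblVerdict.LISTED
    # A routable address means the query never reached the real DNSBL
    # (resolver or upstream interference); it must not be read as a listing.
    return DnsblVerdict.UNEXPECTED

def should_reject(verdict: DnsblVerdict) -> bool:
    """Fail open: only a positive listing rejects mail. Errors and unexpected
    answers are logged and alerted on, never treated as a hit."""
    return verdict is DnsblVerdict.LISTED

def lookup_error_rate(verdicts: list[DnsblVerdict]) -> float:
    """Share of lookups that produced no verdict. A high value means the DNSBL
    test is silently switched off for most mail, which is worth an alert."""
    errors = sum(v is DnsblVerdict.LOOKUP_ERROR for v in verdicts)
    return errors / len(verdicts) if verdicts else 0.0

if __name__ == "__main__":
    name = dnsbl_query_name("74.10.7.148")
    print(name, classify_dnsbl_response(RCODE_SERVFAIL, []).value)
```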
2

@Aaron Wetherhold: SERVFAIL, RCODE 2 simply means "Server failure - The name server was unable to process this query due to a problem with the name server." I'm not sure why Spamhaus does not work while other DNS-based tests work fine (if I understand the issue correctly); it might be an issue on their end, or you violated the free usage terms and they blocked you (http://www.spamhaus.org/organization/dnsblusage.html).

If that does not explain the problem, you might try the following (possible) solutions:

1. EDNS is enabled by default for the first time in 2008 R2. You might try disabling EDNS probes by issuing the following command:

dnscmd /config /EnableEDNSProbes 0

http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

http://technet.microsoft.com/en-us/library/cc787130(v=ws.10).aspx

2. Windows Server 2008 DNS may stop processing some TLDs when using root hints, unless the TTL is set suitably high (see http://support.microsoft.com/kb/968372). You should try setting MaxCacheTTL registry value to 2 days or greater as the article suggests to see if that solves the problem.

Please let us know if any of the above has helped.

by Krisztian Fekete 8 years ago
(in reply to this post)

3

Digging a bit more, I believe it is because the new DNS servers are using our Comcast cable modem as the default gateway to the internet. We have two gateways, and previously the DNS servers were using the other. I think Spamhaus is blocking all queries from Comcast.

by Aaron Wetherhold 8 years ago
4

@Aaron Wetherhold: That is very easily possible, because ISP DNS servers aggregate traffic from their network, so they are likely to violate the fair use policy and thus get firewalled out.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)

5

I was sure that was the answer, but when I contacted Spamhaus they told me I was incorrect and they specifically looked up my IP address and said it was not being blocked.

Interestingly, when I do an nslookup on spamhaus.org I receive a reply, but when I do it on zen.spamhaus.org it fails. I'm still not sure what is going on. I'm going to dig more and if I find an answer I'll post it.

by Aaron Wetherhold 8 years ago
6

@Aaron Wetherhold: Thanks Aaron, please keep us posted.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)

7

It was the eDNS that Krisztian mentioned in his post. Turning it off fixed the problem.

by Aaron Wetherhold 8 years ago
8

@Aaron Wetherhold: Thanks for the feedback, glad to hear it solved the problem :)

by Krisztian Fekete 8 years ago
(in reply to this post)

9

I was experiencing this problem a while back myself, and after applying the eDNS settings, setting the MaxCacheTTL registry value to 172800 and restarting the "DNS Server" service on all of our Server 2008 R2 Domain Controllers, the issue with failed DNS queries to Spamhaus seemed to ease up for a while. We still experienced them every once in a while, but it wasn't so bad. Now suddenly over the last week or so, we are experiencing a high amount of these failures again. I know for sure we have not exceeded the fair use policy. We are way under the allowed amount of queries and I can also confirm that we are not using DNS forwarders on our DNS servers.

What I am noticing in our ORF logs is that I will see 8 x SERVFAIL, RCODE 2 DNS query attempts to either SURBL: SPAMHAUS-DBL or DNSBL: SPAMHAUS-ZEN, and then the 9th one makes it through as "Email passed checks".

Still confused as to why this fails so often.

by marlon.deerr 6 years ago
10

@marlon.deerr: It might be an issue on their end (Spamhaus'), assuming you do not see these errors logged for other DNS-based tests. They are often under DDoS attacks.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

11

@Krisztián Fekete (Vamsoft): The only DNS errors I do see in the logs are Spamhaus related (either SURBL: SPAMHAUS-DBL or DNSBL: SPAMHAUS-ZEN). Last night I disabled the "Spamhaus ZEN" DNS Blacklist and found that this morning the only errors remaining were SURBL: SPAMHAUS-DBL. I have decided to now disable that one as well, as I am finding that any Spamhaus test just seems to be too unreliable for us. I have enabled a couple of other tests in light of this.

I currently have the following enabled in total and wanted to know if this is sufficient in light of not having any Spamhaus tests enabled and if there are any other combinations that are recommended:

DNS Blacklists Enabled:
1. Barracuda Reputation Block List
2. SORBS Combined List
3. SpamCop Blocking List
4. SpamRats! Dyna List - just added after disabling Spamhaus
5. SpamRats! NoPtr List - just added after disabling Spamhaus
6. Unsubscribe Blacklist (UBL) Resources - just added after disabling Spamhaus

SURBL Tests Enabled:
1. SURBL: Combined SURBL list
2. SURBL: SpamCop web sites - just added after disabling Spamhaus
3. uribl.com Blacklist

by marlon.deerr 6 years ago
(in reply to this post)

12

I was getting the exact same thing with Spamhaus and ORF. I disabled it as well. I'm still on ORF 4.4 if that matters.

by Graham CB 6 years ago
