> 
> On Monday, November 22, 2004, 1:13:17 PM, Dallas Engelken wrote:
> > I've been troubleshooting a system today that is having problems with
> > SA.  It appears their DNS servers will not answer NS records, and only
> > [A] records.  A,MX,CNAME,SOA,PTR all work fine (strangest thing ever)...
> > So when SA starts up, the DNS detection code decides that DNS is not
> > available.
> 
> NS records are used by uridnsbl, by default against 
> sbl.spamhaus.org.  A records against SURBLs by urirhsbl and 
> urirhssub.  All three commands are in URIDNSBL.pm.
> 
> I have not looked at the source code, but NS records should 
> not be checked for SURBL lookups, just A records as you note.
> 
> Perhaps there's some inappropriate code from uridnsbl being 
> used by urirhssub, etc.?
> 
> BTW, I wonder if this is related to the intermittent FP 
> reports we get where people are seeing domains hit SURBLs 
> when they're not actually listed and can't be listed.
> 
> Perhaps NS records are being hit on SURBL lookups???
> 
> What platform experiences this odd behavior with not 
> answering NS records?  Perhaps we can correlate it with some 
> of these FP reports.
> 

Well, the platform is not really the issue here I don't believe... The
surrounding platform is.  Their SA is running on Red Hat 7.3, Perl 5.6.1.
They have this Symantec Raptor software firewall running on an NT box,
and for some reason, it doesn't resolve NS resource record queries.
Been on the phone with them (Symantec) about it, they say they have
never supported it in the DNS proxy, but in their new version, support
for it is experimental.  I was like WTF, it's just like any other DNS
lookup.

So anyways, if you run a 'host -tNS domain.com', you get no answers.
Not even an NXDOMAIN.   This causes SA to think DNS is not available and
not run any network tests unless you hard code it.   Even then SURBL
does not work because it does an NS lookup before pulling the A records.
Dunno why, that's why I'm asking for feedback here.

I guess it is possible that even when NS records are properly working on
a good setup, that NS's are still being pulled for the URI domains that
are being compared against SURBL.  Whether this is creating false
positives or not is another thing.  I'm still trying to figure out
how/if the NS lookups are being used in SA as it pertains to SURBL.  I
realize the NS's are resolved and compared against SBL, and maybe this
is why NS's are pulled for all URIs, but it's just a DNS lookup that is
not needed IMHO... And with lots of URIs to look up, this could cause it
to take twice as long on the SURBL lookups.

d
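
Added example, not part of the original message and not SpamAssassin code: a per-record-type probe that separates "no reply at all" from NXDOMAIN or an empty answer, which is the distinction that matters when a DNS proxy silently drops NS queries as described above. The function names and the `start_fake_proxy` stub (a constructed local stand-in for such a proxy) are assumptions for illustration; point `survey` at a real resolver address to test an actual path.

```python
import socket, struct, threading

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15}

def build_query(name, qtype, txid=0x1234):
    """Encode a minimal recursive DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def probe(server, name, qtype, timeout=0.5):
    """Classify one lookup as 'answer', 'nodata', 'rcode=N' or 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), server)
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"  # silence: not the same thing as NXDOMAIN
    flags, _, ancount = struct.unpack("!HHH", data[2:8])
    rcode = flags & 0xF
    if rcode:
        return f"rcode={rcode}"  # rcode 3 is NXDOMAIN
    return "answer" if ancount else "nodata"

def survey(server, name="example.com", timeout=0.5):
    """Probe every record type in QTYPES against one resolver."""
    return {t: probe(server, name, t, timeout) for t in QTYPES}

def start_fake_proxy(drop=("NS",)):
    """Constructed stub: a UDP 'DNS proxy' on localhost that ignores some qtypes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    dropped = {QTYPES[t] for t in drop}
    def serve():
        while True:
            data, peer = sock.recvfrom(512)
            if struct.unpack("!H", data[-4:-2])[0] in dropped:
                continue  # no reply at all, not even an error
            # Header-only reply claiming one answer; probe() reads only the header.
            hdr = data[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
            sock.sendto(hdr + data[12:], peer)
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()

if __name__ == "__main__":
    for rtype, result in survey(start_fake_proxy(), timeout=0.3).items():
        print(f"{rtype:5} {result}")
```

A type that reports `timeout` while the others report `answer` points at the resolver path rather than at the queried domain.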



