On Sun, Oct 12, 2008 at 7:24 PM, MacShane, Tracy
<[EMAIL PROTECTED]> wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Wolfe
>> Sent: Saturday, 11 October 2008 5:58 AM
>> To: postfix-users@postfix.org
>> Subject: cannot find reverse hostname for ip with enormous result
>>
>> Hello,
>>
>> We use reject_unknown_client to fail messages from hosts with no rDNS.
>>  We have a situation with the host 216.163.249.229, which
>> gives the following results:
>>
>>
>> NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450
>> 4.7.1 Client host rejected: cannot find your reverse
>> hostname, [216.163.249.229];
>>
>> There actually is reverse DNS for this address... 239 PTR records!
>> Using 'host' returns them all, with a warning:
>>
>> ;; Truncated, retrying in TCP mode.
>>  .. and then all the results
>>
>> So I guess the result is so large that UDP cannot contain it,
>> and within postfix the TCP method either isn't being tried or
>> isn't working.  Is this a problem with my resolver or
>> something I can fix in postfix?  The lookup does work on this
>> machine using 'host' with the above error.
>>
>> -Aaron
>>
>
> While there may be problems with the fact that some of the PTRs are
> unresolvable, I also suggest checking what might be thought of as the
> obvious, namely, that your firewall is not blocking *UDP* DNS lookup.
>
> I had this same problem a few months back, and didn't initially think to
> ask the question. It turned out that our external firewall (maintained
> by a separate group) was only permitting TCP queries. The problem didn't
> emerge until we tried resolving hosts with many multiple PTRs (36 for
> one particular host); the 10s of thousands of other DNS queries were
> working perfectly. Enabling UDP over port 53 fixed things for that one
> host as if by magic.
>

In this case, there is no problem doing the lookup from the mail
server with 'host', so probably not a firewall issue.
Also, I think you might have misinterpreted the results of the
firewall change made in your case.  TCP is allowable (although not
recommended) for all queries, and UDP is the protocol which cannot
hold large results.  I think it's more likely that the remote DNS
server did not allow TCP queries (which is their error, not yours).

-Aaron
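The failure mode discussed in this thread, as an added example that is not part of the original list messages: a DNS answer with 239 PTR records does not fit the classic 512-byte UDP payload, so a server replies with the TC (truncated) bit set and the resolver must retry over TCP. The code below models both sides on constructed data (the hostnames and the stand-in server are assumptions; only the IP comes from the thread) so the TC check can be exercised offline.

```python
import struct

UDP_LIMIT = 512  # classic DNS/UDP payload limit without EDNS0 (RFC 1035)


def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_response(ip, hostnames, transport="udp"):
    """Stand-in authoritative server: answer an in-addr.arpa PTR query.
    Over UDP, a reply larger than UDP_LIMIT is cut back to the question
    section and flagged with TC (RFC 1035 4.2.1); over TCP it is sent whole."""
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    question = encode_name(qname) + struct.pack("!HH", 12, 1)  # QTYPE=PTR, QCLASS=IN
    answers = b""
    for hn in hostnames:
        rdata = encode_name(hn)
        # NAME, TYPE=PTR, CLASS=IN, TTL, RDLENGTH, RDATA
        answers += encode_name(qname) + struct.pack("!HHIH", 12, 1, 3600, len(rdata)) + rdata
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(hostnames), 0, 0)
    msg = header + question + answers
    if transport == "udp" and len(msg) > UDP_LIMIT:
        header = struct.pack("!HHHHHH", 0x1234, flags | 0x0200, 1, 0, 0, 0)  # set TC, ANCOUNT=0
        msg = header + question
    return msg


def is_truncated(msg):
    """True if the TC bit is set in the header of a wire-format DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


def answer_count(msg):
    """ANCOUNT field of a wire-format DNS message."""
    return struct.unpack("!H", msg[6:8])[0]


def resolve_ptr(ip, hostnames):
    """Resolver side: query over UDP first; on TC, retry the same query over
    TCP. A resolver that skips this retry sees zero answers for a host with
    many PTRs, which is exactly what 'cannot find your reverse hostname' reports."""
    reply = build_ptr_response(ip, hostnames, "udp")
    if is_truncated(reply):
        reply = build_ptr_response(ip, hostnames, "tcp")
        return "tcp", answer_count(reply)
    return "udp", answer_count(reply)


# Constructed sample: 239 PTR targets, matching the count reported in the thread.
HOSTNAMES_239 = ["host%03d.example.com" % i for i in range(239)]
```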
