On 1/22/2010 6:18 AM, Stan Hoeppner wrote:

1.  Spamhaus has banned Google Public DNS resolver queries.  I didn't know this
until today.  If Postfix is using Google Public DNS resolvers, rbl queries to
zen.spamhaus.org fail but Postfix (Debian Lenny 2.5.5-1.1) logs NOTHING about
it.  Not the query attempt, not the failure, zilch, nut'n.

Nothing is logged because the DNS server gives an authoritative "does not exist" answer. That's not an error, it is the expected response when a client is not listed in an RBL.

It would be silly to log such events except under debug conditions. At any rate, the log for this would look completely normal; lookup performed, host not listed. The logs would be indistinguishable from any other successful RBL lookup of an unlisted client.

2.  For other dns resolvers that Spamhaus doesn't like, such as a few under the
CenturyLink umbrella (former Embarq/Sprint resolvers) an error is logged, such 

Jan 22 05:27:53 greer postfix/smtpd[19251]: warning: RBL lookup error: Host or domain name not found.
Name service error for name= type=A: Host not
found, try again

An error is logged because this DNS server returned an error.

Obviously this DNS server is configured differently WRT spamhaus lookups.

I'm glad I got this solved.  I really wish that when I was using the Google
resolvers that Postfix would have been logging some kind of errors.  If it had,
I'd have known I had a real problem much sooner.  The total lack of log entries
for ~3 months is what finally jolted me to look into this.  This is a sad state
of affairs.  So the question at this point is, why didn't Postfix log any errors
when NXDOMAIN domain was returned, but did log errors when SERVFAIL is returned?

Test RBL lookups with the published test address. should never be listed, should always be listed.

$ host
Host not found: 3(NXDOMAIN)

$ host has address has address has address

 -- Noel Jones
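
An added example, not part of the original message: a resolver health check that catches the silent case discussed above, where NXDOMAIN for every query looks identical to "not listed". It uses the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not); the function names and result labels are illustrative, and it assumes it runs on the mail host with the same resolver configuration Postfix uses.

```python
import socket

# RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be.
ALWAYS_LISTED = "127.0.0.2"
NEVER_LISTED = "127.0.0.1"
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def query_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_lookup(name):
    """Resolve via the system resolver: list of A records, "NXDOMAIN" or "ERROR"."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "NXDOMAIN" if exc.errno in NOT_FOUND else "ERROR"
    return sorted({info[4][0] for info in infos})


def check_dnsbl(zone, lookup=system_lookup):
    """Classify how the resolver answers the two test entries of a DNSBL zone."""
    listed = lookup(query_name(ALWAYS_LISTED, zone))
    unlisted = lookup(query_name(NEVER_LISTED, zone))
    if "ERROR" in (listed, unlisted):
        # SERVFAIL or timeout: the case Postfix reports as "RBL lookup error".
        return "resolver-error"
    if listed == "NXDOMAIN":
        # The always-listed entry is missing, so every "not listed" answer
        # from this resolver is meaningless and nothing will be logged.
        return "silently-failing"
    if unlisted != "NXDOMAIN":
        # The never-listed entry resolves: the zone would reject all mail.
        return "lists-everything"
    return "ok"


if __name__ == "__main__":
    zone = "zen.spamhaus.org"
    status = check_dnsbl(zone)
    print(f"{zone}: {status}")
    raise SystemExit(0 if status == "ok" else 1)
```

Run periodically, a non-zero exit gives the alert that the mail log cannot.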
