Re: [mailop] sorbs DNS problems
On 12/03/2022 11:20, Luis E. Muñoz via mailop wrote: On 11 Mar 2022, at 19:09, Noel Butler via mailop wrote: Firslty yes, seen too many issues with SORBS, we removed them about 3 weeks ago, the problems have been ongoing for months. Just wrapping up a trial with them for a traffic sample. We saw no issues in processing north of 300 million messages. Care to share what issues did you see? We configured a private secondary for this and experienced exactly zero issues. Best regards -lem timeouts, its like a few of their different zones just disappear and reappear hours or days later -- Regards, Noel Butler This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Sat, 12 Mar 2022 10:09:43 +1000 Noel Butler via mailop napísal: > Secondly, like most DNSBL's they probably use rbldnsd, this does not > support TCP, only UDP Sure, that is true for their rbldnsX.sorbs.net (they even responds to version chaos), but not true for their nsX.sorbs.net (at least for those which responds). regards -- Slavko https://www.slavino.sk pgpo4WY_nYC5h.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 20:20:23 -0500 Luis E. Muñoz via mailop napísal: > Just wrapping up a trial with them for a traffic sample. We saw no > issues in processing north of 300 million messages. Care to share > what issues did you see? The sorbs.net provides 15 NS records, from which at least 4 does not respond at all, thus recursive server has problem to get responses. The unbound (as caching recursive DNS), after it reaches certain count of errors, disables that domain for some time. When it is lucky to select working NS, then it gets response for dnsbl.sorbs.net, which yields another 18 NS, from which 10 doesn't responds. And the disabling repeats. When it is lucky to get that response, then unbound caches it and then it works for some time, until TTL expires. Then it start lottery again from start. This persist for long time, while i did not try to collect exact counts before. > We configured a private secondary for this and experienced exactly > zero issues. We are talking about their public DNS, your private mirror is, ehm, your private mirror. regards -- Slavko https://www.slavino.sk pgpHaS6EK9ae7.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
On 11 Mar 2022, at 19:09, Noel Butler via mailop wrote: > Firslty yes, seen too many issues with SORBS, we removed them about 3 weeks > ago, the problems have been ongoing for months. Just wrapping up a trial with them for a traffic sample. We saw no issues in processing north of 300 million messages. Care to share what issues did you see? We configured a private secondary for this and experienced exactly zero issues. Best regards -lem ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Firslty yes, seen too many issues with SORBS, we removed them about 3 weeks ago, the problems have been ongoing for months. Secondly, like most DNSBL's they probably use rbldnsd, this does not support TCP, only UDP On 12/03/2022 06:17, Slavko via mailop wrote: Ahoj, Dňa Fri, 11 Mar 2022 11:20:24 -0800 Dan Mahoney via mailop napísal: Why are you instead not doing a dig against these ips? It's clear you understand that ICMP may be blocked, so why not use a check method that actually uses the protocol you'd use to query them? (send only to Dan accidentally, resend to ML) I did it manually previous, without results collected, i tried to tcptraceroute too (expecting that they responds to TCP requests), etc. I used ping output to demonstrate the problem. I do not know what dig's return code 9 means: ns0.sorbs.net. 113.52.8.11 dig fail 9 ns2.sorbs.net. 87.106.246.125 dig fail 9 ns4.sorbs.net. 78.153.202.24 dig OK ns5.sorbs.net. 72.12.198.241 dig OK ns1175.dns.dyn.com. 108.59.166.201 dig OK ns2174.dns.dyn.com. 108.59.168.201 dig OK ns3179.dns.dyn.com. 108.59.170.201 dig OK ns4151.dns.dyn.com. 108.59.172.201 dig OK ns9.sorbs.net. 169.48.121.207 dig OK rbldns10.sorbs.net. 185.87.186.55 dig OK rbldns7.sorbs.net. 88.208.216.85 dig OK rbldns0.sorbs.net. 113.52.8.50 dig fail 9 rbldns17.sorbs.net. 210.50.3.173 dig fail 9 rbldns3.sorbs.net. 74.208.146.124 dig fail 9 rbldns16.sorbs.net. 74.53.186.252 dig fail 9 rbldns8.sorbs.net. 89.150.195.2 dig fail 9 rbldns4.sorbs.net. 78.153.202.22 dig OK rbldns15.sorbs.net. 87.106.246.154 dig fail 9 rbldns2.sorbs.net. 72.12.198.247 dig OK rbldns18.sorbs.net. 72.12.198.248 dig OK rbldns14.sorbs.net. 194.134.35.168 dig fail 9 rbldns12.sorbs.net. 74.208.146.124 dig fail 9 rbldns13.sorbs.net. 113.52.8.157 dig fail 9 rbldns6.sorbs.net. 194.134.35.204 dig fail 9 rbldns1.sorbs.net. 78.153.202.21 dig OK rbldns11.sorbs.net. 216.12.212.155 dig fail 9 rbldns9.sorbs.net. 169.48.121.206 dig OK While i didn't compare it side by side with ping, it +- corresponds with ping results, at least in mean, that some responds and some not. Here is one example of result with code 9: ; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> @113.52.8.11 163.44.213.129.safe.dnsbl.sorbs.net ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be reached regards ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop -- Regards, Noel Butler This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 11:20:24 -0800 Dan Mahoney via mailop napísal: > Why are you instead not doing a dig against these ips? It's clear > you understand that ICMP may be blocked, so why not use a check > method that actually uses the protocol you'd use to query them? (send only to Dan accidentally, resend to ML) I did it manually previous, without results collected, i tried to tcptraceroute too (expecting that they responds to TCP requests), etc. I used ping output to demonstrate the problem. I do not know what dig's return code 9 means: ns0.sorbs.net. 113.52.8.11 dig fail 9 ns2.sorbs.net. 87.106.246.125 dig fail 9 ns4.sorbs.net. 78.153.202.24 dig OK ns5.sorbs.net. 72.12.198.241 dig OK ns1175.dns.dyn.com. 108.59.166.201 dig OK ns2174.dns.dyn.com. 108.59.168.201 dig OK ns3179.dns.dyn.com. 108.59.170.201 dig OK ns4151.dns.dyn.com. 108.59.172.201 dig OK ns9.sorbs.net. 169.48.121.207 dig OK rbldns10.sorbs.net. 185.87.186.55 dig OK rbldns7.sorbs.net. 88.208.216.85 dig OK rbldns0.sorbs.net. 113.52.8.50 dig fail 9 rbldns17.sorbs.net. 210.50.3.173 dig fail 9 rbldns3.sorbs.net. 74.208.146.124 dig fail 9 rbldns16.sorbs.net. 74.53.186.252 dig fail 9 rbldns8.sorbs.net. 89.150.195.2 dig fail 9 rbldns4.sorbs.net. 78.153.202.22 dig OK rbldns15.sorbs.net. 87.106.246.154 dig fail 9 rbldns2.sorbs.net. 72.12.198.247 dig OK rbldns18.sorbs.net. 72.12.198.248 dig OK rbldns14.sorbs.net. 194.134.35.168 dig fail 9 rbldns12.sorbs.net. 74.208.146.124 dig fail 9 rbldns13.sorbs.net. 113.52.8.157 dig fail 9 rbldns6.sorbs.net. 194.134.35.204 dig fail 9 rbldns1.sorbs.net. 78.153.202.21 dig OK rbldns11.sorbs.net. 216.12.212.155 dig fail 9 rbldns9.sorbs.net. 169.48.121.206 dig OK While i didn't compare it side by side with ping, it +- corresponds with ping results, at least in mean, that some responds and some not. Here is one example of result with code 9: ; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> @113.52.8.11 163.44.213.129.safe.dnsbl.sorbs.net ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be reached regards -- Slavko https://www.slavino.sk pgpZ2a9arNbcW.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
Ahoj, Dňa Fri, 11 Mar 2022 13:41:27 -0600 Michael Rathbun via mailop napísal: > They frequently fail the timeout setting on a DNSBL checker tool I > use. Running the tool again pulls the records in cache that arrived > after the timeout. The resolver is a local instance of bind. I use local unbound, and yes i see responses later, but they are mostly response about timeout from my unbound, which comes after my script's DNS timeout, which is shorted. The collected results was done via another forwarding DNS, which forwards to ISP's DNS at my job's server (not mail). But, as i stated, they corresponds with results from my unbound. regards -- Slavko https://www.slavino.sk pgpx0CRKTqWbh.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
On Fri, 11 Mar 2022 19:54:00 +0100, Slavko via mailop wrote: >Please, encounter someone else this? Are here some problems on their >side? They frequently fail the timeout setting on a DNSBL checker tool I use. Running the tool again pulls the records in cache that arrived after the timeout. The resolver is a local instance of bind. mdr ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] sorbs DNS problems
> I collect related NS records and try to ping them from another IP > (different ISP), to be sure that they are not blocked by me nor by my > ISP, and results corresponds with my experiences: > >ns0.sorbs.net. 113.52.8.11 ping fail >ns2.sorbs.net. 87.106.246.125 ping fail >ns4.sorbs.net. 78.153.202.24 ping OK >ns5.sorbs.net. 72.12.198.241 ping fail >ns1175.dns.dyn.com. 108.59.166.201 ping fail >ns2174.dns.dyn.com. 108.59.168.201 ping fail >ns3179.dns.dyn.com. 108.59.170.201 ping fail >ns4151.dns.dyn.com. 108.59.172.201 ping fail >ns9.sorbs.net. 169.48.121.207 ping OK >rbldns10.sorbs.net. 185.87.186.55 ping OK >rbldns7.sorbs.net. 88.208.216.85 ping fail >rbldns0.sorbs.net. 113.52.8.50 ping fail >rbldns17.sorbs.net. 210.50.3.173 ping fail >rbldns3.sorbs.net. 74.208.146.124 ping fail >rbldns16.sorbs.net. 74.53.186.252 ping fail >rbldns8.sorbs.net. 89.150.195.2 ping fail >rbldns4.sorbs.net. 78.153.202.22 ping OK >rbldns15.sorbs.net. 87.106.246.154 ping fail >rbldns2.sorbs.net. 72.12.198.247 ping OK >rbldns18.sorbs.net. 72.12.198.248 ping OK >rbldns14.sorbs.net. 194.134.35.168 ping fail >rbldns12.sorbs.net. 74.208.146.124 ping fail >rbldns13.sorbs.net. 113.52.8.157 ping fail >rbldns6.sorbs.net. 194.134.35.204 ping fail >rbldns1.sorbs.net. 78.153.202.21 ping OK >rbldns11.sorbs.net. 216.12.212.155 ping fail >rbldns9.sorbs.net. 169.48.121.206 ping OK > > As any can see, some responds, and some not... > > I do not know, if they are not accessible or have ICMP blocked, but i > will expect, that if they block ICMP, they will block all not only some > hosts. Why are you instead not doing a dig against these ips? It's clear you understand that ICMP may be blocked, so why not use a check method that actually uses the protocol you'd use to query them? -Dan ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] sorbs DNS problems
Hi, for relative long time (some weeks) i have troubles with SORBS RBL. I do not use it at MTA nor rspamd level, but only in my script, which i run only manually when i need to inspect some IP status in depth, thus i cannot exceed any limits. But queries to SORBS (concrete to safe.dnsbl.sorbs.net) are sometime success (in mean no timeout), but mostly fails with timeout (message from my script): safe.dnsbl.sorbs.net: The DNS operation timed out after 5.105137348175049 seconds I collect related NS records and try to ping them from another IP (different ISP), to be sure that they are not blocked by me nor by my ISP, and results corresponds with my experiences: ns0.sorbs.net. 113.52.8.11 ping fail ns2.sorbs.net. 87.106.246.125 ping fail ns4.sorbs.net. 78.153.202.24 ping OK ns5.sorbs.net. 72.12.198.241 ping fail ns1175.dns.dyn.com. 108.59.166.201 ping fail ns2174.dns.dyn.com. 108.59.168.201 ping fail ns3179.dns.dyn.com. 108.59.170.201 ping fail ns4151.dns.dyn.com. 108.59.172.201 ping fail ns9.sorbs.net. 169.48.121.207 ping OK rbldns10.sorbs.net. 185.87.186.55 ping OK rbldns7.sorbs.net. 88.208.216.85 ping fail rbldns0.sorbs.net. 113.52.8.50 ping fail rbldns17.sorbs.net. 210.50.3.173 ping fail rbldns3.sorbs.net. 74.208.146.124 ping fail rbldns16.sorbs.net. 74.53.186.252 ping fail rbldns8.sorbs.net. 89.150.195.2 ping fail rbldns4.sorbs.net. 78.153.202.22 ping OK rbldns15.sorbs.net. 87.106.246.154 ping fail rbldns2.sorbs.net. 72.12.198.247 ping OK rbldns18.sorbs.net. 72.12.198.248 ping OK rbldns14.sorbs.net. 194.134.35.168 ping fail rbldns12.sorbs.net. 74.208.146.124 ping fail rbldns13.sorbs.net. 113.52.8.157 ping fail rbldns6.sorbs.net. 194.134.35.204 ping fail rbldns1.sorbs.net. 78.153.202.21 ping OK rbldns11.sorbs.net. 216.12.212.155 ping fail rbldns9.sorbs.net. 169.48.121.206 ping OK As any can see, some responds, and some not... I do not know, if they are not accessible or have ICMP blocked, but i will expect, that if they block ICMP, they will block all not only some hosts. Please, encounter someone else this? Are here some problems on their side? thanks -- Slavko https://www.slavino.sk pgpkXHhusWEoI.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop