Hello, the problem is that from that server, using dig, nslookup, host...etc, the record is resolved without problems (with TCP):

r...@relay09:~ # dig spf.orange.es
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.5.0-P2 <<>> spf.orange.es
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12128
;; flags: qr rd ra; QUERY: 1, ANSWER: 42, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spf.orange.es. IN A

;; ANSWER SECTION:
spf.orange.es. 1152 IN A 62.36.20.211
spf.orange.es. 1152 IN A 62.36.20.212
spf.orange.es. 1152 IN A 62.36.20.213
spf.orange.es. 1152 IN A 62.36.20.214
spf.orange.es. 1152 IN A 62.36.20.215
spf.orange.es. 1152 IN A 62.36.20.218
spf.orange.es. 1152 IN A 62.36.20.219
spf.orange.es. 1152 IN A 62.36.20.220
spf.orange.es. 1152 IN A 62.36.20.230
spf.orange.es. 1152 IN A 62.37.225.28
spf.orange.es. 1152 IN A 62.37.225.29
spf.orange.es. 1152 IN A 62.37.225.30
spf.orange.es. 1152 IN A 62.37.236.9
spf.orange.es. 1152 IN A 62.37.236.12
spf.orange.es. 1152 IN A 62.37.236.13
spf.orange.es. 1152 IN A 62.37.236.14
spf.orange.es. 1152 IN A 62.37.236.60
spf.orange.es. 1152 IN A 62.37.236.61
spf.orange.es. 1152 IN A 62.37.236.63
spf.orange.es. 1152 IN A 62.37.236.64
spf.orange.es. 1152 IN A 62.37.236.67
spf.orange.es. 1152 IN A 62.37.236.69
spf.orange.es. 1152 IN A 62.37.236.82
spf.orange.es. 1152 IN A 62.37.236.119
spf.orange.es. 1152 IN A 62.37.236.185
spf.orange.es. 1152 IN A 62.37.236.186
spf.orange.es. 1152 IN A 62.37.236.187
spf.orange.es. 1152 IN A 83.231.36.67
spf.orange.es. 1152 IN A 62.36.20.139
spf.orange.es. 1152 IN A 62.36.20.140
spf.orange.es. 1152 IN A 62.36.20.169
spf.orange.es. 1152 IN A 62.36.20.170
spf.orange.es. 1152 IN A 62.36.20.201
spf.orange.es. 1152 IN A 62.36.20.202
spf.orange.es. 1152 IN A 62.36.20.203
spf.orange.es. 1152 IN A 62.36.20.204
spf.orange.es. 1152 IN A 62.36.20.205
spf.orange.es. 1152 IN A 62.36.20.206
spf.orange.es. 1152 IN A 62.36.20.207
spf.orange.es. 1152 IN A 62.36.20.208
spf.orange.es. 1152 IN A 62.36.20.209
spf.orange.es. 1152 IN A 62.36.20.210

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 14 15:38:56 2009
;; MSG SIZE rcvd: 703

I'll try to debug what Net::DNS is doing...

Thanks.

Matt Kettler wrote:
> Michael Scheidell wrote:
>> my mistake. seems orange.es is using a HUGE a record list.
>>
>> you might want to check your dns servers. make sure they can pass dns
>> records in tcp.
>>
>> (if result is 'huge' (> 255 bytes)) dns will NOT use udp port 53, but
>> tcp port 53.
>> do a 'host -t a spf.oriange.es' on the server running spamassassin.
>> see if you don't get something like this:
>>
>>
>>
>> host -t a spf.orange.es
>> ;; Truncated, retrying in TCP mode.
>> spf.orange.es has address 83.231.36.67
>> spf.orange.es has address 62.36.20.139
>> spf.orange.es has address 62.36.20.140
>> spf.orange.es has address 62.36.20.169
>> spf.orange.es has address 62.36.20.170
>> spf.orange.es has address 62.36.20.201
>> spf.orange.es has address 62.36.20.202
>> spf.orange.es has address 62.36.20.203
>> spf.orange.es has address 62.36.20.204
>> spf.orange.es has address 62.36.20.205
>> spf.orange.es has address 62.36.20.206
>> spf.orange.es has address 62.36.20.207
>> spf.orange.es has address 62.36.20.208
>> spf.orange.es has address 62.36.20.209
>> spf.orange.es has address 62.36.20.210
>> spf.orange.es has address 62.36.20.211
>> spf.orange.es has address 62.36.20.212
>>
> Wow that's ugly. Legitimate, but really ugly.
>
> Someone needs to better organize their IP space so their smarthosts are
> consecutive. This way they can use CIDR masks and do something like
> 62.36.20.139/28.
>
> Alvaro, as Michael suggests, you might want to check to see if
> something's filtering your DNS query packet size. Note that Cisco PIX
> and ASA devices tend to do this by default as part of their inspection
> features.
>
> Also, make sure your resolving DNS server is allowed to make connections
> to tcp/53 on outside DNS servers... If UDP fails because a value is too
> long, it should switch to TCP. But if there's some egress filtering,
> that mechanism won't work.
>
>
>

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
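
The UDP-to-TCP fallback discussed in this thread, as an added example that is not part of the original messages: it rebuilds a 42-record A response for spf.orange.es, shows why it cannot fit in one UDP datagram, and checks the TC bit a resolver uses to decide on a tcp/53 retry. It assumes the classic 512-byte DNS-over-UDP limit (no EDNS0), a simplified server that keeps only whole records that fit, constructed 192.0.2.x addresses, and hypothetical helper names.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP message limit (RFC 1035), assuming no EDNS0
TC_FLAG = 0x0200  # "truncated" bit in the header flags word
RR_SIZE = 16      # compressed A record: 2 name ptr + 2 type + 2 class + 4 ttl + 2 len + 4 addr

# Constructed sample data: 42 documentation-range addresses, same count as the dig answer.
SAMPLE_ADDRS = ["192.0.2.%d" % i for i in range(1, 43)]

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_a_response(name, addrs, ttl=1152, qid=12128):
    """Build the complete response: header, question, one A record per address."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)  # flags: qr rd ra
    question = encode_name(name) + struct.pack("!HH", 1, 1)            # type A, class IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers

def udp_reply(full):
    """Simplified server behaviour over UDP: keep whole records that fit, set TC if any are dropped."""
    if len(full) <= UDP_LIMIT:
        return full
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", full[:12])
    qend = full.index(b"\x00", 12) + 5          # end of name + 4 bytes of type/class
    keep = min(an, (UDP_LIMIT - qend) // RR_SIZE)
    header = struct.pack("!HHHHHH", qid, flags | TC_FLAG, qd, keep, 0, 0)
    return header + full[12:qend + RR_SIZE * keep]

def needs_tcp_retry(reply):
    """Client side: a set TC bit means the resolver must repeat the query over tcp/53."""
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & TC_FLAG)

if __name__ == "__main__":
    full = build_a_response("spf.orange.es", SAMPLE_ADDRS)
    over_udp = udp_reply(full)
    print("full response:", len(full), "bytes")
    print("UDP reply:", len(over_udp), "bytes, TC set:", needs_tcp_retry(over_udp))
```

The full response comes to 703 bytes, the same figure dig reports as MSG SIZE rcvd. If tcp/53 is blocked on egress, the client is left with only the truncated UDP reply.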