DNS behaviour and Postfix with relays.ordb.org

beerfest · 01-30-2008, 08:27 AM

Hi folks,
Hoping someone can help me with information I'm seeing in a DNS log.
I've been trying to track down an "Unexpected RCODE (SERVFAIL)" error that I've been getting in /var/log/messages

I'm running Fedora Core 6.
I've switched BIND9 to log debug info to /var/named/chroot/var.log/named.log

I also have Postfix running on the server and all seems to be fine.
In main.cf I have the following spam control measures:-

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client zen.spamhaus.org,
check_recipient_access hash:/etc/postfix/recipient_access

So I expect a chunk of Spam e-mails to be blocked.

However, I'm looking at my DNS logs and there's a lot of mentions to relays.ordb.org in there, one every few seconds. Here's some of the log:-
30-Jan-2008 14:10:21.890 resolver: debug 1: createfetch: 105.70.98.84.relays.ordb.org A
30-Jan-2008 14:10:24.599 resolver: debug 1: createfetch: 126.92.194.77.relays.ordb.org A
30-Jan-2008 14:10:27.966 resolver: debug 1: createfetch: 105.70.98.84.relays.ordb.org A
30-Jan-2008 14:10:29.619 resolver: debug 1: createfetch: 126.92.194.77.relays.ordb.org A
30-Jan-2008 14:10:34.859 resolver: debug 1: createfetch: 126.92.194.77.relays.ordb.org A
30-Jan-2008 14:10:35.668 resolver: debug 1: createfetch: 105.70.98.84.relays.ordb.org A
30-Jan-2008 14:10:39.876 resolver: debug 1: createfetch: 126.92.194.77.list.dsbl.org A
30-Jan-2008 14:10:39.914 resolver: debug 1: createfetch: 126.92.194.77.zen.spamhaus.org A
30-Jan-2008 14:10:40.684 resolver: debug 1: createfetch: 105.70.98.84.list.dsbl.org A
30-Jan-2008 14:10:40.722 resolver: debug 1: createfetch: 105.70.98.84.zen.spamhaus.org A

From what I've read relays.ordb.org went offline in Dec 06 and I have no reference to it in Postfix so why doe it appear in my DNS logs?

beerfest · 01-31-2008, 09:26 AM

Just adding to this thread.
I have resolved the problem and tracked down the info appearing in the DNS logs.

Turns out someone had configured one of our older DNS servers to point at my problem DNS server via the resolv.conf file. That coupled with the other server running sendmail which was configures to use relays.ordb.org.
So the sendmail on the other server was receiving e-mails and trying to lookup relays.ordb.org and failing and passing the lookup onto my problem DNS server.

Tracked down the problem using "ngrep port 53". What a great tool that is for monitoring and filtering network traffic.