My DNS queries seem to be refused

lowhigh
Posts: 36
Joined: Wed Feb 08, 2017 5:14 pm

My DNS queries seem to be refused

Post by lowhigh »

Hi everybody!

I have been using Zimbra 8.7.0_GA_1659.RHEL6_64_20160628192545 RHEL6_64 FOSS edition with dnscache for a long time.

But yesterday I checked the log and saw that many DNS queries seem to be refused:
[root@mail tmp]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 203.162.0.181
nameserver 8.8.8.8
Sep 20 10:57:09 mail amavis[22297]: (22297-02) _WARN: dns: sendto() to [8.8.8.8]:53 failed: Operation not permitted, no more alternatives
Sep 20 10:57:09 mail amavis[22297]: (22297-02) _WARN: dns: sendto() to [8.8.8.8]:53 failed: Operation not permitted, failing over to [203.162.0.181]:53
This makes the SPF module that I have configured to check SPF say:
Recipient address rejected: Failed SPF check; gmail.com ... _netblocks.google.com, Unknown error on DNS 'TXT' lookup of '_netblocks.google.com'; from=........
And now no emails from Gmail can reach users on the Zimbra server. This never happened before.

Does anyone experience this situation?
Please help me!
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: My DNS queries seem to be refused

Post by pup_seba »

Never faced that problem, so I'll just brainstorm a little:

- Can you dig it from the server with the problem? Like dig @8.8.8.8 somedomain.com
- Can you dig it from other computers in your organization that share the same public IP address as your server?
- Can you dig for that specific SPF (TXT) record with your DNS servers? And if you use other DNS servers instead? Like 'dig @otherdnsserver somedomain.com txt'
- Your log only shows 8.8.8.8 refusing. Does the 203 server also refuse it?
- Maybe a firewall is blocking traffic to port 53?
- What's the output of 'zmprov gs `zmhostname` | grep -i dns'?
- DNS servers may block or delay your queries if you are producing a lot of them; maybe that's the case? (The previous command will help us find out a little bit more.)
- Why do you have 127.0.0.1 as your first DNS server? If it is because you have dnsmasq or something similar, may I ask why you do that instead of just using the DNS of your organization?
lowhigh
Posts: 36
Joined: Wed Feb 08, 2017 5:14 pm

Re: My DNS queries seem to be refused

Post by lowhigh »

Thanks pup_seba!

1. When I dig from DNS server 8.8.8.8 or 23.162.0.181, it's OK and the same as on another computer.
2. dig for the SPF record is also OK from the DNS cache and from public DNS.
3. 203.16.0.181 also refuses, as 8.8.8.8 does.
4. The firewall has port 53 UDP open, because dig is always successful.
5. Some public servers block or delay my queries, but I think dnscache reduces the query rate a lot. And now I don't know how to get out of this situation.
6. 127.0.0.1 is the dnscache in Zimbra 8.7.

I really need some more advice!
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: My DNS queries seem to be refused

Post by phoenix »

I don't really understand why you're using three DNS servers in your resolv file; you only need one DNS server in there, and it should be a caching DNS server (i.e. dnscache). FWIW, I use separate (HA/load-balanced) DNS servers on different machines than the ZCS server, which serve all my LAN DNS requests, and that works fine. The reason for using dnscache is to reduce the number of look-ups to the RBL lists; they are free services, but if you abuse them you'll get refused after a certain number of requests (the number of requests depends on the service).
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 896
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: My DNS queries seem to be refused

Post by JDunphy »

Investigate whether port 53 TCP is also open for DNS queries, for replies larger than 512 bytes. Note: given how resolv.conf is queried, you can also list 127.0.0.1 twice. The thought process is that should it time out, the next query could be immediate if the delay was network related. If you are getting time-outs, you should investigate the cause, however... Because this was about doing a lookup for SPF records with Gmail, here are a few other ideas. IMO, listing a bunch of external resolvers doesn't make a lot of sense unless you have an infrastructure in place where you are forwarding and building a rich local cache for subsequent lookups. If this isn't your environment, comment out those external resolvers to make it easier on yourself.

Note: there was a recent thread on SA, "Re: DNS and RBL problems" ... here is one of the comments from Kevin A. McGrail, who is leading the SA project.
"I will also mention that if you are using a server such as 8.8.8.8, you MUST change. I found that if you use 8.8.8.8, you cannot even pass a test for spamassassin builds. They are doing some interesting things likely anti-abuse that just screw with things."

But why is 127.0.0.1 failing first? There could be another explanation, relating to Perl and the Net::DNS module and recursion. I have never seen it, but some on SA have reported it as a problem.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223

Finally, you could do the following from the command line to see if you can grab the spf recursively and all the ip addresses.

% dig +short +trace TXT gmail.com
TXT "v=spf1 redirect=_spf.google.com" from server 216.239.32.10 in 62 ms.

% cat > /tmp/j.sh
#!/usr/bin/perl
# Print the SPF mechanisms of a domain, following include: mechanisms recursively
use strict;
use warnings;

my $domain = shift @ARGV or die "usage: $0 domain\n";
getit($domain);

sub getit {
  my $domain = shift;

  # nslookup prints each TXT record as:  <domain>\ttext = "v=spf1 ... ~all"
  my @foo = `nslookup -q=TXT $domain`;
  foreach (@foo) {
    next if not /\Q$domain\E\ttext = "v=spf1/;
    s/\Q$domain\E\ttext = "v=spf1//;   # keep only the mechanisms
    s/"\s*$//;                          # drop the closing quote and newline
    my @results = split /\s+/;
    foreach my $mech (@results) {
      next if $mech eq '' or $mech =~ /^[-~?+]?all$/;   # skip the final "all" qualifier
      print "$mech\n";
      if ($mech =~ /^include:/) {
        (my $inc = $mech) =~ s/^include://;
        getit($inc);                    # recurse into the included domain
      }
    }
  }
}
^D
% chmod 755 /tmp/j.sh
% /tmp/j.sh _spf.google.com

Another idea would be to systematically verify that you can look up _spf.google.com from the command line with each resolver.
lowhigh
Posts: 36
Joined: Wed Feb 08, 2017 5:14 pm

Re: My DNS queries seem to be refused

Post by lowhigh »

Thanks phoenix and JDunphy!

I have removed all the public DNS servers and left only the dnscache 127.0.0.1 in /etc/resolv.conf.
And in the log I see:
Sep 20 22:48:25 mail amavis[27644]: (27644-02) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 20 22:48:27 mail postfix/dnsblog[17630]: warning: dnsblog_query: lookup error for DNS query 173.202.69.118.wl.mailspike.net: Host or domain name not found. Name service error for name=173.202.69.118.wl.mailspike.net type=A: Host not found, try again
Sep 20 22:48:27 mail postfix/postscreen[17627]: warning: dnsblog reply timeout 10s for wl.mailspike.net
203.162.0.181 is the default public DNS of my network, but I don't put it in /etc/resolv.conf.

And sometimes I see:
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (74.92.232.243,6277)) from *,38363: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (212.223.102.90,6277)) from *,49694: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (69.12.221.230,6277)) from *,47682: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc4.dcc-servers.net (137.208.8.63,6277)) from *,49845: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (136.199.199.160,6277)) from *,46418: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc5.dcc-servers.net (192.84.137.21,6277)) from *,42736: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(@ (127.0.0.1,6277)) from *,33945: Operation not permitted
Finally, after I changed the DNS config, running
dig +short +trace TXT gmail.com
gives no result at all. Running
/tmp/j.sh _spf.google.com
gives:
include:_netblocks.google.com

ip4:35.190.247.0/24
ip4:64.233.160.0/19
ip4:66.102.0.0/20
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:74.125.0.0/16
ip4:108.177.8.0/21
ip4:173.194.0.0/16
ip4:209.85.128.0/17
ip4:216.58.192.0/19
ip4:216.239.32.0/19
~all"
include:_netblocks2.google.com
include:_netblocks3.google.com
~all"
Sending mail from/to Gmail works fine, but when I activate the SPF module in policyd, Zimbra says:
Sep 20 22:35:10 mail postfix/smtpd[11628]: NOQUEUE: reject: RCPT from mail-ot1-f52.google.com[209.85.210.52]: 450 4.1.8 <xxxx@gmail.com>: Sender address rejected: Domain not found; from=<xxxx@gmail.com> to=<info@mydomain> proto=ESMTP helo=<mail-ot1-f52.google.com>
Of course, email from Gmail cannot be received.

I think this is an SA error, but I have used SPF and public DNS very well for a long time, until 19/09/2018.

Please give me some more clue!
JDunphy
Outstanding Member
Posts: 896
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: My DNS queries seem to be refused

Post by JDunphy »

A few things.

1) Isn't that whitelist lookup failure because it isn't listed... probably normal.
2) dig failing... Now that is strange... Here is what I was expecting:


mail:~:49> dig +short +trace TXT gmail.com
NS j.root-servers.net. from server 127.0.0.1 in 0 ms.
NS a.root-servers.net. from server 127.0.0.1 in 0 ms.
NS g.root-servers.net. from server 127.0.0.1 in 0 ms.
NS m.root-servers.net. from server 127.0.0.1 in 0 ms.
NS h.root-servers.net. from server 127.0.0.1 in 0 ms.
NS c.root-servers.net. from server 127.0.0.1 in 0 ms.
NS k.root-servers.net. from server 127.0.0.1 in 0 ms.
NS b.root-servers.net. from server 127.0.0.1 in 0 ms.
NS i.root-servers.net. from server 127.0.0.1 in 0 ms.
NS f.root-servers.net. from server 127.0.0.1 in 0 ms.
NS d.root-servers.net. from server 127.0.0.1 in 0 ms.
NS l.root-servers.net. from server 127.0.0.1 in 0 ms.
NS e.root-servers.net. from server 127.0.0.1 in 0 ms.
TXT "v=spf1 redirect=_spf.google.com" from server 216.239.36.10 in 21 ms.
3) Not all those SPF blocks were displayed:


/tmp/j.sh _spf.google.com

include:_netblocks.google.com

ip4:35.190.247.0/24
ip4:64.233.160.0/19
ip4:66.102.0.0/20
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:74.125.0.0/16
ip4:108.177.8.0/21
ip4:173.194.0.0/16
ip4:209.85.128.0/17
ip4:216.58.192.0/19
ip4:216.239.32.0/19
~all"
include:_netblocks2.google.com

ip6:2001:4860:4000::/36
ip6:2404:6800:4000::/36
ip6:2607:f8b0:4000::/36
ip6:2800:3f0:4000::/36
ip6:2a00:1450:4000::/36
ip6:2c0f:fb50:4000::/36
~all"
include:_netblocks3.google.com

ip4:172.217.0.0/19
ip4:172.217.32.0/20
ip4:172.217.128.0/19
ip4:172.217.160.0/20
ip4:172.217.192.0/19
ip4:108.177.96.0/19
ip4:35.191.0.0/16
ip4:130.211.0.0/22
~all"
~all"
I don't use the Zimbra resolver, so I can't offer much more help with what it does or doesn't do. That you got no result with dig is a little odd and worth further investigation of why, in addition to why you didn't resolve those other Google netblocks. Perhaps remove +short and observe how far the dig is getting. You might try it with some other domains... yahoo.com, outlook.com, etc. To put some sanity into this, you might try 1.1.1.1 (Cloudflare) to see if you get similar results to 127.0.0.1 on your checks.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: My DNS queries seem to be refused

Post by phoenix »

Perhaps a follow-up question would be: do you have the settings for dnscache configured correctly (particularly the DNSMasterIP), as per the wiki article: https://wiki.zimbra.com/wiki/DNS_cachin ... (dnscache)
lowhigh
Posts: 36
Joined: Wed Feb 08, 2017 5:14 pm

Re: My DNS queries seem to be refused

Post by lowhigh »

Yes phoenix, I have followed this guide step by step and am sure that all is correct:
zmprov getServer `zmhostname` | grep DNSMasterIP
Result:
zimbraDNSMasterIP: 203.162.0.181
And:
[zimbra@mail ~]$ zmdnscachectl status
dnscache is running with pid: 7909
But zimbra.log shows:
Sep 21 08:58:07 mail amavis[27647]: (27647-11) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 21 08:58:07 mail amavis[27647]: (27647-11) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 21 08:58:07 mail amavis[27647]: (27647-11) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 21 08:58:07 mail amavis[27647]: (27647-11) _WARN: dns: sendto() to [203.162.0.181]:53 failed: Operation not permitted, no more alternatives
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc1.dcc-servers.net (137.208.8.63,6277)) from *,47995: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc2.dcc-servers.net (67.66.138.141,6277)) from *,57262: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc2.dcc-servers.net (209.169.14.26,6277)) from *,39966: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc2.dcc-servers.net (195.20.8.232,6277)) from *,41857: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc2.dcc-servers.net (136.199.199.160,6277)) from *,36134: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(dcc2.dcc-servers.net (192.84.137.21,6277)) from *,41921: Operation not permitted
Sep 21 08:58:08 mail dccproc[16964]: sendto(@ (127.0.0.1,6277)) from *,50455: Operation not permitted
Sep 21 08:58:08 mail postfix/dnsblog[16427]: warning: dnsblog_query: lookup error for DNS query 109.34.244.171.list.dnswl.org: Host or domain name not found. Name service error for name=109.34.244.171.list.dnswl.org type=A: Host not found, try again
Sep 21 08:58:08 mail postfix/postscreen[16425]: warning: dnsblog reply timeout 10s for list.dnswl.org
Sep 21 08:58:12 mail amavis[27647]: (27647-11) SA info: dcc: instead of X-DCC header, dccproc returned 'sendto(dcc1.dcc-servers.net (137.208.8.63,6277)) from *,47995: Operation not permitted'
I think this error is related to some permission!
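The log lines above mix two different failures, and telling them apart narrows the search. This is an added Python example, not code from the thread or from Zimbra: it parses constructed copies of the amavis, dccproc and postfix messages posted here and separates "Operation not permitted" (EPERM returned by sendto(), meaning the kernel never emitted the datagram) from lookups that did go out and then failed or timed out.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ones posted in this thread
SAMPLE_LOG = """\
Sep 20 10:57:09 mail amavis[22297]: (22297-02) _WARN: dns: sendto() to [8.8.8.8]:53 failed: Operation not permitted, no more alternatives
Sep 20 22:42:56 mail dccproc[19127]: sendto(dcc3.dcc-servers.net (74.92.232.243,6277)) from *,38363: Operation not permitted
Sep 20 22:42:56 mail dccproc[19127]: sendto(@ (127.0.0.1,6277)) from *,33945: Operation not permitted
Sep 20 22:48:27 mail postfix/dnsblog[17630]: warning: dnsblog_query: lookup error for DNS query 173.202.69.118.wl.mailspike.net: Host or domain name not found. Name service error for name=173.202.69.118.wl.mailspike.net type=A: Host not found, try again
Sep 20 22:48:27 mail postfix/postscreen[17627]: warning: dnsblog reply timeout 10s for wl.mailspike.net
"""

# amavis (Net::DNS) logs the peer as [ip]:port, dccproc logs it as name (ip,port)
AMAVIS_RE = re.compile(r"amavis\[\d+\]: .*sendto\(\) to \[([^\]]+)\]:(\d+) failed: ([^,]+)")
DCC_RE = re.compile(r"dccproc\[\d+\]: sendto\(\S+ \(([^,]+),(\d+)\)\) from \*,\d+: (.+)$")
DNSBLOG_RE = re.compile(r"dnsblog_query: lookup error for DNS query (\S+?): ")
TIMEOUT_RE = re.compile(r"dnsblog reply timeout (\d+)s for (\S+)")

def parse_line(line):
    """Describe the DNS/DCC failure on one syslog line, or return None."""
    if m := AMAVIS_RE.search(line):
        return {"kind": "send_failed", "src": "amavis", "dst": m[1], "port": int(m[2]), "err": m[3]}
    if m := DCC_RE.search(line):
        return {"kind": "send_failed", "src": "dccproc", "dst": m[1], "port": int(m[2]), "err": m[3]}
    if m := DNSBLOG_RE.search(line):
        return {"kind": "lookup_failed", "src": "dnsblog", "name": m[1]}
    if m := TIMEOUT_RE.search(line):
        return {"kind": "lookup_timeout", "src": "postscreen", "zone": m[2], "seconds": int(m[1])}
    return None

def summarize(log_text):
    """Group failures by destination so the pattern (which hosts, ports, errors) is visible."""
    blocked = defaultdict(set)          # (dst_ip, port) -> error strings seen
    unresolved, timeouts = set(), {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "send_failed":
            blocked[(ev["dst"], ev["port"])].add(ev["err"])
        elif ev["kind"] == "lookup_failed":
            unresolved.add(ev["name"])
        else:
            timeouts[ev["zone"]] = ev["seconds"]
    return {"blocked": dict(blocked), "unresolved": unresolved, "timeouts": timeouts}

def local_policy_suspected(summary):
    """'Operation not permitted' is EPERM from sendto(): the kernel refused to emit the
    datagram at all (on Linux typically a netfilter OUTPUT rule), which a dead or
    rate-limiting resolver cannot cause. Returns (eperm_seen, loopback_also_hit):
    if even 127.0.0.1 gets EPERM, the policy lives on this host, not on the network."""
    eperm = [d for d, errs in summary["blocked"].items() if "Operation not permitted" in errs]
    return bool(eperm), any(ip == "127.0.0.1" for ip, _ in eperm)
```

Run summarize() over /var/log/zimbra.log (or the amavis log) instead of SAMPLE_LOG; the destinations it lists, including the port, are the ones to compare against the host's OUTPUT firewall rules.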
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: My DNS queries seem to be refused

Post by phoenix »

Who 'owns' the server at the zimbraDNSMasterIP address? Is this under your control? Can you do a DNS lookup using the server? In any case, have you tried changing the zimbraDNSMasterIP to something else such as "1.1.1.1" or one of your choice?