Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?
sjcarr at gmail.com
Fri Mar 8 01:04:35 UTC 2013
On 8 March 2013 00:49, Vernon Schryver <vjs at rhyolite.com> wrote:
> The RPZ log captures only information about response policy zone
> rewriting. A response policy zone is the same as every other local
> zone, so most problems with the zone itself are logged elsewhere.
> Depending on your ACLs, you can probe a response policy zone with `dig`
> or other tools just as you would any other local zone. Because I
> also have a local policy zone named drop.rpz.spamhaus.org,
> `dig 18.104.22.168.in-addr.arpa.drop.rpz.spamhaus.org`
> gives me an ANSWER section of
> 22.214.171.124.in-addr.arpa.drop.rpz.spamhaus.org. 300 IN CNAME .
> I chose that domain after looking at
> named-compilezone -j -f raw -F text -o- drop.rpz.spamhaus.org drop.rpz.spamhaus.org | head -4
> I would try to diagnose this problem the same as other zone transfer
> problems. If a simple TCP request like
> `dig +vc 126.96.36.199.in-addr.arpa.drop.rpz.spamhaus.org @188.8.131.52`
> fails, then I'd look for the usual TCP problems such as firewalls.
> I'd also check that Spamhaus has authorized the local IP address that
> I'm actually using, perhaps as opposed to the IP address I requested.
> However, in recent days I have seen manual attempts to resolve
> individual zen.spamhaus.org domains time out. There are also a few
> 'timed out' entries in my current xfer log including at 25-Feb-2013 09:11,
> 07-Mar-2013 22:02, 07-Mar-2013 23:17, and 08-Mar-2013 00:17 GMT.
> There are zillions of successful transfers, and the last was at
> 07-Mar-2013 23:11.
I'm having the same issues with zone transfers timing out, but I can
perform queries directly to the RPZ servers, so there is nothing wrong
from the network/firewall side of things.
sjcarr at elmo:~ $ dig +vc 184.108.40.206.in-addr.arpa.drop.rpz.spamhaus.org
; <<>> DiG 9.8.3-P1 <<>> +vc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13663
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;220.127.116.11.in-addr.arpa.drop.rpz.spamhaus.org. IN A
;; ANSWER SECTION:
18.104.22.168.in-addr.arpa.drop.rpz.spamhaus.org. 0 IN CNAME .
;; Query time: 100 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Fri Mar 8 00:56:46 2013
;; MSG SIZE rcvd: 77
I'm currently in discussion with the Spamhaus RPZ team, but so far they
can't seem to find any problems on their side.
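The TCP probe Vernon suggests (a single query over TCP, what `dig +vc` does) and the reading of the "CNAME ." answer, written out as an added Python example. This is not code from the thread, from BIND or from Spamhaus; it builds the query on the wire, parses the reply including compression pointers, and maps the CNAME target to the RPZ action it encodes (BIND documents "." as NXDOMAIN, "*." as NODATA, and the rpz-passthru/rpz-drop/rpz-tcp-only targets). The sample reply bytes are constructed here to mirror the dig output above (flags qr aa rd, NOERROR, TTL 0); the owner name under drop.rpz.spamhaus.org is hypothetical, and `tcp_query` is only needed when probing a live server.

```python
import socket
import struct

QTYPE_A, QTYPE_CNAME = 1, 5

# How BIND encodes RPZ actions as CNAME targets inside a policy zone
# (BIND ARM). The thread's "CNAME ." answer is the NXDOMAIN action.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def encode_name(name):
    """Dotted name -> DNS wire-format labels, terminated by the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query with RD set and one question (what dig sends by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a name that may use compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse the header, skip the question, decode answer RRs (CNAME rdata as a name)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = read_name(msg, off)[0] if rtype == QTYPE_CNAME else msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}


def rpz_action(resp):
    """Translate the first CNAME answer into the RPZ action it encodes, else None."""
    for _, rtype, _, rdata in resp["answers"]:
        if rtype == QTYPE_CNAME:
            return RPZ_ACTIONS.get(rdata, "local-data -> " + rdata)
    return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def tcp_query(server, query, timeout=5.0):
    """Send one query over TCP/53 (the equivalent of dig +vc) and return the reply."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def sample_response():
    """Constructed reply mirroring the dig output in the thread: flags qr aa rd,
    NOERROR, one 'CNAME .' answer with TTL 0. The owner name is hypothetical."""
    qname = "1.2.0.192.in-addr.arpa.drop.rpz.spamhaus.org."
    header = struct.pack("!HHHHHH", 13663, 0x8500, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, 1, 0, 1) + b"\x00"
    return header + question + answer


if __name__ == "__main__":
    # Offline run on the constructed reply; use tcp_query(server, build_query(name))
    # in place of sample_response() to probe a real policy zone over TCP.
    resp = parse_response(sample_response())
    print(resp["answers"], "->", rpz_action(resp))
```

If this TCP probe answers promptly while the AXFR/IXFR still times out, the network path to port 53 is fine and the remaining suspects are the ones named in the thread: the transfer ACL on the primary (which local source address it actually sees), TSIG, or trouble on the primary itself. The authoritative bit and the TTL-0 "CNAME ." answer also confirm that the zone you are reaching really is the policy zone and that the name is listed with the NXDOMAIN action.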