Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?
Emanuele Balla (aka Skull)
skull at bofhland.org
Fri Mar 8 07:51:25 UTC 2013
On 3/8/13 2:04 AM, Steven Carr wrote:
> I'm having the same issues with zone transfers timing out, but I can
> perform queries directly to the RPZ servers, so there is nothing wrong
> from the network/firewall side of things.
> sjcarr at elmo:~ $ dig +vc 18.104.22.168.in-addr.arpa.drop.rpz.spamhaus.org
> ; <<>> DiG 9.8.3-P1 <<>> +vc
> 22.214.171.124.in-addr.arpa.drop.rpz.spamhaus.org @126.96.36.199
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13663
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> ;; QUESTION SECTION:
> ;188.8.131.52.in-addr.arpa.drop.rpz.spamhaus.org. IN A
> ;; ANSWER SECTION:
> 184.108.40.206.in-addr.arpa.drop.rpz.spamhaus.org. 0 IN CNAME .
> ;; Query time: 100 msec
> ;; SERVER: 220.127.116.11#53(18.104.22.168)
> ;; WHEN: Fri Mar 8 00:56:46 2013
> ;; MSG SIZE rcvd: 77
This shows you're at least allowed to contact their server on TCP.
What do you see if you run the axfr query manually *and* run a packet
capture for it?
Does the TCP handshake happen or not?
If yes, maybe the problem could be caused by an MTU blackhole along the
path, or something similar...
More information about the bind-users