Timeout setting

John W. Blue john.blue at rrcic.com
Thu Mar 25 17:21:36 UTC 2021


When I queried the authoritative server directly it worked:

;; QUESTION SECTION:
;111.250.179.17.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
111.250.179.17.in-addr.arpa. 86400 IN	PTR	rn2-msbadger07105.apple.com.

;; Query time: 62 msec
;; SERVER: 17.47.176.10#53(17.47.176.10)

I would recommend that you too do a dig @ and see what you get.

If it works then you can start examining your on prem configs .. if it does not work then you need to be using Wireshark to figure out what is happening to the traffic.

Either way you need to first break your troubleshooting into two parts .. on prem vs off prem and proceed from there.

Good hunting.

John

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Julien Salort
Sent: Thursday, March 25, 2021 12:11 PM
To: bind-users at lists.isc.org
Subject: Timeout setting

Hello,


I have a VPS running postfix and bind9. Bind is used as a recursive resolver, in particular to be able to query anti-spam databases.

Postfix is also configured to reject incoming connections from servers with no reverse dns.

It works great overall, but sometimes legitimate messages get rejected because the reverse dns query fails.

Here is an example (anonymized email and host address):

In mail.log:

450 4.7.1 Client host rejected: cannot find your reverse hostname, [17.179.250.111]; from=<developer_bounces at insideapple.apple.com> to=<XXX at example.com> proto=ESMTP helo=<rn2-msbadger07105.apple.com> (total: 1)

In named journal:

mars 02 01:14:20 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)

mars 02 01:14:25 example.com named[2756114]: client @0x7f3a08079d00 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)

mars 02 01:14:32 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query failed (timed out) for 111.250.179.17.in-addr.arpa/IN/PTR at query.c:6883

mars 02 01:14:32 example.com named[2756114]: client @0x7f3a000d5110 127.0.0.1#49520 (insideapple.apple.com): query: insideapple.apple.com IN MX + (127.0.0.1)


So there is a timeout.

Now if I try again:

$ dig -x 17.179.250.111 @localhost +short
rn2-msbadger07105.apple.com.


So it seems that it is just that sometimes the query takes a bit longer...


Is there any general advice regarding timeout for bind?

Should I just choose a longer timeout? Or is there a reason for the default value?


I did not have such problems when I was using the ISP dns server instead 
of a local recursive resolver. So I was wondering if the configuration 
is sub-optimal somehow...


Thank you,


Cheers,


Julien
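
A summarizer for the named query log quoted above, added here as an example (not code from either poster or from BIND): it groups lines by client address#port and query name, counts how often the client asked, and measures the time from the first query to the timeout. The function names are illustrative, and it assumes all lines fall on the same day, since only the time of day is parsed.

```python
import re
from collections import defaultdict

# Journal lines from the message above, re-joined onto single lines.
SAMPLE = """\
mars 02 01:14:20 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
mars 02 01:14:25 example.com named[2756114]: client @0x7f3a08079d00 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
mars 02 01:14:32 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query failed (timed out) for 111.250.179.17.in-addr.arpa/IN/PTR at query.c:6883
mars 02 01:14:32 example.com named[2756114]: client @0x7f3a000d5110 127.0.0.1#49520 (insideapple.apple.com): query: insideapple.apple.com IN MX + (127.0.0.1)
"""

# Captures time of day, client address#port, query name, and event type.
LINE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ named\[\d+\]: "
    r"client @\S+ (?P<client>\S+#\d+) \((?P<qname>[^)]+)\): "
    r"(?P<event>query:|query failed \(timed out\))"
)


def summarize(log_text):
    """Group named query-log lines by (client, qname).

    Assumption: all lines fall on one day; only the time of day is parsed
    because the month name in the journal is locale-dependent.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            seen[(m["client"], m["qname"])].append((t, m["event"]))
    report = {}
    for key, events in seen.items():
        times = [t for t, _ in events]
        report[key] = {
            "queries": sum(e == "query:" for _, e in events),
            "timed_out": any(e != "query:" for _, e in events),
            "elapsed": max(times) - min(times),  # seconds, first to last line
        }
    return report


def timeouts(log_text):
    """Only the (client, qname) pairs that ended in a timeout."""
    return {k: v for k, v in summarize(log_text).items() if v["timed_out"]}


if __name__ == "__main__":
    for (client, qname), info in timeouts(SAMPLE).items():
        print(f"{client} {qname}: {info['queries']} queries, "
              f"timed out after {info['elapsed']}s")
```

On the excerpt it reports two queries from 127.0.0.1#43646 for the PTR name and a timeout 12 seconds after the first one; run over a full journal, it lists which names time out and how often.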

