Posted to users@spamassassin.apache.org by email builder <em...@yahoo.com> on 2005/08/18 01:45:03 UTC

Help with RR DNS for spamd?

All,

  I recognize this is a bit OT, but not sure where to turn...?

  I am trying to use DNS to load balance a couple spamd servers.  I am
attempting to return more than one A record for spam.mydomain.com, and I am
getting a correct dig, but just a test telnet is returning "Unknown host".

  What am I doing wrong?  

  Few more details:

  DNS hosted on a separate machine, say dns.mydomain.com.  Our SMTP server is
where the spamc calls out to spamd, and that machine's /etc/resolve has the
dns machine's hostname as the first nameserver entry.  From the SMTP machine,
I do "dig spam.mydomain.com" and I get my desired results:

;; ANSWER SECTION:
spam.mydomain.com.     259200  IN      A       10.10.10.105
spam.mydomain.com.     259200  IN      A       10.10.10.106

  I was pretty excited when I got that far, but then the next step - to try
to manually connect to one of the spamd daemons listening on those 10.
addresses - failed miserably:

# telnet spam.mydomain.com 2009
telnet: spam.mydomain.com: Name or service not known
spam.mydomain.com: Unknown host
#

(the port number above is what spamd is configured to listen on)

Seems like the DNS server is not the problem, but FWIW, the zone file for
mydomain.com has these entries:

spam            A       10.10.10.105
spam            A       10.10.10.106

Help?!??!



		

RE: Help with RR DNS for spamd?

Posted by email builder <em...@yahoo.com>.
> > > You cannot depend on "first DNS" setting on a client -- most DNS 
> > > clients may try ANY of the ones listed -- Windows clients for 
> > > instance certainly work this way.
> > 
> > OK, fair enough (although from my experience, dig always 
> > seems to take the first one it finds that works).  So I took 
> > all other entries out of /etc/resolve.conf on the SMTP(spamc) 
> 
> Dig has/is its own resolver if I recall correctly.
> 
> > Linux telnet has this kind of thing?  Where is it??  I 
> > thought that is what /etc/resolve.conf is.
> 
> Telnet uses the built-in resolver -- most ordinary
> applications work this way.

Hrm.  Any tips on how to make it aware of my new "spam." subdomain?
 
> > > You should generally point clients to ONE CONSISTENT (set of) DNS 
> > > servers which return all the correct answers the client
> > > will ever need.   If the DNS server (set) doesn't know the
> > > answer it must forward or recurse to find it.
> > 
> > Well, since the ultimate client will be spamc, what does spamc use? 
> > Something other than /etc/resolve.conf?
> 
> Most (almost all) regular applications use the built-in
> resolver but IIRC SpamC has this as a configuration/
> environment setting so it (this is true for SpamAssassin 
> and Net::DNS actually) might be using a different setting
> for DNS than the computer as a whole.

OK, so instead of mucking around with telnet, I tried it with spamc, but no
dice.  Maillog shows:

Aug 17 18:35:40 gaia spamc[27064]: gethostbyname(spam.mydomain.com) failed: h_errno=1
Aug 17 18:35:40 gaia spamc[27097]: gethostbyname(spam.mydomain.com) failed: h_errno=1
Aug 17 18:35:41 gaia spamc[27143]: gethostbyname(spam.mydomain.com) failed: h_errno=1
Aug 17 18:35:41 gaia spamc[27144]: gethostbyname(spam.mydomain.com) failed: h_errno=1
  
... and so on...

Thanks so much!

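
The checks discussed in this thread, as an added example that is not from any of the posters: dig sends its own DNS queries, while telnet and spamc go through the system resolver (gethostbyname), which on glibc is driven by /etc/resolv.conf and /etc/nsswitch.conf. The sketch decodes the h_errno in the spamc log lines and checks the contents of those two files; glibc behaviour is assumed and the function names are illustrative.

```python
import ipaddress
import re
import socket

# h_errno values from <netdb.h>
H_ERRNO = {1: "HOST_NOT_FOUND", 2: "TRY_AGAIN", 3: "NO_RECOVERY", 4: "NO_DATA"}
LOG_RE = re.compile(r"spamc\[\d+\]: gethostbyname\(([^)]+)\) failed:\s*h_errno=(\d+)")

def spamc_failures(maillog):
    """Count spamc lookup failures as {(host, h_errno name): count}."""
    counts = {}
    # \s* in LOG_RE also tolerates a mail-wrapped line break before "h_errno=".
    for host, code in LOG_RE.findall(maillog):
        key = (host, H_ERRNO.get(int(code), "UNKNOWN"))
        counts[key] = counts.get(key, 0) + 1
    return counts

def check_resolv_conf(text):
    """Return (nameserver IPs the libc resolver will use, problems found)."""
    servers, problems = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments and search/domain/options lines
        try:
            servers.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:
            problems.append(f"nameserver {fields[1]!r} is not an IP address")
    if len(servers) > 3:
        problems.append("more than 3 nameservers; glibc uses only the first 3")
    return servers[:3], problems

def hosts_sources(nsswitch_text):
    """Return the lookup order on the 'hosts:' line of nsswitch.conf content."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [w for w in line[len("hosts:"):].split() if not w.startswith("[")]
    return []

def libc_lookup(name):
    """Resolve via the system resolver (telnet/spamc path); return (addresses, error)."""
    try:
        return socket.gethostbyname_ex(name)[2], None
    except OSError as exc:
        return [], str(exc)

if __name__ == "__main__":
    print(libc_lookup("spam.mydomain.com"))  # hostname as used in the thread
```

Feed check_resolv_conf and hosts_sources the text of the files on the machine running spamc; a result from libc_lookup that differs from dig's answer points at the resolver configuration rather than the zone.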

RE: Help with RR DNS for spamd?

Posted by Herb Martin <He...@learnquick.com>.
> > You cannot depend on "first DNS" setting on a client -- most DNS 
> > clients may try ANY of the ones listed -- Windows clients for 
> > instance certainly work this way.
> 
> OK, fair enough (although from my experience, dig always 
> seems to take the first one it finds that works).  So I took 
> all other entries out of /etc/resolve.conf on the SMTP(spamc) 

Dig has/is its own resolver if I recall correctly.

> Linux telnet has this kind of thing?  Where is it??  I 
> thought that is what /etc/resolve.conf is.

Telnet uses the built-in resolver -- most ordinary
applications work this way.

> > You should generally point clients to ONE CONSISTENT (set of) DNS 
> > servers which return all the correct answers the client
> > will ever need.   If the DNS server (set) doesn't know the
> > answer it must forward or recurse to find it.
> 
> Well, since the ultimate client will be spamc, what does spamc use? 
> Something other than /etc/resolve.conf?

Most (almost all) regular applications use the built-in
resolver but IIRC SpamC has this as a configuration/
environment setting so it (this is true for SpamAssassin 
and Net::DNS actually) might be using a different setting
for DNS than the computer as a whole.
 
> Also, will my local IP addresses in my zone file get 
> propagated to other DNS servers?  (If what you say about 
> consistency is important, and I put more than one nameserver 
> in /etc/resolve.conf, I will want to make sure they propagate 
> to the other DNS servers).

It will propagate to all Secondary DNS servers that hold that
SAME zone (notice that a Secondary DNS server is only Secondary
for one zone at a time -- it might be Primary for other zones,
and of course doesn't hold every possible zone.)

So if your zone is mydomain.com with spam.mydomain.com being a
resource record in that zone, then every DNS server that holds
mydomain.com (i.e., is authoritative for mydomain.com) will
have that record replicated to it (if everything is working
reasonably OK.)


--
Herb Martin
 


RE: Help with RR DNS for spamd?

Posted by email builder <em...@yahoo.com>.
> >   I recognize this is a bit OT, but not sure where to turn...?
> > 
> >   I am trying to use DNS to load balance a couple spamd 
> > servers.  I am attempting to return more than one A record 
> > for spam.mydomain.com, and I am getting a correct dig, but 
> > just a test telnet is returning "Unknown host".
> > 
> >   What am I doing wrong?  
> 
> If it only lasts 5 minutes (or less) then your previous
> (before creating the records) would typically be cached
> by a modern Windows CLIENT.  While DNS has long been
> cached at the server, Microsoft started caching at the
> client (by default) in Win2000.

This is all being done in linux, no Windoze involved, thank god.  Anyway, the
problem has lasted much longer than 5 minutes.  :)
 
> >   Few more details:
> > 
> >   DNS hosted on a separate machine, say dns.mydomain.com.  
> 
> Separate machines?  Do you mean different DNS servers or
> just separate from the SMTP/spamd machine?

Just that Bind is running on a different machine than is SMTP and spamc. 
They are both on the same local network.
 
> If your spam.mydomain.com is not on the same machine as
> the mydomain.com zone then you would (likely) need to 
> delegate (but that doesn't seem to be your issue.)

Not sure I follow, but just to clarify a bit, the spamd, SMTP(spamc) and DNS
machines are all separate machines but in the same local network.  I don't
even think it matters how/if/what/why about the connection to the outside
Internet since I am just trying to resolve locally.

> > Our SMTP server is where the spamc calls out to spamd, and 
> > that machine's /etc/resolve has the dns machine's hostname as 
> > the first nameserver entry.  From the SMTP machine, I do "dig 
> > spam.mydomain.com" and I get my desired results:
> 
> You cannot depend on "first DNS" setting on a client -- most
> DNS clients may try ANY of the ones listed -- Windows clients
> for instance certainly work this way.

OK, fair enough (although from my experience, dig always seems to take the
first one it finds that works).  So I took all other entries out of
/etc/resolve.conf on the SMTP(spamc) machine, but still getting the same
results: dig works great, but telnet bails.  Again, I am using telnet from a
linux command prompt on the SMTP box -- is there a telnet host cache for
linux??
 
> A DNS client typically expects EVERY DNS Server to return the
> SAME answers (although a resolver/OS could be constructed to
> "keep trying" this is not typical.)
> 
> > ;; ANSWER SECTION:
> > spam.mydomain.com.     259200  IN      A       10.10.10.105
> > spam.mydomain.com.     259200  IN      A       10.10.10.106
> > 
> >   I was pretty excited when I got that far, but then the next 
> > step - to try to manually connect to one of the spamd daemons 
> > listening on those 10.
> > addresses - failed miserably:
> > 
> > # telnet spam.mydomain.com 2009
> > telnet: spam.mydomain.com: Name or service not known
> > spam.mydomain.com: Unknown host
> > #
> > 
> > (the port number above is what spamd is configured to listen on)
> 
> Likely you have more than one DNS server listed on the "telnet
> client" and the client resolver is using the "wrong" one.

Linux telnet has this kind of thing?  Where is it??  I thought that is what
/etc/resolve.conf is.
 
> You should generally point clients to ONE CONSISTENT (set of)
> DNS servers which return all the correct answers the client
> will ever need.   If the DNS server (set) doesn't know the
> answer it must forward or recurse to find it.

Well, since the ultimate client will be spamc, what does spamc use? 
Something other than /etc/resolve.conf?

Also, will my local IP addresses in my zone file get propagated to other DNS
servers?  (If what you say about consistency is important, and I put more
than one nameserver in /etc/resolve.conf, I will want to make sure they
propagate to the other DNS servers).

Thanks, Herb.

> > Seems like the DNS server is not the problem, but FWIW, the 
> > zone file for mydomain.com has these entries:
> > 
> > spam            A       10.10.10.105
> > spam            A       10.10.10.106
> 
> --
> Herb Martin
> 
> 
> 



		
 

RE: Help with RR DNS for spamd?

Posted by Herb Martin <He...@learnquick.com>.
> From: email builder [mailto:emailbuilder88@yahoo.com] 
> All,
> 
>   I recognize this is a bit OT, but not sure where to turn...?
> 
>   I am trying to use DNS to load balance a couple spamd 
> servers.  I am attempting to return more than one A record 
> for spam.mydomain.com, and I am getting a correct dig, but 
> just a test telnet is returning "Unknown host".
> 
>   What am I doing wrong?  

If it only lasts 5 minutes (or less) then your previous
(before creating the records) would typically be cached
by a modern Windows CLIENT.  While DNS has long been
cached at the server, Microsoft started caching at the
client (by default) in Win2000.

>   Few more details:
> 
>   DNS hosted on a separate machine, say dns.mydomain.com.  

Separate machines?  Do you mean different DNS servers or
just separate from the SMTP/spamd machine?

If your spam.mydomain.com is not on the same machine as
the mydomain.com zone then you would (likely) need to 
delegate (but that doesn't seem to be your issue.)

> Our SMTP server is where the spamc calls out to spamd, and 
> that machine's /etc/resolve has the dns machine's hostname as 
> the first nameserver entry.  From the SMTP machine, I do "dig 
> spam.mydomain.com" and I get my desired results:

You cannot depend on "first DNS" setting on a client -- most
DNS clients may try ANY of the ones listed -- Windows clients
for instance certainly work this way.

A DNS client typically expects EVERY DNS Server to return the
SAME answers (although a resolver/OS could be constructed to
"keep trying" this is not typical.)

> ;; ANSWER SECTION:
> spam.mydomain.com.     259200  IN      A       10.10.10.105
> spam.mydomain.com.     259200  IN      A       10.10.10.106
> 
>   I was pretty excited when I got that far, but then the next 
> step - to try to manually connect to one of the spamd daemons 
> listening on those 10.
> addresses - failed miserably:
> 
> # telnet spam.mydomain.com 2009
> telnet: spam.mydomain.com: Name or service not known
> spam.mydomain.com: Unknown host
> #
> 
> (the port number above is what spamd is configured to listen on)

Likely you have more than one DNS server listed on the "telnet
client" and the client resolver is using the "wrong" one.

You should generally point clients to ONE CONSISTENT (set of)
DNS servers which return all the correct answers the client
will ever need.   If the DNS server (set) doesn't know the
answer it must forward or recurse to find it.

> Seems like the DNS server is not the problem, but FWIW, the 
> zone file for mydomain.com has these entries:
> 
> spam            A       10.10.10.105
> spam            A       10.10.10.106

--
Herb Martin