Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2022/12/02 13:04:40 UTC

RBL timeouts

Hi,

Is anyone (everyone?) also experiencing DNS timeouts with barracuda?

02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53

I'm also seeing a few timeouts from mcafee:

24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729

I don't necessarily think there's something wrong with my nameservers - I'm
more just surprised that such high-profile companies are having problems
and wanted to confirm.

Any bind experts know of a way to record which nameserver is timing out so
I can perhaps exclude them? Any idea why it wouldn't just rotate to the
next one, or even how to confirm whether it's doing that?

Re: RBL timeouts

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2022-12-02 14:04:

> Any bind experts know of a way to record which nameserver is timing
> out so I can perhaps exclude them? Any idea why it wouldn't just
> rotate to the next one, or even how to confirm whether it's doing
> that?

you are using

1: rbls not default in spamassassin
2: not checking 2nd hand sites if the ips are listed

remove dead rbls in spamassassin, problem solved


https://multirbl.valli.org/lookup/13.111.22.168.html
https://multirbl.valli.org/lookup/216.209.245.104.html
https://multirbl.valli.org/lookup/37.10.31.17.html

seems ok, remove cidr.bl.mcafee.com or convince multirbl to add it :=)

Re: RBL timeouts

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2022-12-02 at 08:04:40 UTC-0500 (Fri, 2 Dec 2022 08:04:40 -0500)
Alex <my...@gmail.com>
is rumored to have said:

> Hi,
>
> Is anyone (everyone?) also experiencing DNS timeouts with barracuda?

Chronically, for years, until I gave up on them. Not worthy of production
use.

> 02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
> 02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53

But that is NOT a timeout. SERVFAIL is an explicit affirmative reply 
that the answering server cannot give any valid answer to the query.

> I'm also seeing a few timeouts from mcafee:
>
> 24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729
>
> I don't necessarily think there's something wrong with my nameservers - I'm
> more just surprised that such high-profile companies are having problems
> and wanted to confirm.

Big companies have big problems. High-profile companies have 
high-profile problems.

> Any bind experts know of a way to record which nameserver is timing out so
> I can perhaps exclude them? Any idea why it wouldn't just rotate to the
> next one, or even how to confirm whether it's doing that?

The SERVFAIL errors are very likely immune to any workaround attempt.
The timeouts should already be handled as best they can be by BIND & the 
system resolver, given reasonable query timeout and retry values, such 
as OS defaults. Note that it may not make sense for a resolver to allow 
slow DNSBL lookups to block a message transaction from proceeding.

It is unlikely that you can tune BIND and/or your system resolver to 
reduce timeouts in any meaningful ways. The exception to that would be 
if your system is generally overloaded and BIND is just not getting the 
resources (cpu and memory) it needs to operate fast. You would likely 
notice that sort of overload.



-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
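
Added example (not part of any poster's message, and not SpamAssassin or BIND code): a small Python tally of the two BIND log categories quoted in this thread, keeping timeouts and SERVFAIL replies separate per DNSBL zone. It assumes log lines shaped like the ones quoted above and IPv4-style DNSBL query names; the names summarize and dnsbl_zone are made up for this sketch. In the quoted lines only the lame-servers entry carries an upstream server address, so that is the only category attributed to a server here.

```python
import re
from collections import defaultdict

# The three log lines quoted in the thread, with the mail line wraps joined.
SAMPLE_LOG = """\
02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53
24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729
"""

# query-errors category: the lookup got no answer in time (no upstream address logged).
TIMEOUT_RE = re.compile(r"query-errors: .*query failed \(timed out\) for (?P<name>\S+?)/IN/A\b")
# lame-servers category: an upstream server answered explicitly with SERVFAIL.
SERVFAIL_RE = re.compile(
    r"lame-servers: SERVFAIL unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/[^']*': (?P<server>[0-9a-fA-F.:]+)#\d+"
)
# Assumption: query names are four reversed IPv4 octets followed by the list zone.
REVERSED_V4_RE = re.compile(r"^(?:\d{1,3}\.){4}(?P<zone>.+)$")

def dnsbl_zone(qname):
    """Strip the reversed-IPv4 prefix, leaving the DNSBL zone."""
    m = REVERSED_V4_RE.match(qname)
    return (m.group("zone") if m else qname).lower()

def summarize(log_text):
    """Return {zone: {"timeout": n, "servfail": n, "servfail_servers": set}}."""
    stats = defaultdict(lambda: {"timeout": 0, "servfail": 0, "servfail_servers": set()})
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            stats[dnsbl_zone(m.group("name"))]["timeout"] += 1
            continue
        m = SERVFAIL_RE.search(line)
        if m:
            entry = stats[dnsbl_zone(m.group("name"))]
            entry["servfail"] += 1
            entry["servfail_servers"].add(m.group("server"))
    return dict(stats)

if __name__ == "__main__":
    for zone, s in sorted(summarize(SAMPLE_LOG).items()):
        servers = ", ".join(sorted(s["servfail_servers"])) or "-"
        print(f"{zone}: timeouts={s['timeout']} servfail={s['servfail']} servfail_from={servers}")
```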