Spamhaus Win 2008 DNS server

 
We upgraded our internal DNS servers to Win 2008 this weekend. I've noticed that spamhaus DNS lookups now fail. The message below is what I see in the logs. I've also noticed that an nslookup doesn't return 127.0.0.2 or Non-existent domain, it now returns a valid IP address. Not sure if this is related.

Version: 4.4 REGISTERED
Log Mode: Verbose
Server: ati-ntmail.archtest.com
Source: SMTPSVC-1
Time: 3/7/2011 11:45:30 AM
Class: System Message
Severity: Warning
Actions: (not available)
Filtering Point: Before Arrival
HELO/EHLO Domain: (not available)
Related IP Address: 74.10.7.148
Message ID: (not available)
Email Subject: (not available)
Sender:
Recipient(s):
* <removed>
Message:
DNS error. Test: "DNSBL: SPAMHAUS-ZEN", server: "100.100.100.9", domain: "148.7.10.74.zen.spamhaus.org", record type: A, protocol: UDP. Server response: DNS server or domain failure (SERVFAIL, RCODE 2).


Aaron Wetherhold (March 7, 2011)
SERVFAIL, RCODE 2 simply means "Server failure - The name server was unable to process this query due to a problem with the name server." I'm not sure why Spamhaus does not work while other DNS-based tests work fine (if I understand the issue correctly); it might be an issue on their end, or you violated the free usage terms and they blocked you (http://www.spamhaus.org/organization/dnsblusage.html).

If that does not explain the problem, you might try the following (possible) solutions:

1. EDNS is enabled by default for the first time in 2008 R2. You might try disabling EDNS probes by issuing the following command:

dnscmd /config /EnableEDNSProbes 0

http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

http://technet.microsoft.com/en-us/l.../cc787130.aspx

2. Windows Server 2008 DNS may stop processing some TLDs when using root hints, unless the TTL is set suitably high (see http://support.microsoft.com/kb/968372). You should try setting the MaxCacheTTL registry value to 2 days or greater, as the article suggests, to see if that solves the problem.

Please let us know if any of the above has helped.
Krisztian Fekete (March 8, 2011)
Digging a bit more, I believe it is because the new DNS servers are using our Comcast cable modem as the default gateway to the internet. We have two gateways, and previously the DNS servers were using the other. I think Spamhaus is blocking all queries from Comcast.
Aaron Wetherhold (March 8, 2011)
That is very easily possible, because ISP DNS servers aggregate traffic from their network, so they are likely to violate the fair use policy and thus get firewalled out.
Peter Karsai (ORF Team) (March 9, 2011)
I was sure that was the answer, but when I contacted Spamhaus they told me I was incorrect and they specifically looked up my IP address and said it was not being blocked.

Interestingly, when I do an nslookup on spamhaus.org I receive a reply, but when I do it on zen.spamhaus.org it fails. I'm still not sure what is going on. I'm going to dig more and if I find an answer I'll post it.
Aaron Wetherhold (March 9, 2011)
Thanks Aaron, please keep us posted.
Peter Karsai (ORF Team) (March 10, 2011)
It was the EDNS that Krisztian mentioned in his post. Turning it off fixed the problem.
Aaron Wetherhold (March 11, 2011)
Thanks for the feedback, glad to hear it solved the problem :)
Krisztian Fekete (March 16, 2011)
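
For reference, the lookup behind the log entry in the first post, as an added example that is not ORF's code or part of the original thread: it builds the DNSBL query name from the related IP address and classifies a resolver reply, keeping SERVFAIL and answers outside 127.0.0.0/8 apart from a real "listed" or "not listed" result. The function names and the sample replies are constructed for illustration; IPv6 handling follows the RFC 5782 nibble format and goes beyond the thread's case.

```python
import ipaddress

# DNS RCODEs (RFC 1035); SERVFAIL is the "RCODE 2" in the ORF log entry.
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer range


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reversed address labels + zone, e.g. 148.7.10.74.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer gives '148.7.10.74.in-addr.arpa' (nibbles + 'ip6.arpa'
    # for IPv6); strip the two-label arpa suffix and append the list zone.
    return addr.reverse_pointer.rsplit(".", 2)[0] + "." + zone


def classify_dnsbl_reply(rcode, a_records):
    """Return 'listed', 'not-listed', 'resolver-failure' or 'invalid-answer'."""
    if rcode == NXDOMAIN:
        return "not-listed"
    if rcode != NOERROR:
        # SERVFAIL etc. says nothing about the IP; never count it as a verdict.
        return "resolver-failure"
    if not a_records:
        return "not-listed"  # NOERROR with no A record: nothing to act on
    answers = [ipaddress.ip_address(a) for a in a_records]
    if all(a in DNSBL_ANSWERS for a in answers):
        return "listed"
    # An address outside 127.0.0.0/8 is not a DNSBL result code (RFC 5782).
    return "invalid-answer"


# Constructed replies (rcode, A records), not captured traffic.
SAMPLES = {
    "servfail as in the log": (SERVFAIL, []),
    "nxdomain": (NXDOMAIN, []),
    "listed": (NOERROR, ["127.0.0.2"]),
    "routable address returned": (NOERROR, ["203.0.113.10"]),
}

if __name__ == "__main__":
    print(dnsbl_query_name("74.10.7.148"))
    for label, (rcode, records) in SAMPLES.items():
        print(f"{label:28} -> {classify_dnsbl_reply(rcode, records)}")
```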