
System setup: Linux Red Hat Enterprise Linux ES release 4 (Nahant Update 9), Postfix mail server

I have a user who is trying to send an e-mail. E-Mail on this server has been working for years without any (on-going) problems. Now this user can't e-mail a specific server, and only that server. I have tested my account and can't e-mail the server either.

When I do a dig for the mx record, I get this:

dig -t mx xxxxxxxxx.com
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached

When I run the same command with +ignore, it works.

I have run this command and it shows my UDP packet sizes:

dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2013-06-14 22:41:30 UTC"
"72.51.49.20 sent EDNS buffer size 4096"
"72.51.49.20 DNS reply size limit is at least 3843"

That seems large enough but I don't know.

I added OpenDNS servers to my resolv.host, but it didn't help.

The server is old (circa 2008) and will soon be replaced. I suspect that will fix the problem, but replacement is still two to four weeks away and I'd like to fix it in the meantime.

Postfix gives me this in the maillog for this server:

Jun 14 16:01:35 postfix/smtp[10962]: to=, relay=none, delay=94925, delays=94358/0.03/567/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=xxxxxxx.com type=MX: Host not found, try again)

Not sure if I need to change postfix somehow or named or what.

Thanks bqb

  • It's awfully hard to troubleshoot without knowing the domain. But it sounds like a broken firewall to me, blocking TCP port 53. – David Schwartz Jun 15 '13 at 01:54
  • There is a 512-byte limit to UDP; if the reply is bigger than that it retries using TCP. Did you try setting the `bufsize` option in dig, like `dig +bufsize=2048 xxxxx.com`? – Daniel t. Jun 15 '13 at 02:08
  • If you want a definitive diagnosis you'll need to tell us your domain name, but I think David is right: you probably have a firewall that is blocking port 53/TCP (because *someone* set up a firewall without reading [RFC 5966](http://tools.ietf.org/html/rfc5966)...), and your MX record list is probably long enough that it doesn't fit in a single UDP packet. – voretaq7 Jun 15 '13 at 04:28
  • @Danielt. - Using +bufsize=2048 worked. How can this be implemented? Thanks – Bumptious Q Bangwhistle Jun 15 '13 at 15:44
  • My net.core.rmem_max is the default value, 131071. – Bumptious Q Bangwhistle Jun 15 '13 at 15:52
  • In your BIND configuration, you will need to put `max-udp-size 2048` or any other size. Follow this SF link - http://serverfault.com/questions/348399/force-forwarder-dns-requests-to-tcp-mode – Daniel t. Jun 16 '13 at 03:49
  • I got an error when I added max-udp-size to my named.conf, though I did not get an error with edns-udp-size. My BIND version is 9.2.4. I checked my local firewall (not the hardware firewall) and only UDP was available over port 53. I added TCP and it worked. Thanks for your help. – Bumptious Q Bangwhistle Jun 16 '13 at 21:41

1 Answer

This first error line was a warning message.

;; Truncated, retrying in TCP mode.

Nils, in his thread on SF, Force forwarder DNS requests to TCP mode, gives the following explanation:

The first query goes out in UDP mode, the answer does not fit into UDP (due to the longish list of authoritative NS), then it is retried in TCP mode, delivering the right answer.

The second one was a permanent error: dig couldn't reach any NS server.

;; connection timed out; no servers could be reached

You can tell dig to advertise a large receive buffer, for example dig +bufsize=2048 xxxxx.com.

Based on your comment, it worked in your case.

Solution

You can try to set parameter edns-udp-size and/or max-udp-size in your named.conf as Alnitak pointed out in his answer.

Also check your firewall rules to allow TCP packets over port 53. It looks like this is the reason why your dig timed out in TCP mode.

masegaloeh
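What `+bufsize` and the "retrying in TCP mode" fallback do on the wire, as an added example that is not part of the original question or answer. It uses only the Python standard library; the domain name, transaction ID and the sample truncated reply are constructed for illustration, and `resolve_raw` is the only function that touches the network (you call it yourself against a resolver of your choice).

```python
"""
Added example (not from the original post): build a DNS query with and without
an EDNS0 OPT record (what `dig +bufsize=N` adds), detect the TC bit that makes
dig retry over TCP, and frame the retry the way DNS over TCP requires.
"""
import socket
import struct
from typing import Optional

DNS_PORT = 53
TYPE_MX = 15
TYPE_OPT = 41
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512   # RFC 1035 payload cap when no EDNS0 OPT record is sent
FLAG_QR = 0x8000
FLAG_TC = 0x0200          # header "truncated" bit: the reply did not fit in UDP
FLAG_RD = 0x0100


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Offset just past the name at msg[pos:], honouring 0xC0 compression pointers."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return pos + 2
        pos += 1 + length


def build_query(name: str, qtype: int = TYPE_MX, txid: int = 0x1234,
                edns_bufsize: Optional[int] = None) -> bytes:
    """Recursive query. With edns_bufsize set, append an EDNS0 OPT pseudo-record
    (RFC 6891) advertising that UDP payload size, exactly what `dig +bufsize=N`
    does; without it the server must truncate any reply over 512 bytes."""
    arcount = 1 if edns_bufsize is not None else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & FLAG_TC)}


def advertised_bufsize(msg: bytes) -> int:
    """UDP payload size advertised via EDNS0, or 512 if the message has no OPT record."""
    h = parse_header(msg)
    pos = 12
    for _ in range(h["qdcount"]):
        pos = skip_name(msg, pos) + 4                  # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(response: bytes) -> bool:
    """dig's rule: a UDP reply with TC set is repeated, unchanged, over TCP/53."""
    return parse_header(response)["tc"]


def sample_truncated_response(query: bytes) -> bytes:
    """Constructed sample: QR+TC set, question echoed, no records, as a resolver
    answers when the full MX/NS set exceeds the client's advertised buffer."""
    txid = parse_header(query)["id"]
    question = query[12:skip_name(query, 12) + 4]
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0) + question


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf


def resolve_raw(name: str, server: str, bufsize: Optional[int] = None,
                timeout: float = 3.0) -> bytes:
    """UDP first, TCP if truncated. UDP answering with TC while the TCP leg times
    out is the signature of a firewall dropping TCP/53, the symptom in this thread."""
    query = build_query(name, edns_bufsize=bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        resp, _ = udp.recvfrom(max(bufsize or 0, CLASSIC_UDP_LIMIT))
    if not needs_tcp_retry(resp):
        return resp
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return recv_exact(tcp, length)
```

Run `resolve_raw("your-domain.example", "127.0.0.1")` on the affected box: if the plain UDP reply comes back with TC set and the TCP retry times out, the local firewall is dropping TCP/53 and the fix is the rule the asker eventually added. Passing `bufsize=2048` reproduces what `dig +bufsize=2048` did: the answer then fits in one UDP datagram and TCP is never attempted, which is why it "worked" without curing the underlying block.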