I have just upgraded my working email server from Ubuntu 14.04 to 16.04, which caused many issues. One of the issues I couldn't resolve is this: I run a caching bind9 DNS with a pretty standard configuration:
named.conf.options:
acl goodclients {
10.12.0.0/24;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
dnssec-validation auto;
recursion yes;
allow-query { goodclients; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Normal queries work fine with all clients (all on localhost).
However, if I try to resolve e.g. lux.smtp-out.eu-west-1.amazonses.com, I get the correct answer from dig:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> lux.smtp-out.eu-west-1.amazonses.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27309
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lux.smtp-out.eu-west-1.amazonses.com. IN A
;; ANSWER SECTION:
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.143
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.142
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.139
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.200
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.136
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.201
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.203
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.205
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.202
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.138
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.137
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.141
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.206
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.204
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.140
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A 176.32.127.207
;; AUTHORITY SECTION:
amazonses.com. 171390 IN NS pdns4.ultradns.org.
amazonses.com. 171390 IN NS pdns5.ultradns.info.
amazonses.com. 171390 IN NS pdns1.ultradns.net.
amazonses.com. 171390 IN NS pdns6.ultradns.co.uk.
amazonses.com. 171390 IN NS ns1.p31.dynect.net.
amazonses.com. 171390 IN NS ns2.p31.dynect.net.
amazonses.com. 171390 IN NS pdns2.ultradns.net.
amazonses.com. 171390 IN NS pdns3.ultradns.org.
;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 23 10:21:22 CET 2016
;; MSG SIZE rcvd: 539
However, from nslookup I get
;; Truncated, retrying in TCP mode.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find lux.smtp-out.eu-west-1.amazonses.com: REFUSED#
and from host
Host lux.smtp-out.eu-west-1.amazonses.com not found: 5(REFUSED)
More importantly, postfix bounces emails from that address, because it can't resolve the host name.
Here is the bind9 query log:
client 127.0.0.1#39803 (lux.smtp-out.eu-west-1.amazonses.com): query: lux.smtp-out.eu-west-1.amazonses.com IN A +E (127.0.0.1)
client 127.0.0.1#40264 (lux.smtp-out.eu-west-1.amazonses.com): query: lux.smtp-out.eu-west-1.amazonses.com IN A + (127.0.0.1)
The first entry is from the dig query, the second from nslookup (the same for the other clients). The only difference is the E flag for EDNS0.
What I have tried already:
- purged and reinstalled bind9; I only edited named.conf.options, shown above
- disabled the firewall, with the same results
For now, I'm stumped...