
I have just upgraded my working email server from Ubuntu 14.04 to 16.04, which caused many issues. One of the issues I couldn't resolve is this: I run a caching bind9 DNS with a pretty standard configuration:

named.conf.options:

acl goodclients {
  10.12.0.0/24;
  localhost;
  localnets;
};
options {
  directory "/var/cache/bind";
  dnssec-validation auto;
  recursion yes;
  allow-query { goodclients; };
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
};

Normal queries work fine with all clients (all on localhost).

However, if I try to resolve e.g. lux.smtp-out.eu-west-1.amazonses.com, I get the correct answer from dig:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> lux.smtp-out.eu-west-1.amazonses.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27309
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lux.smtp-out.eu-west-1.amazonses.com. IN A

;; ANSWER SECTION:
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.143
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.142
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.139
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.200
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.136
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.201
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.203
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.205
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.202
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.138
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.137
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.141
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.206
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.204
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.140
lux.smtp-out.eu-west-1.amazonses.com. 900 IN A  176.32.127.207

;; AUTHORITY SECTION:
amazonses.com.      171390  IN  NS  pdns4.ultradns.org.
amazonses.com.      171390  IN  NS  pdns5.ultradns.info.
amazonses.com.      171390  IN  NS  pdns1.ultradns.net.
amazonses.com.      171390  IN  NS  pdns6.ultradns.co.uk.
amazonses.com.      171390  IN  NS  ns1.p31.dynect.net.
amazonses.com.      171390  IN  NS  ns2.p31.dynect.net.
amazonses.com.      171390  IN  NS  pdns2.ultradns.net.
amazonses.com.      171390  IN  NS  pdns3.ultradns.org.

;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 23 10:21:22 CET 2016
;; MSG SIZE  rcvd: 539

However, from nslookup I get

;; Truncated, retrying in TCP mode.
Server:     127.0.0.1
Address:    127.0.0.1#53

** server can't find lux.smtp-out.eu-west-1.amazonses.com: REFUSED

and from host

Host lux.smtp-out.eu-west-1.amazonses.com not found: 5(REFUSED)

More importantly, postfix bounces emails from that address, because it can't resolve the host name.

Here is the bind9 query log:

client 127.0.0.1#39803 (lux.smtp-out.eu-west-1.amazonses.com): query: lux.smtp-out.eu-west-1.amazonses.com IN A +E (127.0.0.1)
client 127.0.0.1#40264 (lux.smtp-out.eu-west-1.amazonses.com): query: lux.smtp-out.eu-west-1.amazonses.com IN A + (127.0.0.1)

The first entry is from the dig query, the second entry from nslookup (same for other clients). The only difference is the E flag for edns0.

What I have tried already:

  • purged and reinstalled bind9; I only edited the named.conf.options shown above
  • disabled the firewall, with the same results

For now, I'm stumped...

mattti

1 Answer

Ok, this is embarrassing:

I had dnsmasq installed beside bind (it was deactivated), which apparently got started again after the upgrade to 16.04.

After removing dnsmasq, everything worked again.

Sorry for wasting anybody's time...

mattti
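The root cause above is a second resolver (dnsmasq) that came back to life after the upgrade and competed with bind9 for port 53, so some lookups landed on a daemon that answered REFUSED. The quickest way to catch that before mail bounces is to list every process bound to port 53. The script below is an added example, not code from the original post or from the bind9/dnsmasq projects: it parses `ss -lntup` output and reports each listener on port 53 with its owning process, flags the case where more than one process owns the port, and ships with a constructed `ss` sample (the process names, PIDs and addresses in it are made up for the demonstration and are not from the poster's machine).

```shell
#!/bin/sh
# Added example (not part of the original Q&A): detect more than one resolver
# bound to port 53, which is the failure mode behind the REFUSED answers above.

# Parse `ss -lntup`-style output from stdin and print one line per socket
# bound to port 53: "<proto> <local_addr:port> <process>".
# Works on either a live `ss` run or a captured sample.
port53_listeners() {
    awk '
        # Data rows: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
        NR > 1 && $5 ~ /:53$/ {
            proc = "?"
            # Process column looks like users:(("named",pid=1201,fd=21))
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print $1, $5, proc
        }' | sort -u
}

# Number of distinct process names that own a port-53 socket.
# Anything above 1 means two resolvers are fighting over the port.
count_port53_owners() {
    port53_listeners | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Exit 0 when exactly one process owns port 53, 1 otherwise.
check_single_resolver() {
    n=$(count_port53_owners)
    [ "$n" -eq 1 ]
}

# Live check; needs ss(8) and, to see other users' process names, root.
live_port53_check() {
    command -v ss >/dev/null 2>&1 || { echo "ss(8) not found" >&2; return 2; }
    ss -lntup | port53_listeners
}

# Constructed sample of `ss -lntup` output (NOT captured from the poster's
# host): named holds the loopback sockets while a stray dnsmasq sits on the
# wildcard address, so clients may reach either daemon.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*     users:(("dnsmasq",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*     users:(("named",pid=1201,fd=512))
udp   UNCONN 0      0      [::1]:53          [::]:*        users:(("named",pid=1201,fd=513))
tcp   LISTEN 0      10     127.0.0.1:53      0.0.0.0:*     users:(("named",pid=1201,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))'

# Demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | port53_listeners
#   printf '%s\n' "$SAMPLE_SS" | check_single_resolver || echo "more than one resolver on port 53"
```

Run `live_port53_check` on the mail host after an upgrade; if it prints more than one process name, stop or remove the extra daemon (here, dnsmasq) before trusting anything `nslookup`, `host` or postfix report, since they may be talking to the wrong resolver.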