T_ANY

Lightner, Jeff jlightner at water.com
Fri Mar 19 20:30:50 UTC 2010


Maybe it's a difference between udp and tcp in your firewall?  

For most queries udp 53 is used but for long packets it might switch to
tcp 53 - since you're doing an any you're going to get a lot more data.


-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Glenn English
Sent: Friday, March 19, 2010 4:13 PM
To: bind-users at lists.isc.org
Subject: T_ANY

I posted this to the postfix users list:

One of my users had problems receiving from Yahoo a couple days ago. The
sender (in FLA) got this:

>> From: "MAILER-DAEMON at yahoo.com" <MAILER-DAEMON at yahoo.com>
>> To: xxxxx at yahoo.com
>> Sent: Sun, March 7, 2010 5:51:09 PM
>> Subject: failure notice
>> 
>> Hi. This is the qmail-send program at yahoo.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>> 
>> <xxxxx at slsware.com>:
>> CNAME lookup failed temporarily. (#4.4.3)
>> I'm not going to try again; this message has been in the queue too long.

I got responses saying that the problem was that my DNS ignores 

'dig @ns1.slsware.com -t any slsware.com' (or 'dig +trace -t any slsware.com')

and indeed it does, from outside. From inside it's fine, and '-t MX'
works from anywhere. Yahoo's MTA (qmail) does T_ANY lookups, so it
thinks there's nobody home at my nameserver. But I can't get anybody
over on the postfix list to suggest what might be wrong. I spent the
morning with google, and couldn't find anything that looked like it
might be the answer.

The obvious answer is firewalling, but I don't think that's it. A query
from inside goes through the same PIX firewall as would a query from
outside; the pix is configured "no fixup protocol dns"; I don't think
IOS in the router knows anything about what type of DNS query is coming
in; and the same query to the other nameserver ('dig
@ns1.richeyrentals.com -t any slsware.com') also fails. That one's also
behind a PIX, but has a non-IOS router.

Both servers are Debian lenny, 'named -v' says BIND 9.5.1-P3, and bind's
config check says it's OK. But it has nothing to do with any of that, I
think, because the query works from inside.

Any ideas?
 
-- 
Glenn English
ghe at slsware.com



_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
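
An added example, not part of either post: a Python sketch of the check suggested in the reply above, sending the same T_ANY query over UDP and retrying over TCP when the reply has the TC (truncated) bit set. The function names and the sample header are constructed for illustration; `probe` needs network access, while the other functions run offline.

```python
import socket
import struct

QTYPE_ANY = 255  # T_ANY
# Constructed sample: header only, flags QR|AA|TC (0x8600), no answers.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 0)

def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Encode a plain (no EDNS) DNS query with RD=0, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the header fields that matter for the UDP-versus-TCP question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": an}

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def diagnose(udp_reply, tcp_reply):
    """Classify a probe; None means no reply arrived on that transport."""
    if udp_reply is None:
        return "udp/53 blocked or dropped"
    if not parse_header(udp_reply)["tc"]:
        return "udp answer complete"
    if tcp_reply is None:
        return "udp truncated, tcp/53 blocked"
    return "udp truncated, tcp retry ok"

def probe(server, name, qtype=QTYPE_ANY, timeout=3.0):
    """Query over UDP, then over TCP if the UDP reply is truncated."""
    q = build_query(name, qtype)
    udp = tcp = None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            udp = s.recvfrom(4096)[0]
        if parse_header(udp)["tc"]:
            with socket.create_connection((server, 53), timeout) as t:
                t.sendall(tcp_frame(q))
                tcp = t.recv(65537)[2:] or None  # first read only; enough to show TCP works
    except OSError:
        pass  # timeout or refusal leaves the affected reply as None
    return diagnose(udp, tcp)
```

Running `probe` from outside and from inside the firewall, once with `QTYPE_ANY` and once with 15 (MX), separates a transport problem from a query-type problem.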