Re: Name server queries coming to a mail server? - TCP-IP
Re: Name server queries coming to a mail server?
John Murtari writes in comp.mail.sendmail:
> We're really scratching our heads over this and would
> welcome any thoughts? Our mail server does a lot of DNS lookups,
> it uses the DNS server on that machine, but as 'localhost' -- that
> would not explain the external traffic we see.
Have you forgotten that a DNS server does not work in a void? For all
domains for which it is not authoritative, it needs to ask for data from other DNS
servers.
[ Changed newsgroup to comp.protocols.tcp-ip ]
-
Re: Name server queries coming to a mail server?
In article <5du07c8zgu.fsf@attruh.keh.iki.fi>,
Kari Hurtta wrote:
> John Murtari writes in comp.mail.sendmail:
>
> > We're really scratching our heads over this and would
> > welcome any thoughts? Our mail server does a lot of DNS lookups,
> > it uses the DNS server on that machine, but as 'localhost' -- that
> > would not explain the external traffic we see.
>
> Have you forgotten that a DNS server does not work in a void? For all
> domains for which it is not authoritative, it needs to ask for data from other DNS
> servers.
That would explain DNS *replies* going to the mailserver, but he said
that these were DNS *requests*.
But maybe he's mistaken about that. If he's running ancient BIND 4, or
BIND 8 or 9 with the "query-source port 53" configuration option (which
is not uncommon), DNS queries will be sent with source port 53, so
replies will go to the same port that queries normally go to, and maybe
that's what he's seeing in the router filters.
It would help to see a packet capture of some of these unexpected DNS
packets. We could see whether they're really requests or replies, and
if they're requests then the domains that they're looking up might help
diagnose this.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
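As an added illustration of the diagnostic step suggested above (this is example code written for this page, not anything posted in the thread): the only reliable way to tell a DNS request from a DNS reply is the QR bit (bit 15 of the flags word in the 12-byte header), not the port numbers, because a resolver configured with a fixed query source port of 53 sends and receives on port 53 at both ends. The script below builds a small constructed "capture" of UDP/53 packets for a hypothetical mail host at 192.0.2.10 (all addresses, ports and transaction IDs are made up), classifies each packet by its QR bit, reports what actually arrives at the host, and flags whether the host's own outbound queries all leave from a fixed port 53.

```python
import struct
from collections import Counter

MAIL_SERVER = "192.0.2.10"  # constructed address of the mail/DNS host


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def decode_name(payload, offset):
    """Decode an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def dns_header(txid, qr, ancount=0):
    """12-byte header: QR is bit 15 of flags; RD always set; RA set on responses."""
    flags = (qr << 15) | (1 << 8) | (qr << 7)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def build_query(txid, name):
    """Standard A/IN question for `name`."""
    return dns_header(txid, qr=0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ipv4):
    """Response echoing the question plus one A record (TTL 300)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer RR: pointer to the question name at offset 12, type A, class IN,
    # TTL 300, RDLENGTH 4, then the address bytes.
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return dns_header(txid, qr=1, ancount=1) + question + answer


def classify(payload):
    """Return ('query' | 'response', txid, qname) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    kind = "response" if flags & 0x8000 else "query"
    qname = decode_name(payload, 12)[0] if qdcount else ""
    return kind, txid, qname


def summarize(packets, host):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Counts what really arrives at `host` on UDP/53 by QR bit, lists the names
    asked for in genuine inbound queries, and records the source ports the
    host's own outbound queries use (a single port 53 means a fixed query
    source port, which is what makes replies look like inbound "queries").
    """
    inbound = Counter()
    inbound_qnames = []
    outbound_ports = set()
    for src, sport, dst, dport, payload in packets:
        kind, _, qname = classify(payload)
        if dst == host and dport == 53:
            inbound[kind] += 1
            if kind == "query":
                inbound_qnames.append(qname)
        elif src == host and kind == "query":
            outbound_ports.add(sport)
    return {
        "inbound_queries": inbound["query"],
        "inbound_responses": inbound["response"],
        "inbound_query_names": inbound_qnames,
        "outbound_query_source_ports": sorted(outbound_ports),
        "fixed_source_port_53": outbound_ports == {53},
    }


# Constructed capture: the host's resolver sends from port 53, so every reply
# comes back *to* port 53 and a port-based filter cannot tell it from a query.
CAPTURE = [
    (MAIL_SERVER, 53, "198.51.100.5", 53, build_query(0x1A2B, "example.com")),
    ("198.51.100.5", 53, MAIL_SERVER, 53,
     build_response(0x1A2B, "example.com", "192.0.2.44")),
    (MAIL_SERVER, 53, "198.51.100.9", 53, build_query(0x3C4D, "example.net")),
    ("198.51.100.9", 53, MAIL_SERVER, 53,
     build_response(0x3C4D, "example.net", "192.0.2.55")),
    # One genuine inbound query from an outside client on an ephemeral port.
    ("203.0.113.7", 40123, MAIL_SERVER, 53, build_query(0x5E6F, "example.org")),
]

if __name__ == "__main__":
    for key, value in summarize(CAPTURE, MAIL_SERVER).items():
        print(f"{key}: {value}")
```

On the constructed capture the script reports one real inbound query and two inbound responses, and shows the host's outbound queries all leaving from port 53. Dropping the `port 53` clause from the `query-source` statement in BIND 9's `options {}` block lets named choose its own source ports, so replies no longer arrive on the port that inbound queries use and a filter can pass them without also opening the server to outside queries; a fixed, predictable source port also gives a resolver less to match a reply against than randomised ports do.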
-
Re: Name server queries coming to a mail server?
Kari Hurtta writes:
>
>> We're really scratching our heads over this and would
>> welcome any thoughts? Our mail server does a lot of DNS lookups,
>> it uses the DNS server on that machine, but as 'localhost' -- that
>> would not explain the external traffic we see.
>
> Have you forgotten that a DNS server does not work in a void? For all
> domains for which it is not authoritative, it needs to ask for data from other DNS
> servers.
Okay guys, thanks a lot. It didn't dawn on me that all the
lookups our mail server needs done would also be coming back on 53.
We are running BIND 9 and the address matches our query-source address.
That explains why email comes to a crawl when we were blocking the
replies and it was waiting for DNS timeouts.
Thanks!
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/
-
Re: Name server queries coming to a mail server?
In article ,
John Murtari wrote:
> Kari Hurtta writes:
>
> >
> >> We're really scratching our heads over this and would
> >> welcome any thoughts? Our mail server does a lot of DNS lookups,
> >> it uses the DNS server on that machine, but as 'localhost' -- that
> >> would not explain the external traffic we see.
> >
> > Have you forgotten that a DNS server does not work in a void? For all
> > domains for which it is not authoritative, it needs to ask for data from other DNS
> > servers.
>
> Okay guys, thanks a lot. It didn't dawn on me that all the
> lookups our mail server needs done would also be coming back on 53.
> We are running BIND 9 and the address matches our query-source address.
> That explains why email comes to a crawl when we were blocking the
> replies and it was waiting for DNS timeouts.
Why do you have query-source set to port 53? There's no reason for it,
unless the server is behind a firewall that doesn't allow it to send
normal DNS queries out.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***