Koozali.org: home of the SME Server

DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS

Offline Bozely

Currently experiencing a strange issue,

We have used OpenDNS to filter our internet traffic for a few years, but recently we found emails were being deferred and getting stuck in the mail queue before failing several days later. Looking through the logs I found the following:

Code:
/var/log/qmail/current
2017-08-17 10:49:18.076598500 starting delivery 109: msg 90967592 to remote aperson@ms17.hinet.net
2017-08-17 10:49:18.076600500 status: local 0/20 remote 1/20
2017-08-17 10:49:38.097636500 delivery 109: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/

Code:
/var/log/dnscache/current
2017-08-17 10:50:17.138974500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139027500 sent 2263 32
2017-08-17 10:50:17.139028500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139086500 sent 2293 32
2017-08-17 10:50:17.139087500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139103500 sent 2325 32
2017-08-17 10:50:17.139103500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139139500 sent 2329 32

As a quick check I updated our name servers to 8.8.8.8 in "configure this server" (from the OpenDNS name server 208.67.222.222), and the emails all got delivered when I flushed the mail queue. But we are no longer filtering our web traffic, making the workaround not viable.

When using the https://cachecheck.opendns.com/ both domains resolve (msa.hinet.net and ms17.hinet.net).

The OpenDNS name servers are 208.67.222.222 and/or 208.67.220.220

I tested updating djbdns but this didn't seem to fix the issue.

Current DNS rpm versions are:
Code:
[root@myserv01 ~]# rpm -qa | grep dns
e-smith-dnscache-2.4.0-1.el6.sme.noarch
e-smith-dynamicdns-yi-2.4.0-1.el6.sme.noarch
e-smith-dynamicdns-dyndns.org-2.4.0-1.el6.sme.noarch
djbdns-1.05-11.el6.sme.x86_64
e-smith-dynamicdns-tzo-2.4.0-1.el6.sme.noarch
e-smith-tinydns-2.4.0-8.el6.sme.noarch
e-smith-dynamicdns-dyndns-2.4.0-1.el6.sme.noarch

My reading has also taken me to these places:
Re: Strange DNS issue - can't find some sites
https://forums.contribs.org/index.php/topic,53236.15.html
https://forums.contribs.org/index.php/topic,53236.msg275930.html#msg275930

RE: dnscache and akamai oddness
https://marc.info/?l=djbdns&m=109482686727881&w=2

URIBL.com and Google/opendns
https://forums.contribs.org/index.php/topic,52003.msg265759.html#msg265759

Related Bugs
https://bugs.contribs.org/show_bug.cgi?id=10381

https://bugs.contribs.org/show_bug.cgi?id=10374
https://bugs.contribs.org/show_bug.cgi?id=8362


How to test the latest djbdns release:
Code:
yum update djbdns --enablerepo=smeupdates-testing

But I am yet to find a solution to this problem, any advice would be welcome.

Thanks,
« Last Edit: August 22, 2017, 10:11:20 AM by Bozely »
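Added example for the log analysis described in the post above; this is not code from the thread or from SME Server. It parses the two log layouts shown (multilog output as printed by tai64nlocal) and, for every delivery qmail deferred with CNAME_lookup_failed_temporarily, counts the servfail lines dnscache logged for the recipient's domain within a time window. The sample log text is constructed for the example: it reuses the thread's lines and adds a successful delivery and an unrelated servfail as controls, so the output shows only the delivery whose domain the resolver actually failed on.

```python
"""Correlate qmail-send deferrals with dnscache servfail entries.

Added example, not code from the forum thread or from SME Server. The log
samples below are constructed for this example (the thread's own lines plus
two control entries).
"""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/qmail/current (after tai64nlocal).
QMAIL_LOG = """\
2017-08-17 10:49:18.076598500 starting delivery 109: msg 90967592 to remote aperson@ms17.hinet.net
2017-08-17 10:49:18.076600500 status: local 0/20 remote 1/20
2017-08-17 10:49:20.000000000 starting delivery 110: msg 90967593 to remote bob@example.org
2017-08-17 10:49:21.000000000 delivery 110: success: 192.0.2.25_accepted_message./Remote_host_said:_250_ok/
2017-08-17 10:49:38.097636500 delivery 109: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/
"""

# Constructed sample of /var/log/dnscache/current (after tai64nlocal).
DNSCACHE_LOG = """\
2017-08-17 10:50:17.138974500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139027500 sent 2263 32
2017-08-17 10:50:17.139028500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139086500 sent 2293 32
2017-08-17 10:50:17.139087500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139103500 sent 2325 32
2017-08-17 10:50:17.139103500 servfail ms17.hinet.net. input/output error
2017-08-17 10:50:17.139139500 sent 2329 32
2017-08-17 10:50:18.000000000 servfail other.example. input/output error
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
START_RE = re.compile(TS + r" starting delivery (\d+): msg (\d+) to remote (\S+)")
DEFER_RE = re.compile(TS + r" delivery (\d+): deferral: (\S+)")
SERVFAIL_RE = re.compile(TS + r" servfail (\S+) (.*)")


def parse_ts(text):
    """tai64nlocal prints nanoseconds; datetime only handles microseconds,
    so the last three digits are dropped (first 26 chars = to 6 fractional digits)."""
    return datetime.strptime(text[:26], "%Y-%m-%d %H:%M:%S.%f")


def parse_qmail(text):
    """Return ({delivery_id: {msg, recipient, start}}, [deferral dicts])."""
    deliveries, deferrals = {}, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            ts, delivery, msg, rcpt = m.groups()
            deliveries[delivery] = {"msg": msg, "recipient": rcpt, "start": parse_ts(ts)}
            continue
        m = DEFER_RE.match(line)
        if m:
            ts, delivery, reason = m.groups()
            deferrals.append({"delivery": delivery, "ts": parse_ts(ts), "reason": reason})
    return deliveries, deferrals


def parse_dnscache(text):
    """Return servfail events as [{ts, name, error}]; names lose the trailing dot."""
    events = []
    for line in text.splitlines():
        m = SERVFAIL_RE.match(line)
        if m:
            ts, name, error = m.groups()
            events.append({"ts": parse_ts(ts), "name": name.rstrip(".").lower(), "error": error})
    return events


def correlate(qmail_text, dnscache_text, window=timedelta(minutes=5)):
    """For each CNAME_lookup_failed_temporarily deferral, collect the servfails
    dnscache logged for the recipient's domain within +/- window of the deferral."""
    deliveries, deferrals = parse_qmail(qmail_text)
    servfails = parse_dnscache(dnscache_text)
    report = []
    for d in deferrals:
        if not d["reason"].startswith("CNAME_lookup_failed_temporarily"):
            continue
        info = deliveries.get(d["delivery"])
        if info is None:  # delivery started outside the captured log slice
            continue
        domain = info["recipient"].rsplit("@", 1)[-1].lower()
        hits = [s for s in servfails
                if s["name"] == domain and abs(s["ts"] - d["ts"]) <= window]
        report.append({
            "delivery": d["delivery"],
            "msg": info["msg"],
            "recipient": info["recipient"],
            "domain": domain,
            "servfail_count": len(hits),
            "errors": sorted({s["error"] for s in hits}),
        })
    return report


if __name__ == "__main__":
    for row in correlate(QMAIL_LOG, DNSCACHE_LOG):
        print(f"delivery {row['delivery']} (msg {row['msg']}) to {row['recipient']}: "
              f"{row['servfail_count']} dnscache servfail(s) for {row['domain']} {row['errors']}")
```

To run it against a real SME Server, replace the two constants with the contents of the log files piped through tai64nlocal (the raw multilog files carry @-prefixed TAI64N stamps, which this parser does not read). A deferral whose domain shows zero servfails in the window points away from the resolver and towards the remote MX; many servfails for one domain, as in the thread, point at the configured forwarder.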

Offline Bozely

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #1 on: August 22, 2017, 09:46:48 AM »
I was kind of hoping this would resolve itself but no such luck. :-|

I can ping ms17.hinet.net from the SME when using google DNS servers 8.8.8.8

I cannot ping ms17.hinet.net from the SME when using OpenDNS servers 208.67.222.222

OpenDNS tests show they can resolve the domains; why is the SME failing?

guest22


Offline Bozely

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #3 on: August 22, 2017, 04:42:23 PM »
Quote
Maybe related to https://bugs.contribs.org/show_bug.cgi?id=10381

I followed up on this bug and installed as mentioned in my initial post, no dice.

Checking hinet.net at http://www.webdnstools.com/dnstools/check-domain-results warns me about a lack of DNS glue, which led me to think bug 8362 could be closer to my particular issue.

I am in the process of testing patches mentioned in https://bugs.contribs.org/show_bug.cgi?id=8362

Will report back if this fixes my particular issue.
« Last Edit: August 22, 2017, 04:45:14 PM by Bozely »

Offline Bozely

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #4 on: August 23, 2017, 12:47:37 PM »
Rather than a lengthy post about my endeavors and reading of the man pages (before mary shoots me down  :lol:) I could do with some assistance moving this along. I'm familiar with patching from a web dev perspective but sme/linux/software patching is a little foreign.

How do I go about applying the patches mentioned in https://bugs.contribs.org/show_bug.cgi?id=8362 ?

It looks as though Jean-Philippe Pialasse has done some great work but I'm unsure where these patch files should go, whether/where I should be dropping them in templates-custom, if so what needs to be expanded etc.

I also noted reference to a "homemadeloop patch" which doesn't seem to be available in the bug but if I know I'm applying the patches correctly I can work with the other solution he posted.

Thanks for any assistance you can offer.
« Last Edit: August 23, 2017, 12:49:41 PM by Bozely »

Offline Bozely

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #5 on: September 19, 2017, 02:59:18 PM »
Just to close this one off,

After testing queries through multiple other DNS servers I could not replicate the issue I was having with OpenDNS and ended up changing DNS servers to SafeDNS temporarily.

I also opened a ticket with OpenDNS and ran their diagnostic tool which they analysed and then proceeded to fix the issue. Unfortunately they didn't provide any further information about the error but it is now resolved.

OpenDNS diagnostic available here at the time of writing:

https://support.opendns.com/hc/en-us/articles/227988487-Diagnostic-Tool-Link-and-Instructions

It was a good exercise in log analysis if nothing else...
« Last Edit: September 19, 2017, 03:27:02 PM by Bozely »

Offline Stefano

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #6 on: September 19, 2017, 03:21:11 PM »
thank you for sharing your experience and giving us feedback

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #7 on: September 19, 2017, 03:43:32 PM »
If you use an external resolver (either Google's or OpenDNS's) then you are short-circuiting djbdns dnscache.forwarder. Hence you cannot solve your issues locally and depend on them to fix it for you.

It is usually not a good idea to rely on an external service:
- here OpenDNS seems stuck with the same issue we are trying to fix with the pointed bug and the last release in testing of djbdns
- Google's DNS is suboptimal for all the intended uses of DNS, as it might resolve to generic addresses instead of geolocalized results depending on your server. Yes, it does a few geolocalizing but the result is less effective for you.

I suggest you try without setting an external DNS resolver and with the new djbdns from the smeupdates-testing repo and report.

Offline Bozely

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #8 on: September 19, 2017, 03:52:10 PM »
Thanks for the points,

We need a simple way to filter out undesirable web content without a large admin overhead which is why we are relying on an external dns service. I know there are contribs for this but dns filter services are always going to have an edge with so many users adding to and validating the block lists.

guest22

Re: DNS/email (CNAME_lookup_failed_temporarily) problems when using OpenDNS
« Reply #9 on: September 19, 2017, 10:17:15 PM »
Quote
We need a simple way to filter out undesirable web content without a large admin overhead which is why we are relying on an external dns service. I know there are contribs for this but dns filter services are always going to have an edge with so many users adding to and validating the block lists.


Maybe you can re-consider your vision once you re-read the relevant wiki parts and contribs wikis again. Relying on external DNS services to determine what you can and cannot reach is another topic. The M$, Goog* and Appl* services on a huge amount of devices, next to the 'social media' channels, make sure you see and get all of it.