Zimbra and DNS queries

**jareep** · 03-10-2008, 03:46 PM

Recently my firewall started crashing due to being overloaded with traffic. It appears that zimbra is spamming DNS requests at an alarming rate (it is accounting for about 95% of my outbound traffic!). I removed all of the zmMtaRestrictions except zimbraMtaRestriction: reject_non_fqdn_sender to see if that would fix it. Still spamming pretty heavily. Any ideas on what to look into as far as what is causing this?

**dwmtractor** · 03-10-2008, 03:54 PM

Zimbra doesn't normally go nuts on DNS queries. Have you tried top from the command line to see what's running? Anything else on the server?

**jhansen** · 03-10-2008, 03:59 PM

Spamassassin is probably the culprit here. SA checks a number of RBLs while scanning messages which can generate 10s of requests per message. You can disable RBL checking by setting 'skip_rbl_checks 1' in '/opt/zimbra/conf/spamassassin/local.cf'. Restart zimbra/mta server after making the change.

Note, that upgrades etc will probably overwrite that file.

**dwmtractor** · 03-10-2008, 04:04 PM

Originally Posted by jhansen

Spamassassin is probably the culprit here. SA checks a number of RBLs while scanning messages which can generate 10s of requests per message. You can disable RBL checking by setting 'skip_rbl_checks 1' in '/opt/zimbra/conf/spamassassin/local.cf'. Restart zimbra/mta server after making the change.

You can do this, but you might find that your overloaded firewall is replaced by mailboxes overloaded with spam. . .unless you are serving a truly huge number of both users and messages, Zimbra shouldn't be producing enough DNS queries to bring a firewall to its knees. . .if it is, we're looking at serious buggage.

Go ahead and disable RBL checks if you like (actually, most of those are configured by zmprov rather than in Spamassassin), and see if that remedies the problem, but if it does please post the details as we need to report the bug.

**dwmtractor** · 03-10-2008, 04:09 PM

Further simple checks:

Stop Zimbra (zmcontrol - stop)
Check your firewall--is it still getting spammed with DNS queries? If yes, what else is on your server? Kill it and/or reboot the server
If the spam stopped, Restart Zimbra
Check your firewall again. Did the DNS spam restart?

**jareep** · 03-10-2008, 04:59 PM

Originally Posted by dwmtractor

Further simple checks:

Stop Zimbra (zmcontrol - stop)
Check your firewall--is it still getting spammed with DNS queries? If yes, what else is on your server? Kill it and/or reboot the server
If the spam stopped, Restart Zimbra
Check your firewall again. Did the DNS spam restart?

Stopping zimbra did not stop the spam, which means it is something else.

Back to the drawing board....anyone a linux guru enough to be able to tell which process is sending the DNS queries?

**Bill Brock** · 03-10-2008, 06:48 PM

I assume it's not the Linux firewall or is it. If it's a firewall appliance, like a router, is there other PC's behind this firewall?

**jareep** · 03-10-2008, 10:02 PM

Originally Posted by Bill Brock

I assume it's not the Linux firewall or is it. If it's a firewall appliance, like a router, is there other PC's behind this firewall?

Its a Netscreen Firewall appliance with no PC's behind it. There are 8 linux servers behind the firewall and that is it. The mail server is the only one sending out the DNS requests.

**jareep** · 03-10-2008, 10:35 PM

Here is a line from the zimbra.log file that shows the rejection:
Mar 11 01:08:42 localhost postfix/smtpd[11306]: connect from investsberbank.nsk.su[212.20.25.17]
Mar 11 01:08:43 localhost postfix/smtpd[11306]: NOQUEUE: reject: RCPT from investsberbank.nsk.su[212.20.25.17]: 550 5.1.1 <cldnbn@learningconcepts.org>: Recipient address rejected: learningconcepts.org; from=<everett@four-soft.com> to=<cldnbn@learningconcepts.org> proto=ESMTP helo=<investsberbank.nsk.su>
Mar 11 01:08:43 localhost postfix/smtpd[11306]: lost connection after DATA from investsberbank.nsk.su[212.20.25.17]
Mar 11 01:08:43 localhost postfix/smtpd[11306]: disconnect from investsberbank.nsk.su[212.20.25.17]

Using 'tcpdump port 53', it seems I get a DNS request for each of the rejection messages in the zimbra.log file. I did the spamassassin skip_rbl_checks and restarted and it made no difference. DNS requests still pretty heavy.

**jareep** · 03-10-2008, 10:36 PM

Here are a few lines from the tcpdump port 53 command:

01:35:57.577240 IP dns0.mtu.ru.domain > mail02.learningfocused.com.33079: 31504* 1/2/2 A dns1.mtu.ru (105)
01:35:57.704168 IP dns1.mtu.ru.domain > mail02.learningfocused.com.33079: 38947* 0/1/1 (87)
01:35:59.245742 IP mail02.learningfocused.com.33079 > ns2.ripn.net.domain: 32046 A6? dns1.mtu.ru. (29)
01:35:59.401716 IP ns2.ripn.net.domain > mail02.learningfocused.com.33079: 32046- 0/2/2 (94)
01:35:59.402051 IP mail02.learningfocused.com.33079 > dns1.mtu.ru.domain: 47916% [1au] A6? dns1.mtu.ru. (40)
01:35:59.578740 IP dns1.mtu.ru.domain > mail02.learningfocused.com.33079: 47916* 0/1/1 (92)
01:35:59.579097 IP mail02.learningfocused.com.33079 > dns1.mtu.ru.domain: 60627% [1au] AAAA? dns1.mtu.ru. (40)
01:35:59.755767 IP dns1.mtu.ru.domain > mail02.learningfocused.com.33079: 60627* 0/1/1 (92)

Zimbra

Thread: Zimbra and DNS queries

LinkBack

Thread Tools

Search Thread

Display

Zimbra and DNS queries

Thread Information

Users Browsing this Thread

Similar Threads

How to install Zimbra Debian 3.1 binaries on Debian Etch 4.0 [Workaround]

[SOLVED] Error Installing Zimbra on RHEL 5

Problem - Queue report unavailable - mail system is down

Installation succesfful! But problem with zmcontrol start

Zimbra server crashed

Posting Permissions