<div dir="ltr"><div class="gmail_default"><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">We run a robust carrier-grade e-mail service in the cloud and have a dedicated DNS infrastructure that has undergone extensive tuning to work in AWS, see </div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">  <a href="https://www.sparkpost.com/blog/undocumented-limit-dns-aws/" style="color:rgb(17,85,204)" target="_blank">https://www.sparkpost.com/bl<wbr>og/undocumented-limit-dns-aws/</a></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">  <a 
href="https://www.sparkpost.com/blog/dns-aws-network-lessons/">https://www.sparkpost.com/blog/dns-aws-network-lessons/</a></div><div class="gmail_default" style="text-align:start;text-indent:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">  <a href="https://www.usenix.org/sites/default/files/conference/protected-files/srecon18americas_slides_blosser.pdf">https://www.usenix.org/sites/default/files/conference/protected-files/srecon18americas_slides_blosser.pdf</a></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">We occasionally have issues where we are unable to perform MX lookups for what appears to be a perfectly valid domain.  I tracked down one such incident yesterday and in this case the authoritative name servers for the domain were deliberately blocking queries (something I confirmed from the NS box using dnstracer).  
The MX query works fine with the Google 8.8.8.8 resolver or indeed the AWS VPC default resolver (which we cannot rely on, see above).</div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I can't find a way to monitor for this condition (which manifests as SERVFAIL ultimately).  I've read the docs about how Unbound handles probes and backoff, but I don't see any metric exposed that would tell me the domains where this is happening.  
If I could have a way to get the list of domains that display SERVFAIL, I could write an out-of-band script that attempts to resolve them via alternate paths and adds them to a whitelist config.</div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div class="gmail_default" style="font-size:small;color:rgb(34,34,34);font-family:arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Thanks in advance for any suggestions</div><br clear="all"></div><div class="gmail_default">John</div><div><br></div>-- <br><div class="gmail-m_3068725701270486445gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><font color="#999999">JOHN <div class="gmail_default" style="font-size:small;display:inline">​​</div>PEACOCK</font></div><div dir="ltr"><span style="color:rgb(153,153,153);font-size:12.8px">lead software engineer - sre</span><font color="#999999"><br></font><div><br></div><div><font color="#999999">tel 877-887-3031 x239</font></div><div><font color="#999999">mobile 240-429-9334</font></div><div><font color="#999999">email <a href="mailto:john.peacock@sparkpost.com" target="_blank">john.peacock@sparkpost.com</a></font></div></div></div></div></div></div></div></div>
</div>