diff --git a/management/dns_update.py b/management/dns_update.py index ccbebc8..ba9a596 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -490,7 +490,7 @@ zone: # Get the IP address of the nameserver by resolving it. hostname = additional_records.get("_secondary_nameserver") resolver = dns.resolver.get_default_resolver() - response = dns.resolver.query(hostname, "A") + response = dns.resolver.query(hostname+'.', "A") ipaddr = str(response[0]) nsdconf += """\tnotify: %s NOKEY provide-xfr: %s NOKEY diff --git a/management/status_checks.py b/management/status_checks.py index 5351a67..86f83d0 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -347,7 +347,15 @@ def check_web_domain(domain, env): check_ssl_cert(domain, env) def query_dns(qname, rtype, nxdomain='[Not Set]'): - resolver = dns.resolver.get_default_resolver() + # Make the qname absolute by appending a period. Without this, dns.resolver.query + # will fall back a failed lookup to a second query with this machine's hostname + # appended. This has been causing some false-positive Spamhaus reports. The + # reverse DNS lookup will pass a dns.name.Name instance which is already + # absolute so we should not modify that. + if isinstance(qname, str): + qname += "." + + # Do the query. try: response = dns.resolver.query(qname, rtype) except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):