Posted to users@spamassassin.apache.org by jpff <jp...@codemist.co.uk> on 2016/06/03 16:19:26 UTC
DNS again
X-Originating-<%= hostname %>-IP: [217.155.197.248]
OK I expect to get flamed but anyway....
I run a couple of mailers, one of which is small with ~5 users. For
years I ran dnsmasq which was easy to set up and only gave occasional
troubles with the RBL lookups being rejected from my ISP (hi Zen!). I
knew why but it did not seem to cause much problem in stopping spam.
But with the latest outbreak of discussion and some spare time I
changed to use unbound which was suggested by someone. Apart from one
semi-error in the instructions it was easy to deploy
BUT....
I am still seeing the occasional URIBL_BLOCKED
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: zakofr.top]
I thought the recursive caching dns system was supposed to remove
this. Just seeking enlightenment.
==John ffitch
Re: DNS again
Posted by Benny Pedersen <me...@junc.eu>.
On 2016-06-04 07:56, Patrick Ben Koetter wrote:
> ACK for unbound.
ACK for better dns books to newcomers like me :)
> It is a very versatile, fast and stable recursive nameserver. We run it
> as
> Recursive DNS at ISPs where, for example at one location, it serves +20
> million customers.
#/etc/bind/named.conf
comment forwards in options
#/etc/resolv.conf
nameserver 127.0.0.1
reboot
job done for non DNSSEC setup
Re: DNS again
Posted by Patrick Ben Koetter <p...@sys4.de>.
* Reindl Harald <h....@thelounge.net>:
>
>
> On 03.06.2016 at 18:40, Benny Pedersen wrote:
> >On 2016-06-03 18:33, Andy Balholm wrote:
> >>I was using unbound as a local resolver. All queries were going to
> >>127.0.0.1, and there was no forwarding set up.
> >
> >that disqualifies unbound then
>
> please stop spreading bullshit
> unbound works perfectly as recursive nameserver
ACK for unbound.
It is a very versatile, fast and stable recursive nameserver. We run it as
Recursive DNS at ISPs where, for example at one location, it serves +20
million customers.
p@rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: DNS again
Posted by Reindl Harald <h....@thelounge.net>.
On 03.06.2016 at 18:40, Benny Pedersen wrote:
> On 2016-06-03 18:33, Andy Balholm wrote:
>> I was using unbound as a local resolver. All queries were going to
>> 127.0.0.1, and there was no forwarding set up.
>
> that disqualifies unbound then
please stop spreading bullshit
unbound works perfectly as recursive nameserver
unbound.conf:
cache-min-ttl: 120
and oh wonder - even URIBL/DNSBL responses with an extreme low TTL of a
few seconds got cached - show me a different resolver with that option
Re: DNS again
Posted by Benny Pedersen <me...@junc.eu>.
On 2016-06-03 18:33, Andy Balholm wrote:
> I was using unbound as a local resolver. All queries were going to
> 127.0.0.1, and there was no forwarding set up.
that disqualifies unbound then
Re: DNS again
Posted by Andy Balholm <an...@balholm.com>.
I was using unbound as a local resolver. All queries were going to 127.0.0.1, and there was no forwarding set up.
Andy
Re: DNS again
Posted by Benny Pedersen <me...@junc.eu>.
On 2016-06-03 18:23, Andy Balholm wrote:
> Where is your mail server hosted? URIBL blocks queries from some cloud
> providers (including DigitalOcean) unless you have a subscription. For
> a while I had a mail server hosted on DO, and I was paying more for my
> URIBL subscription than for my hosting.
how did you configure dns there ?
all can pay, it's just not needed, not even on DO
Re: DNS again
Posted by jpff <jp...@codemist.co.uk>.
Mailserver is in this house, running Debian.
On Fri, 3 Jun 2016, Andy Balholm wrote:
> I was wondering if your mail server is an on-premises physical machine, or
> something hosted in a data center somewhere. If it's in a data center, what
> data center?
>
> On Jun 3, 2016, at 10:47 AM, John <jp...@codemist.co.uk> wrote:
>
> The mail server is my machine with no other server, unless I have
> misunderstood the question
> ==John ff
>
> On 3 Jun 2016, at 17:23, Andy Balholm <an...@balholm.com> wrote:
>
> Where is your mail server hosted? URIBL blocks queries from some cloud
> providers (including DigitalOcean) unless you have a subscription. For a while
> I had a mail server hosted on DO, and I was paying more for my URIBL
> subscription than for my hosting.
> Andy
>
>
>
>
Re: DNS again
Posted by Andy Balholm <an...@balholm.com>.
I was wondering if your mail server is an on-premises physical machine, or something hosted in a data center somewhere. If it’s in a data center, what data center?
> On Jun 3, 2016, at 10:47 AM, John <jp...@codemist.co.uk> wrote:
>
> The mail server is my machine with no other server, unless I have misunderstood the question
> ==John ff
> On 3 Jun 2016, at 17:23, Andy Balholm <andy@balholm.com> wrote:
> Where is your mail server hosted? URIBL blocks queries from some cloud providers (including DigitalOcean) unless you have a subscription. For a while I had a mail server hosted on DO, and I was paying more for my URIBL subscription than for my hosting.
>
> Andy
Re: DNS again
Posted by Andy Balholm <an...@balholm.com>.
Where is your mail server hosted? URIBL blocks queries from some cloud providers (including DigitalOcean) unless you have a subscription. For a while I had a mail server hosted on DO, and I was paying more for my URIBL subscription than for my hosting.
Andy
Re: DNS again
Posted by "Daniel J. Luke" <dl...@geeklair.net>.
On Jun 3, 2016, at 12:51 PM, Daniel J. Luke <dl...@geeklair.net> wrote:
>> if the first hop in dns is 127.0.0.1 it works
>
> that's not how +trace works
oh, never mind - you are right. It will query for the root servers from your configured resolvers.
--
Daniel J. Luke
Re: DNS again
Posted by "Daniel J. Luke" <dl...@geeklair.net>.
On Jun 3, 2016, at 12:30 PM, Benny Pedersen <me...@junc.eu> wrote:
> dig +trace ipv4.google.com
>
> if the first hop in dns is 127.0.0.1 it works
that's not how +trace works
from the manpage:
When tracing is enabled, dig makes iterative queries to resolve
the name being looked up. It will follow referrals from the root
servers, showing the answer from each server that was used to
resolve the lookup.
If @server is also specified, it affects only the initial query
for the root zone name servers.
> make sure /etc/resolv.conf only has one single line with nameserver 127.0.0.1 nothing more nothing less
good advice.
> drop unbound if it can't make it right, replace it with bind9
either works fine if configured correctly (and not so well if configured incorrectly).
--
Daniel J. Luke
Re: DNS again
Posted by Benny Pedersen <me...@junc.eu>.
On 2016-06-03 18:19, jpff wrote:
> I am still seeing the occasional URIBL_BLOCKED
do your homework :=)
dig +trace ipv4.google.com
if the first hop in dns is 127.0.0.1 it works
make sure /etc/resolv.conf only has one single line with nameserver
127.0.0.1 nothing more nothing less
dig is part of bind9-tools
drop unbound if it can't make it right, replace it with bind9
possibly your unbound has forward servers? doh
i am happy with bind9
Re: DNS again
Posted by Reindl Harald <h....@thelounge.net>.
On 04.06.2016 at 11:41, Tom Hendrikx wrote:
> On 03-06-16 18:19, jpff wrote:
>> X-Originating-<%= hostname %>-IP: [217.155.197.248]
>>
>> OK I expect to get flamed but anyway....
>>
>> I am still seeing the occasional URIBL_BLOCKED
>>
>> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>> See
>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>> for more information.
>> [URIs: zakofr.top]
>>
>> I thought the recursive caching dns system was supposed to remove
>> this. Just seeking enlightenment.
>> ==John ffitch
>>
>
> Which OS is this? The default setting on ubuntu 14.04 for unbound was
> unfortunately that the init script automatically added upstream dns
> servers as forwarders, which effectively mimics the dnsmasq behaviour
> that gives troubles for spamassassin.
>
> To fix that behaviour, set RESOLVCONF_FORWARDERS=false in
> /etc/default/unbound, and restart unbound.
most likely because it's a desktop distribution and unbound becomes
widely used in default setups to enforce DNSSEC, which, with direct
recursion, would break local area networks, especially when you change between them
if it comes to servers - just do your homework and learn to configure
the few services you are using and especially how to *verify* what you
*think* you have configured
[root@mail-gw:~]$ cat /etc/unbound/unbound.conf
server:
    verbosity: 1
    statistics-interval: 86400
    statistics-cumulative: no
    extended-statistics: no
    num-threads: 1
    outgoing-range: 1024
    num-queries-per-thread: 512
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    so-rcvbuf: 4m
    so-sndbuf: 4m
    minimal-responses: yes
    msg-cache-size: 32m
    neg-cache-size: 32m
    rrset-cache-size: 64m
    cache-min-ttl: 90
    cache-max-ttl: 10800
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    interface-automatic: no
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    max-udp-size: 1024
    edns-buffer-size: 1024
    do-tcp: yes
    do-daemonize: yes
    username: "unbound"
    use-syslog: yes
    log-time-ascii: yes
    pidfile: "/run/unbound/unbound.pid"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: no
    harden-referral-path: no
    use-caps-for-id: no
    unwanted-reply-threshold: 10000000
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
Re: DNS again
Posted by Reindl Harald <h....@thelounge.net>.
On 04.06.2016 at 14:40, jpff wrote:
> Thank you -- did not realise the /etc/default/unbound file existed. It
> was set to forward. Will remind me how I prefer installations from source
> for critical programs.
> Unbound installed from Debian Wheezy
nonsense - you don't need to compile anything from source, just write a
proper config file with no includes and you are done
the same for httpd and what not else
> On Sat, 4 Jun 2016, Tom Hendrikx wrote:
>
>> On 03-06-16 18:19, jpff wrote:
>>> X-Originating-<%= hostname %>-IP: [217.155.197.248]
>>>
>>> OK I expect to get flamed but anyway....
>>>
>>> I run a couple of mailers, one of which is small with ~5 users. For
>>> years I ran dnsmasq which was easy to set up and only gave occasional
>>> troubles with the RBL lookups being rejected from my ISP (hi Zen!). I
>>> knew why but it did not seem to cause much problem in stopping spam.
>>> But with the latest outbreak of discussion and some spare time I
>>> changed to use unbound which was suggested by someone. Apart from one
>>> semi-error in the instructions it was easy to deploy
>>>
>>> BUT....
>>>
>>> I am still seeing the occasional URIBL_BLOCKED
>>>
>>> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL
>>> was blocked.
>>> See
>>>
>>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>>> for more information.
>>> [URIs: zakofr.top]
>>>
>>> I thought the recursive caching dns system was supposed to remove
>>> this. Just seeking enlightenment.
>>> ==John ffitch
>>>
>>
>> Which OS is this? The default setting on ubuntu 14.04 for unbound was
>> unfortunately that the init script automatically added upstream dns
>> servers as forwarders, which effectively mimics the dnsmasq behaviour
>> that gives troubles for spamassassin.
>>
>> To fix that behaviour, set RESOLVCONF_FORWARDERS=false in
>> /etc/default/unbound, and restart unbound
Re: DNS again
Posted by jpff <jp...@codemist.co.uk>.
Thank you -- did not realise the /etc/default/unbound file existed. It was
set to forward. Will remind me how I prefer installations from source for
critical programs.
Unbound installed from Debian Wheezy
On Sat, 4 Jun 2016, Tom Hendrikx wrote:
> On 03-06-16 18:19, jpff wrote:
>> X-Originating-<%= hostname %>-IP: [217.155.197.248]
>>
>> OK I expect to get flamed but anyway....
>>
>> I run a couple of mailers, one of which is small with ~5 users. For
>> years I ran dnsmasq which was easy to set up and only gave occasional
>> troubles with the RBL lookups being rejected from my ISP (hi Zen!). I
>> knew why but it did not seem to cause much problem in stopping spam.
>> But with the latest outbreak of discussion and some spare time I
>> changed to use unbound which was suggested by someone. Apart from one
>> semi-error in the instructions it was easy to deploy
>>
>> BUT....
>>
>> I am still seeing the occasional URIBL_BLOCKED
>>
>> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>> See
>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>> for more information.
>> [URIs: zakofr.top]
>>
>> I thought the recursive caching dns system was supposed to remove
>> this. Just seeking enlightenment.
>> ==John ffitch
>>
>
> Which OS is this? The default setting on ubuntu 14.04 for unbound was
> unfortunately that the init script automatically added upstream dns
> servers as forwarders, which effectively mimics the dnsmasq behaviour
> that gives troubles for spamassassin.
>
> To fix that behaviour, set RESOLVCONF_FORWARDERS=false in
> /etc/default/unbound, and restart unbound.
>
> Regards,
> Tom
>
>
Re: DNS again
Posted by Tom Hendrikx <to...@whyscream.net>.
On 03-06-16 18:19, jpff wrote:
> X-Originating-<%= hostname %>-IP: [217.155.197.248]
>
> OK I expect to get flamed but anyway....
>
> I run a couple of mailers, one of which is small with ~5 users. For
> years I ran dnsmasq which was easy to set up and only gave occasional
> troubles with the RBL lookups being rejected from my ISP (hi Zen!). I
> knew why but it did not seem to cause much problem in stopping spam.
> But with the latest outbreak of discussion and some spare time I
> changed to use unbound which was suggested by someone. Apart from one
> semi-error in the instructions it was easy to deploy
>
> BUT....
>
> I am still seeing the occasional URIBL_BLOCKED
>
> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
> See
> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> for more information.
> [URIs: zakofr.top]
>
> I thought the recursive caching dns system was supposed to remove
> this. Just seeking enlightenment.
> ==John ffitch
>
Which OS is this? The default setting on ubuntu 14.04 for unbound was
unfortunately that the init script automatically added upstream dns
servers as forwarders, which effectively mimics the dnsmasq behaviour
that gives troubles for spamassassin.
To fix that behaviour, set RESOLVCONF_FORWARDERS=false in
/etc/default/unbound, and restart unbound.
Regards,
Tom
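Tom's fix (RESOLVCONF_FORWARDERS=false in /etc/default/unbound), Benny's one-line /etc/resolv.conf rule and the unbound.conf forward-zone question raised in the thread, turned into a set of offline checks. This is added example code, not anything posted in the thread; the file paths are the ones the thread names, and the sample files the script builds are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the forwarding
# misconfiguration discussed above. Paths are the ones named in the thread;
# each function takes a path argument so it can also run against a copy.

# 1. /etc/resolv.conf must name exactly one nameserver, 127.0.0.1.
resolv_local_only() {
    # awk prints every nameserver value; two lines, none, or a remote
    # address all make the single-string comparison fail.
    ns=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ "$ns" = "127.0.0.1" ]
}

# 2. /etc/default/unbound must set RESOLVCONF_FORWARDERS=false. A missing
#    setting fails too: per the thread, the distro default was to forward.
unbound_default_no_forwarders() {
    val=$(awk -F= '{ sub(/^[ \t]*/, "", $1) }
          $1 == "RESOLVCONF_FORWARDERS" { gsub(/[" ]/, "", $2); v = $2 }
          END { print v }' "$1")
    [ "$val" = "false" ]
}

# 3. unbound.conf itself must carry no forward-zone stanza.
unbound_conf_no_forwarders() {
    ! grep -Eq '^[[:blank:]]*forward-(zone:|addr:|host:)' "$1"
}

check_resolver_setup() {
    resolv_local_only "$1" && unbound_default_no_forwarders "$2" &&
        unbound_conf_no_forwarders "$3"
}

# Constructed sample files (192.0.2.53 is a documentation address).
WORK=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$WORK/resolv.good"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$WORK/resolv.bad"
printf '# Debian defaults\nRESOLVCONF_FORWARDERS=false\n' > "$WORK/default.good"
printf 'RESOLVCONF_FORWARDERS=true\n' > "$WORK/default.bad"
printf 'server:\n  interface: 127.0.0.1\n  cache-min-ttl: 90\n' > "$WORK/unbound.good"
printf 'server:\n  interface: 127.0.0.1\nforward-zone:\n  name: "."\n  forward-addr: 192.0.2.53\n' \
    > "$WORK/unbound.bad"

if check_resolver_setup "$WORK/resolv.good" "$WORK/default.good" "$WORK/unbound.good"; then
    echo "good set: plain recursion, no forwarders"
fi
if ! check_resolver_setup "$WORK/resolv.bad" "$WORK/default.bad" "$WORK/unbound.bad"; then
    echo "bad set: forwarder found, expect URIBL_BLOCKED"
fi
```

Run it as the user that reads the real files, or point each function at a copy; a failing check names exactly which of the three places reintroduces a forwarder.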