Posted to users@spamassassin.apache.org by Chris J <ce...@nightwolf.org.uk> on 2016/01/04 21:28:31 UTC
DNS lookups - bug with recursive lookups, or shoddy bind config?
Before I raise this on Bugzilla, I just want to run this past people as
I'm quite happy that I've failed to configure something, but can't see what.
In short, RBL blacklists haven't been working and I've finally, with
tcpdump, traced it to SpamAssassin not requesting recursive queries.
The setup is:
Linux - Debian Jessie 8.2
Bind - 9.9.5-9+deb8u3-Debian
SpamAssassin - installed from CPAN, 3.4.1
Perl - 5.20.2
Net::DNS - 1.01
Bind running locally, /etc/resolv.conf pointing to 127.0.0.1.
When running spamassassin -D dns < spam.test > /dev/null, all the DNS
blacklist queries return 0 results, taking an extract:
Jan 4 20:13:11.853 [21025] dbg: dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
Jan 4 20:13:11.854 [21025] dbg: dns: providing a callback for id: 60328/IN/A/123.119.167.104.DnSBl.iNpS.DE
[...]
Jan 4 20:13:11.914 [21025] dbg: dns: dns reply 60328 is OK, 0 answer records
However, that entry does have a record:
$ host 123.119.167.104.DnSBl.iNpS.DE
123.119.167.104.dnsbl.inps.de has address 127.0.0.2
$
Looking at tcpdump, it shows me this from SpamAssassin:
20:17:28.932550 IP localhost.20171 > localhost.domain: 51533 [1au] A? 123.119.167.104.dNsbL.InPS.de. (58)
20:17:28.932622 IP localhost.domain > localhost.20171: 51533 0/2/3 (150)
But with host, I get:
20:18:16.828275 IP localhost.56176 > localhost.domain: 16674+ A? 123.119.167.104.DnSBl.iNpS.DE. (47)
20:18:16.845783 IP localhost.domain > localhost.56176: 16674 1/2/2 A 127.0.0.2 (179)
I've done some poking, and the '+' after the query number marks it as
recursive. I can confirm this with "dig +norecurse".
Looking through the code, and looking at things from Google, it appears
Net::DNS should be doing recursive queries by default, but the code
that's doing the query is Net::DNS::Packet. I've made a change to
DnsResolver.pm (line 578) as below, and now SpamAssassin is doing
recursive queries, and my DNS blacklists work:
$domain =~ s{ ( [\000-\037\177-\377\\] ) }
{ $1 eq '\\' ? "\\$1" : sprintf("\\%03d",ord($1)) }xgse;
$packet = Net::DNS::Packet->new($domain, $type, $class);
#CEJ: set RD bit to force recursion
$packet->header->rd(1);
With this, the DNS debug log now says:
Jan 4 20:24:14.250 [21122] dbg: dns: providing a callback for id: 53008/IN/A/123.119.167.104.dNSBl.iNps.dE
Jan 4 20:24:14.309 [21122] dbg: dns: dns reply 53008 is OK, 1 answer records
Jan 4 20:24:14.309 [21122] dbg: dns: hit <dns:123.119.167.104.dNSBl.iNps.dE> 127.0.0.2
Now I'm doubtful I've found a bug as I'm sure I'd see more problems
having spent a while searching interwebs. It could be my Bind config?
But the SA wiki just says the default config of Bind from the Debian
releases should be good
(https://wiki.apache.org/spamassassin/CachingNameserver ).
Let me know if any more information (config files, etc.) is needed and I
can supply it.
Regards,
Chris
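
As an added illustration (not part of the original post and not SpamAssassin or Net::DNS code), the following Python code decodes the DNS header bit behind the '+' in the tcpdump lines above and reproduces the two query forms from the post. The function names and the sample reply header are constructed for this example.

```python
import struct

RD = 0x0100  # "recursion desired" bit of the 16-bit flags word (RFC 1035)
RA = 0x0080  # "recursion available", set by the server in replies
QR = 0x8000  # 0 = query, 1 = response

def build_query(qid, name, rd):
    """Build a plain A/IN query (no EDNS); rd sets or clears the RD bit."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(packet):
    """Decode the fixed 12-byte DNS header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "counts": (an, ns, ar)}

def summarize(packet):
    """Render id, RD marker and section counts as in the tcpdump lines above."""
    h = parse_header(packet)
    if h["qr"]:
        return "%d %d/%d/%d" % ((h["id"],) + h["counts"])
    return "%d%s" % (h["id"], "+" if h["rd"] else "")

# Constructed sample: header of a reply with 0 answer, 2 authority, 3 additional records.
SAMPLE_REPLY = struct.pack("!HHHHHH", 51533, QR | RA, 1, 0, 2, 3)

if __name__ == "__main__":
    name = "123.119.167.104.DnSBl.iNpS.DE"
    print(summarize(build_query(51533, name, rd=False)))  # query without RD
    print(summarize(build_query(16674, name, rd=True)))   # query with RD
    print(summarize(SAMPLE_REPLY))
```

The RD query built here is 47 bytes, the same length tcpdump reports for the `host` query; the 58-byte SpamAssassin query additionally carries one additional record (the `[1au]` in the capture), which this example does not build.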
Re: DNS lookups - bug with recursive lookups, or shoddy bind config?
Posted by Chris J <ce...@nightwolf.org.uk>.
On 04/01/2016 20:48, Joe Quinn wrote:
> By the way, have you considered subscribing to the dev@ list and
> contributing to SA? You ran through this issue pretty much perfectly,
> other than the bad luck with our Bugzilla's results on Google.
Time is my main issue (that and being rather rusty with Perl) :-)
Although looking at the archives, it's fairly low traffic so yes, I'll
throw a subscription in and see how it goes.
Cheers,
Chris
Re: DNS lookups - bug with recursive lookups, or shoddy bind config?
Posted by Joe Quinn <jq...@pccc.com>.
On 1/4/2016 3:39 PM, Quanah Gibson-Mount wrote:
> --On Monday, January 04, 2016 8:28 PM +0000 Chris J
> <ce...@nightwolf.org.uk> wrote:
>
>> Before I raise this on Bugzilla, I just want to run this past people as
>> I'm quite happy that I've failed to configure something, but can't see
>> what.
>>
>> In short, RBL blacklists haven't been working and I've finally, with
>> tcpdump, traced it to SpamAssassin not requesting recursive queries.
>>
>> The setup is:
>> Linux - Debian Jessie 8.2
>> Bind - 9.9.5-9+deb8u3-Debian
>> SpamAssassin - installed from CPAN, 3.4.1
>> Perl - 5.20.2
>> Net::DNS - 1.01
>
> If you're using Net::DNS 1.01 or later, you must patch SA. There is
> an entire thread dedicated to this issue.
>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>
>
> 7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
By the way, have you considered subscribing to the dev@ list and
contributing to SA? You ran through this issue pretty much perfectly,
other than the bad luck with our Bugzilla's results on Google.
Re: DNS lookups - bug with recursive lookups, or shoddy bind config?
Posted by Chris J <ce...@nightwolf.org.uk>.
On 04/01/2016 20:39, Quanah Gibson-Mount wrote:
>
> If you're using Net::DNS 1.01 or later, you must patch SA. There is an
> entire thread dedicated to this issue.
>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>
>
> 7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).
>
Magic - thanks. Google wouldn't spit out that Bugzilla issue - only
found old threads about DNSBL not working, and couldn't see anything on
the SA wiki about it.
http://wiki.apache.org/spamassassin/DnsBlocklists only makes reference
to "make sure Net::DNS is installed".
Thanks for the pointer to the right bug :-)
Cheers,
Chris
Re: DNS lookups - bug with recursive lookups, or shoddy bind config?
Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On Monday, January 04, 2016 8:28 PM +0000 Chris J <ce...@nightwolf.org.uk>
wrote:
> Before I raise this on Bugzilla, I just want to run this past people as
> I'm quite happy that I've failed to configure something, but can't see
> what.
>
> In short, RBL blacklists haven't been working and I've finally, with
> tcpdump, traced it to SpamAssassin not requesting recursive queries.
>
> The setup is:
> Linux - Debian Jessie 8.2
> Bind - 9.9.5-9+deb8u3-Debian
> SpamAssassin - installed from CPAN, 3.4.1
> Perl - 5.20.2
> Net::DNS - 1.01
If you're using Net::DNS 1.01 or later, you must patch SA. There is an
entire thread dedicated to this issue.
<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>
7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration