Posted to users@spamassassin.apache.org by Chris J <ce...@nightwolf.org.uk> on 2016/01/04 21:28:31 UTC

DNS lookups - bug with recursive lookups, or shoddy bind config?

Before I raise this on Bugzilla, I just want to run this past people as 
I'm quite happy that I've failed to configure something, but can't see what.

In short, RBL blacklists haven't been working and I've finally, with 
tcpdump, traced it to SpamAssassin not requesting recursive queries.

The setup is:
	Linux - Debian Jessie 8.2
	Bind - 9.9.5-9+deb8u3-Debian
	SpamAssassin - installed from CPAN, 3.4.1
	Perl - 5.20.2
	Net::DNS - 1.01

Bind running locally, /etc/resolv.conf pointing to 127.0.0.1.

When running spamassassin -D dns < spam.test > /dev/null, all the DNS 
blacklist queries return 0 results, taking an extract:

Jan  4 20:13:11.853 [21025] dbg: dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
Jan  4 20:13:11.854 [21025] dbg: dns: providing a callback for id: 60328/IN/A/123.119.167.104.DnSBl.iNpS.DE
	[...]
Jan  4 20:13:11.914 [21025] dbg: dns: dns reply 60328 is OK, 0 answer records

However, that entry does have a record:
	$ host 123.119.167.104.DnSBl.iNpS.DE
	123.119.167.104.dnsbl.inps.de has address 127.0.0.2
	$

Looking at tcpdump, it shows me this from SpamAssassin:

20:17:28.932550 IP localhost.20171 > localhost.domain: 51533 [1au] A? 123.119.167.104.dNsbL.InPS.de. (58)
20:17:28.932622 IP localhost.domain > localhost.20171: 51533 0/2/3 (150)

But with host, I get:

20:18:16.828275 IP localhost.56176 > localhost.domain: 16674+ A? 123.119.167.104.DnSBl.iNpS.DE. (47)
20:18:16.845783 IP localhost.domain > localhost.56176: 16674 1/2/2 A 127.0.0.2 (179)

I've done some poking, and the '+' after the query number marks it as 
recursive. I can confirm this with "dig +norecurse".

Looking through the code, and looking at things from Google, it appears 
Net::DNS should be doing recursive queries by default, but the code 
that's doing the query is Net::DNS::Packet. I've made a change to 
DnsResolver.pm (line 578) as below, and now SpamAssassin is doing 
recursive queries, and my DNS blacklists work:

     $domain =~ s{ ( [\000-\037\177-\377\\] ) }
                 { $1 eq '\\' ? "\\$1" : sprintf("\\%03d",ord($1)) }xgse;

     $packet = Net::DNS::Packet->new($domain, $type, $class);
     #CEJ: set RD bit to force recursion
     $packet->header->rd(1);

With this, the DNS debug log now says:

Jan  4 20:24:14.250 [21122] dbg: dns: providing a callback for id: 53008/IN/A/123.119.167.104.dNSBl.iNps.dE
Jan  4 20:24:14.309 [21122] dbg: dns: dns reply 53008 is OK, 1 answer records
Jan  4 20:24:14.309 [21122] dbg: dns: hit <dns:123.119.167.104.dNSBl.iNps.dE> 127.0.0.2

Now I'm doubtful I've found a bug as I'm sure I'd see more problems 
having spent a while searching interwebs. It could be my Bind config? 
But the SA wiki just says the default config of Bind from the Debian 
releases should be good 
(https://wiki.apache.org/spamassassin/CachingNameserver ).

Let me know if any more information (config files, etc.) is needed and I 
can supply it.

Regards,

Chris
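
Added example, not part of the original post and not SpamAssassin or Net::DNS code: a minimal Python sketch of the header bit the two tcpdump captures above differ in, and of why "0 answer records" to an RD=0 query should be read as a likely referral rather than "not listed". The function names and the "referral-suspect" label are hypothetical; the reply packets are constructed headers only.

```python
import struct

RD = 0x0100  # "recursion desired" bit in the DNS header flags word (RFC 1035)

def build_query(qid, name, rd, qtype=1, qclass=1):
    """Encode a one-question query; no EDNS OPT record is added."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def reply_header(qid, rd, an, ns, ar):
    """Constructed reply header (QR and RA set, rcode NOERROR), no body."""
    flags = 0x8000 | 0x0080 | (RD if rd else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, an, ns, ar)

def parse_header(packet):
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & RD),
            "rcode": flags & 0x000F, "counts": (an, ns, ar)}

def summarize(packet):
    """Simplified tcpdump-style summary: '+' after a query id means RD=1."""
    h = parse_header(packet)
    if h["qr"]:
        return "%d %d/%d/%d" % ((h["id"],) + h["counts"])
    return "%d%s" % (h["id"], "+" if h["rd"] else "")

def diagnose(query, reply):
    """Flag an empty NOERROR reply to an RD=0 query as a likely referral."""
    q, r = parse_header(query), parse_header(reply)
    an, ns, _ar = r["counts"]
    if an:
        return "answered"
    if r["rcode"] == 0 and ns > 0 and not q["rd"]:
        return "referral-suspect"  # not evidence that the IP is unlisted
    return "empty"

# Ids, name and section counts below are taken from the two tcpdump captures
# in the post; the packets themselves are rebuilt here, not captured bytes.
NAME = "123.119.167.104.DnSBl.iNpS.DE"
q_sa, r_sa = build_query(51533, NAME, rd=False), reply_header(51533, False, 0, 2, 3)
q_host, r_host = build_query(16674, NAME, rd=True), reply_header(16674, True, 1, 2, 2)

if __name__ == "__main__":
    for q, r in ((q_sa, r_sa), (q_host, r_host)):
        print(summarize(q), "->", summarize(r), "->", diagnose(q, r))
```

The rebuilt host query is 47 bytes, matching the "(47)" in the capture; the SpamAssassin query in the capture is larger because it also carries an additional record ("[1au]"), which this sketch leaves out.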

Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

Posted by Chris J <ce...@nightwolf.org.uk>.
On 04/01/2016 20:48, Joe Quinn wrote:
> By the way, have you considered subscribing to the dev@ list and
> contributing to SA? You ran through this issue pretty much perfectly,
> other than the bad luck with our Bugzilla's results on Google.

Time is my main issue (that and being rather rusty with Perl) :-) 
Although looking at the archives, it's fairly low traffic so yes, I'll 
throw a subscription in and see how it goes.

Cheers,

Chris


Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

Posted by Joe Quinn <jq...@pccc.com>.
On 1/4/2016 3:39 PM, Quanah Gibson-Mount wrote:
> --On Monday, January 04, 2016 8:28 PM +0000 Chris J 
> <ce...@nightwolf.org.uk> wrote:
>
>> Before I raise this on Bugzilla, I just want to run this past people as
>> I'm quite happy that I've failed to configure something, but can't see
>> what.
>>
>> In short, RBL blacklists haven't been working and I've finally, with
>> tcpdump, traced it to SpamAssassin not requesting recursive queries.
>>
>> The setup is:
>>     Linux - Debian Jessie 8.2
>>     Bind - 9.9.5-9+deb8u3-Debian
>>     SpamAssassin - installed from CPAN, 3.4.1
>>     Perl - 5.20.2
>>     Net::DNS - 1.01
>
> If you're using Net::DNS 1.01 or later, you must patch SA.  There is 
> an entire thread dedicated to this issue.
>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>
>
> 7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).
>
> --Quanah
>
> -- 
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration

By the way, have you considered subscribing to the dev@ list and 
contributing to SA? You ran through this issue pretty much perfectly, 
other than the bad luck with our Bugzilla's results on Google.

Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

Posted by Chris J <ce...@nightwolf.org.uk>.
On 04/01/2016 20:39, Quanah Gibson-Mount wrote:
>
> If you're using Net::DNS 1.01 or later, you must patch SA.  There is an
> entire thread dedicated to this issue.
>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
> <https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>
>
> 7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).
>

Magic - thanks. Google wouldn't spit out that Bugzilla issue - only 
found old threads about DNSBL not working, and couldn't see anything on 
the SA wiki about it.

http://wiki.apache.org/spamassassin/DnsBlocklists only makes reference 
to "make sure Net::DNS is installed".

Thanks for the pointer to the right bug :-)

Cheers,

Chris


Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On Monday, January 04, 2016 8:28 PM +0000 Chris J <ce...@nightwolf.org.uk> 
wrote:

> Before I raise this on Bugzilla, I just want to run this past people as
> I'm quite happy that I've failed to configure something, but can't see
> what.
>
> In short, RBL blacklists haven't been working and I've finally, with
> tcpdump, traced it to SpamAssassin not requesting recursive queries.
>
> The setup is:
> 	Linux - Debian Jessie 8.2
> 	Bind - 9.9.5-9+deb8u3-Debian
> 	SpamAssassin - installed from CPAN, 3.4.1
> 	Perl - 5.20.2
> 	Net::DNS - 1.01

If you're using Net::DNS 1.01 or later, you must patch SA.  There is an 
entire thread dedicated to this issue.

<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7223>
<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7231>
<https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7265>

7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration