Posted to users@spamassassin.apache.org by Mike Bostock <sp...@yew-tree.co.uk> on 2009/04/02 22:34:26 UTC
OpenDNS and Spamassassin
Since starting to use OpenDNS and using their servers as forwarders for my
server at home I am seeing loads of this below in the logs.
named[]: unexpected RCODE (SERVFAIL) resolving
'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
I am assuming it is SpamAssassin causing this but I could be wrong.
If anyone can point me in the direction of some assistance I would be very
grateful.
--
Mike
Re: OpenDNS and Spamassassin
Posted by Jari Fredriksson <ja...@iki.fi>.
> On 4/2/2009 10:34 PM, Mike Bostock wrote:
>>
>> If anyone can point me in the direction of some
>> assistance I would be very grateful.
>>
>
> http://forums.opendns.com/comments.php?DiscussionID=3423&page=1
http://www.opendns.com/support/article/33
Re: FW: OpenDNS and Spamassassin
Posted by Rob McEwen <ro...@invaluement.com>.
Michael Scheidell wrote:
> Uribl should probably get an rsync of the zones, if they are doing 50mm
> queries a day, imagine what will hit uribl servers directly, since opendns
> caches the queries.
>
> (I think opendns does this with some of the more popular zones anyway)
> This would be good for opendns and uribl
I can't speak for uribl, but I do have first hand evidence that many
quickly try to use OpenDNS as a means to get around paying subscriptions
to commercial DNSBLs, or partly commercial DNSBLs. (I highly doubt that
very much of this is from sys admins who happened to already use OpenDNS
and then tried out uribl.)
Therefore, if URIBL provided OpenDNS an rsync feed, three things would
happen:
(1) MANY ISPs and spam filtering vendors would flock to it to avoid
having to pay for a URIBL data feed
(2) MUCH of uribl's current revenue would dry up, making the long-term
viability of uribl more 'at risk'
(3) Finally, OpenDNS would get so massively slammed with queries in a
way that does NOT generate revenue for OpenDNS... only more expense,
more servers to manage, and more bandwidth... such that THEY would be
the ones shutting this down (eventually)
Therefore, the best solution is for OpenDNS to simply cut these queries
off "in house" before they even have a chance of hitting URIBL, thus
saving them and URIBL some CPU cycles and bandwidth (I'd bet that this
is already happening)
--
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
FW: OpenDNS and Spamassassin
Posted by Michael Scheidell <sc...@secnap.net>.
>
> http://forums.opendns.com/comments.php?DiscussionID=3423&page=1
>
>>
Uribl should probably get an rsync of the zones, if they are doing 50mm
queries a day, imagine what will hit uribl servers directly, since opendns
caches the queries.
(I think opendns does this with some of the more popular zones anyway)
This would be good for opendns and uribl
--
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
------ End of Forwarded Message
Re: OpenDNS and Spamassassin
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 4/2/2009 10:34 PM, Mike Bostock wrote:
> Since starting to use OpenDNS and using their servers as forwarders for my
> server at home I am seeing loads of this below in the logs.
>
> named[]: unexpected RCODE (SERVFAIL) resolving
> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
>
> I am assuming it is SpamAssassin causing this but I could be wrong.
>
> If anyone can point me in the direction of some assistance I would be very
> grateful.
>
http://forums.opendns.com/comments.php?DiscussionID=3423&page=1
Re: OpenDNS and Spamassassin
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
>> Personally I wouldn't use OpenDNS on a server (except maybe for
>> squid). It's not a normal DNS server, it does things that are aimed at
>> browsers like spelling correction, and redirecting failures to its own
>> web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
>> and I wouldn't be surprised if other tests are affected too.
> While this is generally true of most DNS services LIKE OpenDNS, OpenDNS
> itself is pretty clueful. Unlike the people at uribl...
>
> "onoes, we're getting 50 million hits a day from openDNS, let's block them,
> annoy all their users, and not reduce our hits at all because people will
> simply reconfigure to hit us directly instead of via OpenDNS. But at least
> those 50 million hits will be over slower links, and consume more of our
> resources. yeah, that's a GREAT idea."
>
> Or am I wrong? I could be wrong.
Yes you are and think twice before posting a statement like this. It
doesn't make you look smart judging about things you have no clue about at
all. Things like this don't fall out of the sky just like that, most likely
there is a history.
More RBL providers are talking about this with OpenDNS and yes many large
companies try to walk around RBL policies and switch to OpenDNS and this
is one of the reasons they are blocked by not only URIBL but several RBL
providers. We (SURBL) have the same issues and are talking in depth with
OpenDNS to get this resolved.
I feel sorry for you if you start shouting around people at URIBL are not
clueful, this is your problem and I don't share this with you.
Knowing you and seeing what you do on mailing lists this will most likely
turn out in a neverending thread. Bare you, this is a one time post. I
have said what I wanted. No need to argue about it.
Bye,
Raymond.
Re: OpenDNS and Spamassassin
Posted by Benny Pedersen <me...@junc.org>.
On Fri, April 3, 2009 02:24, LuKreme wrote:
> Or am I wrong? I could be wrong.
Bittorrent is slow too :)
firefox with proxy to squid on a host with multi-isp uplinks is bad
also, since it just uses one isp's lines that are slow
dns is udp, and works very fast if one lets it, what uribl can do is
to extend cache ttl if their servers can't handle the loads
--
http://localhost/ 100% uptime and 100% mirrored :)
Re: OpenDNS and Spamassassin
Posted by LuKreme <kr...@kreme.com>.
On 2-Apr-2009, at 15:52, RW wrote:
> On Thu, 2 Apr 2009 21:34:26 +0100
> "Mike Bostock" <sp...@yew-tree.co.uk> wrote:
>
>> Since starting to use OpenDNS and using their servers as forwarders
>> for my server at home I am seeing loads of this below in the logs.
>>
>> named[]: unexpected RCODE (SERVFAIL) resolving
>> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
>>
>> I am assuming it is SpamAssassin causing this but I could be wrong.
>
> Personally I wouldn't use OpenDNS on a server (except maybe for
> squid). It's not a normal DNS server, it does things that are aimed at
> browsers like spelling correction, and redirecting failures to its
> own
> web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
> and I wouldn't be surprised if other tests are affected too.
While this is generally true of most DNS services LIKE OpenDNS,
OpenDNS itself is pretty clueful. Unlike the people at uribl...
"onoes, we're getting 50 million hits a day from openDNS, let's block
them, annoy all their users, and not reduce our hits at all because
people will simply reconfigure to hit us directly instead of via
OpenDNS. But at least those 50 million hits will be over slower links,
and consume more of our resources. yeah, that's a GREAT idea."
Or am I wrong? I could be wrong.
--
There is NO Rule six!
Re: OpenDNS and Spamassassin
Posted by Aaron Wolfe <aa...@gmail.com>.
On Thu, Apr 2, 2009 at 8:32 PM, LuKreme <kr...@kreme.com> wrote:
> On 2-Apr-2009, at 15:56, Evan Platt wrote:
>>
>> I logged into our server, and saw the OpenDNS was resolving EVERYTHING -
>> blah.blah , nothing.nothing, etc.
>
> This is not an OpenDNS problem, this is a problem with the know-nothing who
> set it up for their system. I used OpenDNS for quite a while on my
> mailserver (several months) and had no such issue.
>
> Configure it right, and it works quite well, and it is VERY configurable.
>
>> Sorry, OpenDNS had to go.
>
>
> Or, you know, configured correctly.
>
> Each of these is a configuration option:
>
Trusting a critical service required by your network to a third party
whose basic business model involves tampering with that service seems
irresponsible at best.
Sure, you can disable all these "features" now, but when the
XYZfreeDNS marketing guys push for the next Big Thing to be enabled by
default, it's now your Big Problem.
DNS matters. It needs to work correctly *and* fail correctly. I'm not
saying OpenDNS has any bad intentions, but their motivation to change
DNS behavior is pretty clear.
If your mail just isn't important then maybe it's a neat thing, but
considering how easy it is to set up a working local DNS, I just don't
see the value.
-Aaron
> Allow users to create child networks
>
> Enable stats and logs
>
> Enable typo correction
> Exceptions for VPN users
> Enable filtering of .cm wildcard
>
> Block internal IP addresses
>
> Apply my shortcuts to this network
> Makes all your shortcuts work on this network, whether you're signed
> in or not.
>
> Enable OpenDNS proxy
> Routes certain address bar requests through a simple proxy, ensuring
> that your shortcuts and other OpenDNS features always work. For more
> details, including potential privacy issues you should be aware of, read our
> KB article.
>
> Enable Botnet protection on this network
> Blocks infected computers on your network from connecting to botnet
> central controllers. At this time, this feature blocks the Conficker virus,
> and will be expanded to include others.
>
> --
> You and me
> Sunday driving
> Not arriving
>
>
Re: OpenDNS and Spamassassin
Posted by Evan Platt <ev...@espphotography.com>.
At 05:32 PM 4/2/2009, you wrote:
>On 2-Apr-2009, at 15:56, Evan Platt wrote:
>>I logged into our server, and saw the OpenDNS was resolving
>>EVERYTHING - blah.blah , nothing.nothing, etc.
>
>This is not an OpenDNS problem, this is a problem with the know-nothing
>who set it up for their system. I used OpenDNS for quite a while on
>my mailserver (several months) and had no such issue.
>
>Configure it right, and it works quite well, and it is VERY
>configurable.
<Snip - configuration options>
So - which option is that? Enable typo correction ?
I don't see how resolving blah.blah to an OpenDNS IP is a typo correction....
Re: OpenDNS and Spamassassin
Posted by LuKreme <kr...@kreme.com>.
On 2-Apr-2009, at 15:56, Evan Platt wrote:
> I logged into our server, and saw the OpenDNS was resolving
> EVERYTHING - blah.blah , nothing.nothing, etc.
This is not an OpenDNS problem, this is a problem with the know-nothing
who set it up for their system. I used OpenDNS for quite a while on
my mailserver (several months) and had no such issue.
Configure it right, and it works quite well, and it is VERY
configurable.
> Sorry, OpenDNS had to go.
Or, you know, configured correctly.
Each of these is a configuration option:
Allow users to create child networks
Enable stats and logs
Enable typo correction
Exceptions for VPN users
Enable filtering of .cm wildcard
Block internal IP addresses
Apply my shortcuts to this network
Makes all your shortcuts work on this network, whether you're signed
in or not.
Enable OpenDNS proxy
Routes certain address bar requests through a simple proxy, ensuring
that your shortcuts and other OpenDNS features always work. For more
details, including potential privacy issues you should be aware of,
read our KB article.
Enable Botnet protection on this network
Blocks infected computers on your network from connecting to botnet
central controllers. At this time, this feature blocks the Conficker
virus, and will be expanded to include others.
--
You and me
Sunday driving
Not arriving
Re: OpenDNS and Spamassassin
Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Apr 2009, Mike Bostock wrote:
> Noted the stuff about OpenDNS being "not a proper DNS" and, as I have
> squid set up but not in use, I may just point squid at it and go back to
> using my ISP's DNS servers as forwarders.
You still need to keep an eye on it. Several (larger) ISPs have started
doing the same tricks with their primary customer DNS servers. Usually
they offer non-fscked DNS servers for clueful admins, but prying the
address(es) of those servers out of their knowledge base or support drones
can be a challenge.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Perfect Security and Absolute Safety are unattainable; beware
those who would try to sell them to you, regardless of the cost,
for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
71 days since Obama's inauguration and still no unicorn!
Re: OpenDNS and Spamassassin
Posted by mouss <mo...@ml.netoyen.net>.
RW wrote:
> On Fri, 3 Apr 2009 01:12:17 +0200 (CEST)
> "Benny Pedersen" <me...@junc.org> wrote:
>
>> On Fri, April 3, 2009 00:31, Mike Bostock wrote:
>>> Noted the stuff about OpenDNS being "not a proper DNS" and, as I
>>> have squid set up but not in use, I may just point squid at it
>>> and go back to using my ISP's DNS servers as forwarders.
>> bind works better without forwarders, it's a common error to believe isp
>> can handle more loads and cache, but no localhost rules
>
> Going through a forwarder cuts down the number of round trips, which
> can be a major speedup if you have poor latency. It can also insulate
> you, somewhat, from slow authoritative servers.
>
may be. but on the other hand, attackers need to target fewer servers.
For example, the impact of cache poisoning attacks is higher at sites
that forward for many clients...
I stopped using my ISP forwarder the day it told me my IP was listed on
spamhaus. be it a bug or a cache poison, I really don't care.
and I didn't notice any performance issues after I removed the forwarder.
Re: OpenDNS and Spamassassin
Posted by RW <rw...@googlemail.com>.
On Fri, 3 Apr 2009 01:12:17 +0200 (CEST)
"Benny Pedersen" <me...@junc.org> wrote:
>
> On Fri, April 3, 2009 00:31, Mike Bostock wrote:
> > Noted the stuff about OpenDNS being "not a proper DNS" and, as I
> > have squid set up but not in use, I may just point squid at it
> > and go back to using my ISP's DNS servers as forwarders.
>
> bind works better without forwarders, it's a common error to believe isp
> can handle more loads and cache, but no localhost rules
Going through a forwarder cuts down the number of round trips, which
can be a major speedup if you have poor latency. It can also insulate
you, somewhat, from slow authoritative servers.
Re: OpenDNS and Spamassassin
Posted by Benny Pedersen <me...@junc.org>.
On Fri, April 3, 2009 00:31, Mike Bostock wrote:
> Noted the stuff about OpenDNS being "not a proper DNS" and, as I
> have squid set up but not in use, I may just point squid at it
> and go back to using my ISP's DNS servers as forwarders.
bind works better without forwarders, it's a common error to believe isp
can handle more loads and cache, but no localhost rules
--
http://localhost/ 100% uptime and 100% mirrored :)
Re: OpenDNS and Spamassassin
Posted by Mike Bostock <sp...@yew-tree.co.uk>.
In your message regarding Re: OpenDNS and Spamassassin dated 02/04/2009,
Evan Platt said ...
>EP- At 02:52 PM 4/2/2009, you wrote:
> >Personally I wouldn't use OpenDNS on a server (except maybe for
> >squid). It's not a normal DNS server, it does things that are aimed at
> >browsers like spelling correction, and redirecting failures to its own
> >web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
> >and I wouldn't be surprised if other tests are affected too.
>EP- Agreed. Bad idea.
>EP- One of our corporate customers for some reason wanted an opendns
>EP- server configured at their office, in addition to their dns servers.
>EP- They called when people weren't able to VPN using a Non FQDN (which
>EP- internally resolves on their dns - ie "eastcoast.home").
>EP- I logged into our server, and saw the OpenDNS was resolving
>EP- EVERYTHING - blah.blah , nothing.nothing, etc.
>EP- Sorry, OpenDNS had to go.
Thanks for the rapid response. Can I send all my BIND questions here? ;-)
Thanks especially to "Yet Another Ninja" for pointing me in exactly the
right direction.
Noted the stuff about OpenDNS being "not a proper DNS" and, as I have
squid set up but not in use, I may just point squid at it and go back to
using my ISP's DNS servers as forwarders.
Thanks again.
--
Mike
Re: OpenDNS and Spamassassin
Posted by Evan Platt <ev...@espphotography.com>.
At 02:52 PM 4/2/2009, you wrote:
>Personally I wouldn't use OpenDNS on a server (except maybe for
>squid). It's not a normal DNS server, it does things that are aimed at
>browsers like spelling correction, and redirecting failures to its own
>web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
>and I wouldn't be surprised if other tests are affected too.
Agreed. Bad idea.
One of our corporate customers for some reason wanted an opendns
server configured at their office, in addition to their dns servers.
They called when people weren't able to VPN using a Non FQDN (which
internally resolves on their dns - ie "eastcoast.home").
I logged into our server, and saw the OpenDNS was resolving
EVERYTHING - blah.blah , nothing.nothing, etc.
Sorry, OpenDNS had to go.
Re: OpenDNS and Spamassassin
Posted by RW <rw...@googlemail.com>.
On Thu, 2 Apr 2009 21:34:26 +0100
"Mike Bostock" <sp...@yew-tree.co.uk> wrote:
> Since starting to use OpenDNS and using their servers as forwarders
> for my server at home I am seeing loads of this below in the logs.
>
> named[]: unexpected RCODE (SERVFAIL) resolving
> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
>
> I am assuming it is SpamAssassin causing this but I could be wrong.
Personally I wouldn't use OpenDNS on a server (except maybe for
squid). It's not a normal DNS server, it does things that are aimed at
browsers like spelling correction, and redirecting failures to its own
web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
and I wouldn't be surprised if other tests are affected too.
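An added example, not part of any post in this thread: a small log check for the symptom in the original question, counting BIND "unexpected RCODE" lines per forwarder for blocklist zones, so an admin can see which forwarder the DNSBL lookups are failing through. The sample log is constructed around the one line quoted in the thread (joined onto a single line); the second watched zone, the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# multi.uribl.com comes from the thread; the second zone is an assumed addition.
WATCHED_ZONES = ("multi.uribl.com", "multi.surbl.org")
FAIL_RCODES = {"SERVFAIL", "REFUSED"}

# Matches: named[pid]: unexpected RCODE (X) resolving 'name/TYPE/CLASS': ip#port
LINE_RE = re.compile(
    r"named\[\d*\]: unexpected RCODE \((?P<rcode>[A-Z]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

def parse_line(line):
    """Return a dict for one 'unexpected RCODE' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    zone = next((z for z in WATCHED_ZONES if qname.endswith("." + z)), None)
    # For a blocklist query the left-hand part is the domain that was looked up.
    checked = qname[: -len(zone) - 1] if zone else None
    return {"rcode": m.group("rcode"), "qname": qname, "zone": zone,
            "checked": checked, "server": m.group("server")}

def summarize(lines):
    """Count failed blocklist lookups per (forwarder, zone)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["zone"] and rec["rcode"] in FAIL_RCODES:
            counts[(rec["server"], rec["zone"])] += 1
    return counts

def failing_forwarders(lines, threshold=2):
    """Forwarders with at least `threshold` failed blocklist lookups."""
    per_server = Counter()
    for (server, _zone), n in summarize(lines).items():
        per_server[server] += n
    return sorted(s for s, n in per_server.items() if n >= threshold)

# Constructed sample; the first entry is the line quoted in the thread.
SAMPLE_LOG = [
    "Apr  2 22:30:01 mail named[]: unexpected RCODE (SERVFAIL) resolving "
    "'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53",
    "Apr  2 22:30:04 mail named[412]: unexpected RCODE (SERVFAIL) resolving "
    "'example.org.multi.uribl.com/A/IN': 208.67.220.220#53",
    "Apr  2 22:30:09 mail named[412]: unexpected RCODE (SERVFAIL) resolving "
    "'www.example.net/A/IN': 192.0.2.53#53",
    "Apr  2 22:30:11 mail named[412]: zone example.org/IN: loaded serial 3",
]

if __name__ == "__main__":
    for (server, zone), n in summarize(SAMPLE_LOG).items():
        print(f"{n} failed {zone} lookups via {server}")
    print("forwarders to review:", failing_forwarders(SAMPLE_LOG))
```

A forwarder that shows up here while ordinary lookups through it succeed points at the blocklist queries being refused for that shared resolver rather than at a local BIND fault.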