Posted to users@spamassassin.apache.org by Mike Bostock <sp...@yew-tree.co.uk> on 2009/04/02 22:34:26 UTC

OpenDNS and Spamassassin

Since starting to use OpenDNS and using their servers as forwarders for my
server at home I am seeing loads of this below in the logs.

named[]: unexpected RCODE (SERVFAIL) resolving
'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53

I am assuming it is SpamAssassin causing this but I could be wrong.

If anyone can point me in the direction of some assistance I would be very
grateful.

-- 
Mike
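
Added example, not part of the original post: a small parser for the `unexpected RCODE` line quoted above that counts failed blocklist lookups per zone and upstream server, which shows how many URI-blocklist checks are getting no answer through the forwarder. The zone list beyond `multi.uribl.com`, the function names and the sample log are assumptions made for illustration.

```python
import re
from collections import Counter

# Blocklist zones to attribute failures to. multi.uribl.com comes from the
# thread's log line; the other two are the SURBL and Spamhaus zones (assumed
# to be in use on the reader's filter).
DNSBL_ZONES = ("multi.uribl.com", "multi.surbl.org", "zen.spamhaus.org")

# BIND's "unexpected RCODE" message, in the form quoted in the thread.
RCODE_RE = re.compile(
    r"unexpected RCODE \((?P<rcode>[A-Z]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def parse_line(line):
    """Return a dict for an 'unexpected RCODE' line, or None for other lines."""
    m = RCODE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    qname = rec["qname"].rstrip(".").lower()
    zone = next((z for z in DNSBL_ZONES if qname.endswith("." + z)), None)
    rec["zone"] = zone
    # What the filter was checking is whatever precedes the blocklist zone.
    rec["looked_up"] = qname[: -len(zone) - 1] if zone else None
    return rec

def summarize(lines):
    """Count failed blocklist lookups per (zone, upstream server, rcode)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["zone"]:
            counts[(rec["zone"], rec["server"], rec["rcode"])] += 1
    return counts

# Constructed sample log. The first entry is the thread's line joined onto one
# line; hostnames, timestamps, PIDs and the remaining entries are made up.
SAMPLE = [
    "Apr  2 22:30:01 mx named[1234]: unexpected RCODE (SERVFAIL) resolving 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53",
    "Apr  2 22:30:02 mx named[1234]: unexpected RCODE (SERVFAIL) resolving 'example.org.multi.uribl.com/A/IN': 208.67.220.220#53",
    "Apr  2 22:30:03 mx named[1234]: unexpected RCODE (REFUSED) resolving 'example.net.multi.surbl.org/A/IN': 208.67.220.220#53",
    "Apr  2 22:30:04 mx named[1234]: unexpected RCODE (SERVFAIL) resolving 'www.example.com/A/IN': 192.0.2.53#53",
    "Apr  2 22:30:05 mx named[1234]: zone example.com/IN: loaded serial 2009040201",
]

if __name__ == "__main__":
    for (zone, server, rcode), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {rcode:9s} {zone} via {server}")
```
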



Re: OpenDNS and Spamassassin

Posted by Jari Fredriksson <ja...@iki.fi>.
> On 4/2/2009 10:34 PM, Mike Bostock wrote:
>> 
>> If anyone can point me in the direction of some
>> assistance I would be very grateful.
>> 
> 
> http://forums.opendns.com/comments.php?DiscussionID=3423&page=1

http://www.opendns.com/support/article/33



Re: FW: OpenDNS and Spamassassin

Posted by Rob McEwen <ro...@invaluement.com>.
Michael Scheidell wrote:
> Uribl should probably get an rsync of the zones, if they are doing 50mm
> queries a day, imagine what will hit urlbl servers directly, since opendns
> caches the queries.
>
> (I think a opendns does this with some of the more popular zones anyway)
> This would be good for opendns and urlbl

I can't speak for uribl, but I do have first hand evidence that many
quickly try to use OpenDNS as a means to get around paying subscriptions
to commercial DNSBLs, or partly commercial DNSBLs. (I highly doubt that
very much of this is from sys admins who happened to already use OpenDNS
and then tried out uribl.)

Therefore, if URIBL provided OpenDNS an rsync feed, three things would
happen:

(1) MANY ISPs and spam filtering vendors would flock to it to avoid
having to pay for a URIBL data feed

(2) MUCH of uribl's current revenue would dry up, making the long-term
viability of uribl more 'at risk'

(3) Finally, OpenDNS would get so massively slammed with queries in a
way that does NOT generate revenue for OpenDNS... only more expense,
more servers to manage, and more bandwidth... such that THEY would be
the ones shutting this down (eventually)

Therefore, the best solution is for OpenDNS to simply cut these queries
off "in house" before they even have a chance of hitting URIBL, thus
saving them and URIBL some CPU cycles and bandwidth (I'd bet that this
is already happening)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



FW: OpenDNS and Spamassassin

Posted by Michael Scheidell <sc...@secnap.net>.



> 
> http://forums.opendns.com/comments.php?DiscussionID=3423&page=1
> 

>> 
Uribl should probably get an rsync of the zones, if they are doing 50mm
queries a day, imagine what will hit urlbl servers directly, since opendns
caches the queries.

(I think a opendns does this with some of the more popular zones anyway)

This would be good for opendns and urlbl

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Finalist 2009 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer


------ End of Forwarded Message


Re: OpenDNS and Spamassassin

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 4/2/2009 10:34 PM, Mike Bostock wrote:
> Since starting to use OpenDNS and using their servers as forwarders for my
> server at home I am seeing loads of this below in the logs.
> 
> named[]: unexpected RCODE (SERVFAIL) resolving
> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
> 
> I am assuming it is SpamAssassin causing this but I could be wrong.
> 
> If anyone can point me in the direction of some assistance I would be very
> grateful.
> 

http://forums.opendns.com/comments.php?DiscussionID=3423&page=1


Re: OpenDNS and Spamassassin

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> Personally I wouldn't use OpenDNS on a server (except maybe for
>> squid). It's not a normal DNS server, it does things that are aimed at
>> browsers like spelling correction, and redirecting failures to its own
>> web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
>> and I wouldn't be surprised if other tests are affected too.

> While this is generally true of most DNS services LIKE OpenDNS, OpenDNS 
> itself is pretty clueful. Unlike the people at uribl...
>
> "onoes, we're getting 50 million hits a day from openDNS, let's block them, 
> annoy all their users, and not reduce our hits at all because people will 
> simply reconfigure to hit us directly instead of via OpenDNS. But at least 
> those 50 million hits will be over slower links, and consume more of our 
> resources.  yeah, that's a GREAT idea."
>
> Or am I wrong?  I could be wrong.

Yes you are and think twice before posting a statement like this. It 
doesn't make you look smart judging about things you have no clue about at 
all. Things like this don't fall out of the sky just like that, most likely 
there is a history.

More RBL providers are talking about this with OpenDNS and yes many large 
companies try to walk around RBL policies and switch to OpenDNS and this 
is one of the reasons they are blocked by not only URIBL but several RBL 
providers. We (SURBL) have the same issues and are talking in depth with 
OpenDNS to get this resolved.

I feel sorry for you if you start shouting around people at URIBL are not 
clueful, this is your problem and I don't share this with you.

Knowing you and seeing what you do on mailing lists this will most likely 
turn out in a never-ending thread. Bare you, this is a one time post. I 
have said what I wanted. No need to argue about it.

Bye,
Raymond.



Re: OpenDNS and Spamassassin

Posted by Benny Pedersen <me...@junc.org>.
On Fri, April 3, 2009 02:24, LuKreme wrote:
> Or am I wrong?  I could be wrong.

Bittorrent is slow too :)

firefox with proxy to squid on a host with multi-isp uplinks is bad
also, since it just use one isp lines that are slow

dns is udp, and works very fast if one lets it, what uribl can do is
to extend cache ttl if their servers can't handle the loads

-- 
http://localhost/ 100% uptime and 100% mirrored :)


Re: OpenDNS and Spamassassin

Posted by LuKreme <kr...@kreme.com>.
On 2-Apr-2009, at 15:52, RW wrote:
> On Thu, 2 Apr 2009 21:34:26 +0100
> "Mike Bostock" <sp...@yew-tree.co.uk> wrote:
>
>> Since starting to use OpenDNS and using their servers as forwarders
>> for my server at home I am seeing loads of this below in the logs.
>>
>> named[]: unexpected RCODE (SERVFAIL) resolving
>> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
>>
>> I am assuming it is SpamAssassin causing this but I could be wrong.
>
> Personally I wouldn't use OpenDNS on a server (except maybe for
> squid). It's not a normal DNS server, it does things that are aimed at
> browsers like spelling correction, and redirecting failures to its
> own
> web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
> and I wouldn't be surprised if other tests are affected too.

While this is generally true of most DNS services LIKE OpenDNS,  
OpenDNS itself is pretty clueful. Unlike the people at uribl...

"onoes, we're getting 50 million hits a day from openDNS, let's block  
them, annoy all their users, and not reduce our hits at all because  
people will simply reconfigure to hit us directly instead of via  
OpenDNS. But at least those 50 million hits will be over slower links,  
and consume more of our resources.  yeah, that's a GREAT idea."

Or am I wrong?  I could be wrong.

-- 
There is NO Rule six!


Re: OpenDNS and Spamassassin

Posted by Aaron Wolfe <aa...@gmail.com>.
On Thu, Apr 2, 2009 at 8:32 PM, LuKreme <kr...@kreme.com> wrote:
> On 2-Apr-2009, at 15:56, Evan Platt wrote:
>>
>> I logged into our server, and saw the OpenDNS was resolving EVERYTHING -
>> blah.blah , nothing.nothing, etc.
>
> This is not an OpenDNS problem, this is a problem with the know-nothing who
> set it up for their system.  I used OpenDNS for quite a while on my
> mailserver (several months) and had no such issue.
>
> Configure it right, and it works quite well, and it is VERY configurable.
>
>> Sorry, OpenDNS had to go.
>
>
> Or, you know, configured correctly.
>
> Each of these is a configuration option:
>

Trusting a critical service required by your network to a third party
whose basic business model involves tampering with that service seems
irresponsible at best.

Sure, you can disable all these "features" now, but when the
XYZfreeDNS marketing guys push for the next Big Thing to be enabled by
default, it's now your Big Problem.

DNS matters. It needs to work correctly *and* fail correctly.  I'm not
saying OpenDNS has any bad intentions, but their motivation to change
DNS behavior is pretty clear.

If your mail just isn't important then maybe it's a neat thing, but
considering how easy it is to set up a working local DNS, I just don't
see the value.

-Aaron

> Allow users to create child networks
>
> Enable stats and logs
>
> Enable typo correction
>        Exceptions for VPN users
>        Enable filtering of .cm wildcard
>
> Block internal IP addresses
>
> Apply my shortcuts to this network
>        Makes all your shortcuts work on this network, whether you're signed
> in or not.
>
> Enable OpenDNS proxy
>        Routes certain address bar requests through a simple proxy, ensuring
> that your shortcuts and other OpenDNS features always work. For more
> details, including potential privacy issues you should be aware of, read our
> KB article.
>
> Enable Botnet protection on this network
>        Blocks infected computers on your network from connecting to botnet
> central controllers. At this time, this feature blocks the Conficker virus,
> and will be expanded to include others.
>
> --
> You and me
> Sunday driving
> Not arriving
>
>

Re: OpenDNS and Spamassassin

Posted by Evan Platt <ev...@espphotography.com>.
At 05:32 PM 4/2/2009, you wrote:
>On 2-Apr-2009, at 15:56, Evan Platt wrote:
>>I logged into our server, and saw the OpenDNS was resolving
>>EVERYTHING - blah.blah , nothing.nothing, etc.
>
>This is not an OpenDNS problem, this is a problem with the know-nothing
>who set it up for their system.  I used OpenDNS for quite a while on
>my mailserver (several months) and had no such issue.
>
>Configure it right, and it works quite well, and it is VERY
>configurable.

<Snip - configuration options>

So - which option is that? Enable typo correction ?

I don't see how resolving blah.blah to an OpenDNS IP is a typo correction....


Re: OpenDNS and Spamassassin

Posted by LuKreme <kr...@kreme.com>.
On 2-Apr-2009, at 15:56, Evan Platt wrote:
> I logged into our server, and saw the OpenDNS was resolving  
> EVERYTHING - blah.blah , nothing.nothing, etc.

This is not an OpenDNS problem, this is a problem with the know-nothing
who set it up for their system.  I used OpenDNS for quite a while on  
my mailserver (several months) and had no such issue.

Configure it right, and it works quite well, and it is VERY  
configurable.

> Sorry, OpenDNS had to go.


Or, you know, configured correctly.

Each of these is a configuration option:

Allow users to create child networks

Enable stats and logs

Enable typo correction
	Exceptions for VPN users
	Enable filtering of .cm wildcard

Block internal IP addresses

Apply my shortcuts to this network
	Makes all your shortcuts work on this network, whether you're signed  
in or not.

Enable OpenDNS proxy
	Routes certain address bar requests through a simple proxy, ensuring  
that your shortcuts and other OpenDNS features always work. For more  
details, including potential privacy issues you should be aware of,  
read our KB article.

Enable Botnet protection on this network
	Blocks infected computers on your network from connecting to botnet  
central controllers. At this time, this feature blocks the Conficker  
virus, and will be expanded to include others.

-- 
You and me
Sunday driving
Not arriving


Re: OpenDNS and Spamassassin

Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Apr 2009, Mike Bostock wrote:

> Noted the stuff about OpenDNS being "not a proper DNS" and, as I have 
> squid set up but not in use, I may just point squid at it and go back to 
> using my ISP's DNS servers as forwarders.

You still need to keep an eye on it. Several (larger) ISPs have started 
doing the same tricks with their primary customer DNS servers. Usually 
they offer non-fscked DNS servers for clueful admins, but prying the 
address(es) of those servers out of their knowledge base or support drones 
can be a challenge.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  71 days since Obama's inauguration and still no unicorn!

Re: OpenDNS and Spamassassin

Posted by mouss <mo...@ml.netoyen.net>.
RW wrote:
> On Fri, 3 Apr 2009 01:12:17 +0200 (CEST)
> "Benny Pedersen" <me...@junc.org> wrote:
> 
>> On Fri, April 3, 2009 00:31, Mike Bostock wrote:
>>> Noted the stuff about OpenDNS being "not a proper DNS" and, as I
>>> have squid set up but not in use, I may just point squid at it
>>> and go back to using my ISP's DNS servers as forwarders.
>> bind works better without forwarders, it common error to believe isp
>> can handle more loads and cache, but no localhost rules
> 
> Going through a forwarder cuts down the number of round trips, which
> can be a major speedup if you have poor latency. It can also insulate
> you, somewhat, from slow authoritative servers.
> 

may be. but on the other hand, attackers need to target fewer servers.
For example, the impact of cache poisoning attacks is higher at sites
that forward for many clients...

I stopped using my ISP forwarder the day it told me my IP was listed on
spamhaus. be it a bug or a cache poison, I really don't care.

and I didn't notice any performance issues after I removed the forwarder.

Re: OpenDNS and Spamassassin

Posted by RW <rw...@googlemail.com>.
On Fri, 3 Apr 2009 01:12:17 +0200 (CEST)
"Benny Pedersen" <me...@junc.org> wrote:

> 
> On Fri, April 3, 2009 00:31, Mike Bostock wrote:
> > Noted the stuff about OpenDNS being "not a proper DNS" and, as I
> > have squid set up but not in use, I may just point squid at it
> > and go back to using my ISP's DNS servers as forwarders.
> 
> bind works better without forwarders, it common error to believe isp
> can handle more loads and cache, but no localhost rules

Going through a forwarder cuts down the number of round trips, which
can be a major speedup if you have poor latency. It can also insulate
you, somewhat, from slow authoritative servers.




Re: OpenDNS and Spamassassin

Posted by Benny Pedersen <me...@junc.org>.
On Fri, April 3, 2009 00:31, Mike Bostock wrote:
> Noted the stuff about OpenDNS being "not a proper DNS" and, as I
> have squid set up but not in use, I may just point squid at it
> and go back to using my ISP's DNS servers as forwarders.

bind works better without forwarders, it common error to believe isp
can handle more loads and cache, but no localhost rules

-- 
http://localhost/ 100% uptime and 100% mirrored :)


Re: OpenDNS and Spamassassin

Posted by Mike Bostock <sp...@yew-tree.co.uk>.
In your message regarding Re: OpenDNS and Spamassassin dated 02/04/2009,
Evan Platt said ...
>EP- At 02:52 PM 4/2/2009, you wrote: 
> >Personally I wouldn't use OpenDNS on a server (except maybe for 
> >squid). It's not a normal DNS server, it does things that are aimed at 
> >browsers like spelling correction, and redirecting failures to its own
> >web servers. The latter presumably breaks the NO_DNS_FOR_FROM test, 
> >and I wouldn't be surprised if other tests are affected too. 
 
>EP- Agreed. Bad idea. 
 
>EP- One of our corporate customers for some reason wanted an opendns  
>EP- server configured at their office, in addition to their dns servers. 
 
>EP- They called when people weren't able to VPN using a Non FQDN (which  
>EP- internally resolves on their dns - ie "eastcoast.home". 
 
>EP- I logged into our server, and saw the OpenDNS was resolving  
>EP- EVERYTHING - blah.blah , nothing.nothing, etc. 
 
>EP- Sorry, OpenDNS had to go.  


Thanks for the rapid response.  Can I send all my BIND questions here? ;-)

Thanks especially to "Yet Another Ninja" for pointing me in exactly the
right direction.

Noted the stuff about OpenDNS being "not a proper DNS" and, as I have
squid set up but not in use, I may just point squid at it and go back to
using my ISP's DNS servers as forwarders.  

Thanks again.


-- 
Mike



Re: OpenDNS and Spamassassin

Posted by Evan Platt <ev...@espphotography.com>.
At 02:52 PM 4/2/2009, you wrote:
>Personally I wouldn't use OpenDNS on a server (except maybe for
>squid). It's not a normal DNS server, it does things that are aimed at
>browsers like spelling correction, and redirecting failures to its own
>web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
>and I wouldn't be surprised if other tests are affected too.

Agreed. Bad idea.

One of our corporate customers for some reason wanted an opendns 
server configured at their office, in addition to their dns servers.

They called when people weren't able to VPN using a Non FQDN (which 
internally resolves on their dns - ie "eastcoast.home").

I logged into our server, and saw the OpenDNS was resolving 
EVERYTHING - blah.blah , nothing.nothing, etc.

Sorry, OpenDNS had to go. 


Re: OpenDNS and Spamassassin

Posted by RW <rw...@googlemail.com>.
On Thu, 2 Apr 2009 21:34:26 +0100
"Mike Bostock" <sp...@yew-tree.co.uk> wrote:

> Since starting to use OpenDNS and using their servers as forwarders
> for my server at home I am seeing loads of this below in the logs.
> 
> named[]: unexpected RCODE (SERVFAIL) resolving
> 'btinternet.com.multi.uribl.com/A/IN': 208.67.220.220#53
> 
> I am assuming it is SpamAssassin causing this but I could be wrong.

Personally I wouldn't use OpenDNS on a server (except maybe for
squid). It's not a normal DNS server, it does things that are aimed at
browsers like spelling correction, and redirecting failures to its own
web servers. The latter presumably breaks the NO_DNS_FOR_FROM test,
and I wouldn't be surprised if other tests are affected too.
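
Added example, not part of the original thread: a check for the behaviour described in this message and in the "blah.blah" report elsewhere in the thread, where a resolver answers for names that cannot exist instead of returning NXDOMAIN. The function names and the injectable `lookup` parameter are assumptions made for illustration; by default the probe uses the host's configured resolver.

```python
import secrets
import socket

def system_lookup(name):
    """Resolve through the host's configured resolver; None means no address."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is raised for NXDOMAIN and other failures
        return None

def probe_names(count=3):
    """Build random names that must not exist.

    '.invalid' is a reserved TLD (RFC 2606). Some local resolvers answer it
    themselves without asking upstream, so each probe is paired with a random
    'label.label' name, the same shape as the blah.blah case in the thread.
    """
    names = []
    for _ in range(count):
        label = secrets.token_hex(8)
        names.append(f"{label}.invalid")
        names.append(f"{label}.{label}")
    return names

def check_nxdomain(lookup=system_lookup, count=3):
    """Probe the resolver and report any non-existent names that got an answer."""
    answers = {}
    for name in probe_names(count):
        addr = lookup(name)
        if addr is not None:
            answers[name] = addr
    return {
        "rewritten": bool(answers),                    # True: failures are being redirected
        "answers": answers,                            # probe name -> address returned
        "landing_ips": sorted(set(answers.values())),  # where failures are sent
    }

if __name__ == "__main__":
    result = check_nxdomain()
    if result["rewritten"]:
        print("resolver answers for non-existent names:", result["landing_ips"])
    else:
        print("resolver returned no address for every probe name")
```

Run it on the mail server itself, so the probe goes through the same forwarder path the spam filter's DNS tests use.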