Posted to users@spamassassin.apache.org by Michelle Konzack <li...@tamay-dogan.net> on 2011/04/26 01:24:49 UTC

How to prevent SA to make as112 calls?

Hi *,

since I have been using a "Vodafone Easybox 803A" I have noticed that SA is
making several thousand as112¹ calls per day...

My Intranet uses <192.168.0.*> and <*.private.tamay-dogan.net> and has worked
correctly for ages, but can someone give me tips on how to stop SA from
checking private IPs?

¹ <http://public.as112.net/>

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL       itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                 Kinzigstraße 17
67100 Strasbourg/France           77694 Kehl/Germany
Tel: +33-6-61925193 mobil         Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle@jabber.ccc.de

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Re: How to prevent SA to make as112 calls?

Posted by SM <sm...@resistor.net>.
At 05:09 28-04-2011, Michelle Konzack wrote:
>It has nothing to do with my mail server, because SA makes the requests
>to other DNS servers and then I get the UDP flood alarm...

See http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help-05

>04/24/2011  23:52:56 **UDP flood** 192.168.0.69, 17549->> 
>173.45.100.146, 53 (from COM1 Outbound)

You can create the zones mentioned in 
http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones-15

Regards,
-sm 


Re: How to prevent SA to make as112 calls?

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Niamh Holding,

On 2011-04-28 07:08:54, you hacked out the following:
> Don't you want to trust back to 78.47.247.21 and no further?

It has nothing to do with my mail server, because SA makes the requests
to other DNS servers and then I get the UDP flood alarm...

04/24/2011  23:52:56 **UDP flood** 192.168.0.69, 17549->> 173.45.100.146, 53 (from COM1 Outbound)
04/24/2011  23:53:26 SMTP> Succeed in sending alert mail.
04/24/2011  23:54:22 **UDP Flood Stop**        
04/24/2011  23:54:52 SMTP> Succeed in sending alert mail.
<snip>
04/26/2011  18:57:04 **UDP flood** 192.168.0.69, 22425->> 84.53.146.21, 53 (from COM1 Outbound)
04/26/2011  18:57:06 **UDP flood** 192.168.0.69, 24812->> 216.239.38.10, 53 (from COM1 Outbound)
04/26/2011  18:57:08 **UDP flood** 192.168.0.69, 37682->> 80.157.149.228, 53 (from COM1 Outbound)
04/26/2011  18:57:10 **UDP Flood Stop**  (from COM1 Outbound)
04/26/2011  18:57:34 SMTP> Succeed in sending alert mail.
04/26/2011  18:58:04 SMTP> Succeed in sending alert mail.
04/26/2011  18:58:34 SMTP> Succeed in sending alert mail.
04/26/2011  18:59:05 SMTP> Succeed in sending alert mail.

And the weird thing is, I was at a friend's with my second "EasyBox 803 A"
and it has the same problem there...  But then we disconnected the USB GSM
stick and plugged in the ISDN/ADSL line, and now the UDP floods are gone.

Which means it must have something to do with the private IP address
range <10.x.y.z> from Telefonica/O2, because on ADSL I have a public IP.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

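As an added example (not part of the thread, and not the router's or SpamAssassin's code), here is a small Python triage of the EasyBox log lines quoted in this post: it parses the flood records, keeps only flows that are UDP/53 from a private source to a public destination, and counts them per source host and per resolver hit. The sample log is constructed from the lines shown above; the regular expression and the "dns-egress" label are this example's own assumptions about the log format.

```python
"""Added example (not from the thread): triage EasyBox 'UDP flood' log lines
by asking, for each flow, whether it is a DNS query leaving a private
address for a public resolver. Log format assumptions are this example's own."""
import ipaddress
import re

# Constructed sample, copied from the lines the poster quoted from the router.
ROUTER_LOG = """\
04/24/2011  23:52:56 **UDP flood** 192.168.0.69, 17549->> 173.45.100.146, 53 (from COM1 Outbound)
04/24/2011  23:53:26 SMTP> Succeed in sending alert mail.
04/24/2011  23:54:22 **UDP Flood Stop**
04/26/2011  18:57:04 **UDP flood** 192.168.0.69, 22425->> 84.53.146.21, 53 (from COM1 Outbound)
04/26/2011  18:57:06 **UDP flood** 192.168.0.69, 24812->> 216.239.38.10, 53 (from COM1 Outbound)
04/26/2011  18:57:08 **UDP flood** 192.168.0.69, 37682->> 80.157.149.228, 53 (from COM1 Outbound)
04/26/2011  18:57:10 **UDP Flood Stop**  (from COM1 Outbound)
"""

# Matches only the flow records ("**UDP flood** src, sport->> dst, dport");
# the "Flood Stop" markers and SMTP alert lines deliberately do not match.
FLOOD_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*\*UDP flood\*\*\s+(?P<src>[\d.]+),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>[\d.]+),\s*(?P<dport>\d+)"
)

def parse_flood_events(text):
    """Turn the flow records in a router log into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = FLOOD_RE.match(line)
        if not m:
            continue
        events.append({
            "when": f"{m['date']} {m['time']}",
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return events

def classify(event):
    """'dns-egress' when a private host sends UDP/53 to a public address
    (the pattern the thread is about), otherwise 'other'."""
    if (event["dport"] == 53 and event["src"].is_private
            and not event["dst"].is_private):
        return "dns-egress"
    return "other"

def summarize(text):
    """Count DNS egress flows per source host and list the resolvers hit."""
    per_src = {}
    resolvers = set()
    for ev in parse_flood_events(text):
        if classify(ev) == "dns-egress":
            key = str(ev["src"])
            per_src[key] = per_src.get(key, 0) + 1
            resolvers.add(str(ev["dst"]))
    return per_src, sorted(resolvers)

if __name__ == "__main__":
    hosts, resolvers = summarize(ROUTER_LOG)
    print("DNS egress flows per host:", hosts)
    print("resolvers contacted:", resolvers)
```

Run it over the log saved from the router. A non-empty result pins the traffic to one LAN host and to the resolvers it talks to, which is the point at which a packet capture on that host (as suggested elsewhere in the thread) can show which process is sending the queries.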

Re: How to prevent SA to make as112 calls?

Posted by Niamh Holding <ni...@fullbore.co.uk>.
Hello Michelle,

Thursday, April 28, 2011, 5:29:09 AM, you wrote:

MK> I do not know whether I should do this, because the 10.x.y.z comes  from
MK> my ISP (Telefonica/O2) and from the view of my network, it is OUTSIDE.

Don't you want to trust back to 78.47.247.21 and no further?

-- 
Best regards,
 Niamh                            mailto:niamh@fullbore.co.uk

Re: How to prevent SA to make as112 calls?

Posted by Per Jessen <pe...@computer.org>.
Michelle Konzack wrote:

> The request was made on my Workstation <192.168.0.91> where  the  NS 
> is <192.168.0.74>.  So, from the AUTHORITY SECTION I can see, my NS 
> server has asked the Internet (as a forwarder) and the response came 
> from  the server <prisoner.iana.org> which is a part of the AS112
> project. 
> 
> Blocking anything except <192.168.0>, <192.168.1> and <192.168.2> 
> would mean I have to set up blocks on thousands of subnets...

Surely someone has already suggested you run a local nameserver as
authoritative for the rfc1918 networks?  I agree that it has to be
possible to stop SA (or whoever it is) from making those lookups, but
until you've cured the problem, a local authoritative nameserver will
at least deal with the symptoms. 


/Per Jessen, Zürich
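
As an added example (not from the thread, and not the poster's actual configuration), the Python below computes the RFC1918 reverse zones listed in the default-local-zones draft that SM cited, renders one BIND 9 "empty" zone stanza per zone, and reports which configured zone would answer a given PTR lookup. The zone file path /etc/bind/db.empty and the stanza form are assumptions. The coverage check shows why a single 168.192.in-addr.arpa zone on the local nameserver answers for every 192.168.x subnet, which is Per's point: no per-subnet blocks are needed.

```python
"""Added example (not from the thread, not the poster's configuration):
empty reverse zones for RFC1918 space, so PTR lookups for private addresses
stop at the local nameserver instead of being forwarded to AS112."""
import ipaddress

def rfc1918_reverse_zones():
    """Reverse zones for 10/8, 172.16/12 and 192.168/16 as listed in
    draft-ietf-dnsop-default-local-zones (18 zones in total)."""
    zones = ["10.in-addr.arpa"]
    zones += [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
    zones.append("168.192.in-addr.arpa")
    return zones

def reverse_name(ip):
    """The name 'dig -x' asks for: '192.168.5.5' -> '5.5.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer

def serving_zone(ip, zones):
    """Most specific zone in `zones` containing the PTR name for `ip`, or None
    when the resolver has to forward the query upstream (the situation behind
    the NXDOMAIN from prisoner.iana.org shown in the thread)."""
    labels = reverse_name(ip).split(".")
    best = None
    for zone in zones:
        zl = zone.split(".")
        if labels[-len(zl):] == zl and (best is None or len(zl) > len(best.split("."))):
            best = zone
    return best

def named_conf_stanzas(zones, empty_file="/etc/bind/db.empty"):
    """One authoritative master stanza per zone, BIND 9 syntax. The file path
    is an assumption; any zone file holding only SOA and NS records works."""
    return "\n".join(
        f'zone "{z}" {{ type master; file "{empty_file}"; notify no; }};'
        for z in zones
    )

if __name__ == "__main__":
    local_only = ["0.168.192.in-addr.arpa"]       # the one reverse zone in the thread
    print(serving_zone("192.168.5.5", local_only))  # None: would be forwarded upstream
    print(serving_zone("192.168.5.5", local_only + rfc1918_reverse_zones()))
    print(named_conf_stanzas(rfc1918_reverse_zones()))
```

The more specific 0.168.192.in-addr.arpa zone keeps precedence over the broad 168.192.in-addr.arpa one, so existing PTR records for the real subnet are unaffected; only the lookups that would otherwise leave the network get an immediate local NXDOMAIN.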


Re: How to prevent SA to make as112 calls?

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Martin Gregorie,

On 2011-04-28 19:35:18, you hacked out the following:
> CORRECTIONS:
> 
> > That looks OK. I assume you've configured the server to be authoritative
> > for the private.tamay-dogan.net domain, in which case:
> > 
> > a) requests for unknown host names will be rejected immediately as
> >    'unknown'

----[ command 'dig ANY dns.private.tamay-dogan.net' ]----------
dns.private.tamay-dogan.net. 14400 IN	A	192.168.0.74
dns.private.tamay-dogan.net. 14400 IN	RRSIG	A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. FPdc7WqUMorG6dmXcQk4MqYoMYuJ9U7he1njvlmBvMYNmC0NIU2MtuYg aUNihHnNPZv4ZBA2+FyEaSM5AqWMQXX6botpdBrxgHewG6wVSCXaYdks XdL4udOeIWYBaHk6INHhz5Xr/FDFUKg5xg81xuShpp5ivte0dTwiKfyt 4BM=
dns.private.tamay-dogan.net. 86400 IN	NSEC	easybox.private.tamay-dogan.net. A RRSIG NSEC
dns.private.tamay-dogan.net. 86400 IN	RRSIG	NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. ii4Ev9wmqiKJV+zGD3rMZ0nzjh4OauxswC9qnAFgdPRyL12EszGkDW6j kxU/SNFoK1T6F2ojNOCVJjLDPjV3/yrVlKoWeB1EJZZFyzafXF3bKBYi WHlGaBiIX3Sf3c2d4pAYShwK1rBIiUyEvlcBVMRGNUshVdqscyRsacI+ bcQ=
private.tamay-dogan.net. 3600	IN	NS	dns.private.tamay-dogan.net.

real	0m0.019s
user	0m0.004s
sys	0m0.008s
------------------------------------------------------------------------

----[ command 'dig ANY spamassassin.private.tamay-dogan.net' ]----------
private.tamay-dogan.net. 3600	IN	SOA	dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real	0m0.020s
user	0m0.012s
sys	0m0.000s
------------------------------------------------------------------------

----[ command 'dig ANY spamassassin.tamay-dogan.net' ]------------------
tamay-dogan.net.	3600	IN	SOA	dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real	0m0.022s
user	0m0.000s
sys	0m0.008s
------------------------------------------------------------------------

----[ command 'time dig ANY spamer.foo.net' ]---------------------------
spamer.foobar.net.	300	IN	A	208.87.32.68
foobar.net.		172799	IN	NS	ns1.hostingnet.com.
foobar.net.		172799	IN	NS	ns2.hostingnet.com.
ns1.hostingnet.com.	3600	IN	A	208.87.32.72
ns2.hostingnet.com.	3600	IN	A	64.69.82.199

real	0m0.976s
user	0m0.000s
sys	0m0.016s
------------------------------------------------------------------------

> > b) requests for unknown IPs in outside subnet 0 will be rejected
>                                  ^^^^^^^
> >    immediately as 'unreachable'

----[ command 'time dig +all -x 192.168.5.5' ]--------------------------

; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37973
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.5.168.192.in-addr.arpa.	IN	ANY

;; AUTHORITY SECTION:
168.192.in-addr.arpa.	37	IN	SOA	prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400

;; Query time: 0 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:27:41 2011
;; MSG SIZE  rcvd: 119


real	0m0.022s
user	0m0.008s
sys	0m0.008s
------------------------------------------------------------------------

Oops?

The request was made on my workstation <192.168.0.91>, where the NS is
<192.168.0.74>.  So, from the AUTHORITY SECTION I can see that my NS server
has asked the Internet (as a forwarder) and the response came from the
server <prisoner.iana.org>, which is part of the AS112 project.

Blocking anything except <192.168.0>, <192.168.1> and <192.168.2> would
mean I have to set up blocks on thousands of subnets...

> > c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
> >    where the machine is turned off will cause an anycast to be sent
> >    out and will only be rejected when the request times out.
> >    The default timeout for my (Linux) ping is 3 seconds.

Unknown IP:

----[ command 'time dig +all -x 192.168.0.5' ]--------------------------

; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49770
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.0.168.192.in-addr.arpa.	IN	ANY

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa.	38400	IN	SOA	dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303058100 10800 3600 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:38:27 2011
;; MSG SIZE  rcvd: 116


real	0m0.030s
user	0m0.012s
sys	0m0.000s
------------------------------------------------------------------------

valid hostname where the machine is turned off:

----[ command 'dig ANY +all acc336.private.tamay-dogan.net' ]-----------

; <<>> DiG 9.6-ESV-R4 <<>> ANY +all acc336.private.tamay-dogan.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;acc336.private.tamay-dogan.net.	IN	ANY

;; ANSWER SECTION:
acc336.private.tamay-dogan.net.	14400 IN A	192.168.0.81
acc336.private.tamay-dogan.net.	14400 IN RRSIG	A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. ZlcYlGlrc4Bmy2Ci3CJI3UHGXnKvjuKPdAN7+nw/x7BnDjSTOjA/GkZt nFIXIziuGYgTJFDMR7puAEjMwwfLBZn0unmyxhq9UYP4sSTANN1bUd8I SbC8wBfjgJonTNp9ZZucWxjwTuGyeHYqFoDwCUCYngSH8JQ5Em6zTCvg +3Q=
acc336.private.tamay-dogan.net.	86400 IN NSEC	acc576.private.tamay-dogan.net. A RRSIG NSEC
acc336.private.tamay-dogan.net.	86400 IN RRSIG	NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. IIyjMp2O2iB9xlIUdQ+RXWLs4UVbqkxwTn4sazOcbEpr6AVUe0X78uu8 91htt42wF8A1zcy+WCINisSHA/eF1haIPHQnNH+nfy/rfU6Nan6P9WKV Bt2Ho1x6V6qGOe9Zsxte3WPDPdP6ITsnhf0Q8IFHIgZXoaEsCusiTpcT oBs=

;; AUTHORITY SECTION:
private.tamay-dogan.net. 3600	IN	NS	dns.private.tamay-dogan.net.

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:36:28 2011
;; MSG SIZE  rcvd: 500


real	0m0.028s
user	0m0.004s
sys	0m0.008s
------------------------------------------------------------------------

> Martin

Thanks for your help...

    Michelle Konzack


Re: How to prevent SA to make as112 calls?

Posted by Martin Gregorie <ma...@gregorie.org>.
CORRECTIONS:

> That looks OK. I assume you've configured the server to be authoritative
> for the private.tamay-dogan.net domain, in which case:
> 
> a) requests for unknown host names will be rejected immediately as
>    'unknown'
> 
> b) requests for unknown IPs in outside subnet 0 will be rejected
                                 ^^^^^^^
>    immediately as 'unreachable'
> 
> c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
>    where the machine is turned off will cause an anycast to be sent
>    out and will only be rejected when the request times out.
>    The default timeout for my (Linux) ping is 3 seconds.
> 
Martin



Re: How to prevent SA to make as112 calls?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Thu, 2011-04-28 at 06:29 +0200, Michelle Konzack wrote:
> Hello Martin Gregorie,
> 
> On 2011-04-26 23:59:23, you hacked out the following:
> > Now I'm confused. AFAIK SA doesn't have any connection with AS112
> > lookups as either client or server - unless there's a plugin that hasn't
> > been mentioned on this list since I joined. If I'm wrong about this I
> > expect somebody will speak up and correct me....
> 
I've looked a little more into this and made this note for myself: The
AS112 Project (The Nameservers at the End of the Universe) is intended
to provide a clean, well defined destination for DNS queries concerning
RFC1918 and other DSUA networks. The intention seems to be to intercept
and reply to the anycasts that originate from a local DNS when it is
sent a request for the IP of a valid name that happens to be offline or
outside the private RFC1918 network. The intention is to prevent these
requests from flooding out onto the wider internet.

It's quite easy to see this traffic with Wireshark: just send a request
to your local DNS server for the IP of a host that is either turned off
or has a valid A record but doesn't exist. The DNS realises it's been
sent a valid request that it can't answer, so it slaps an anycast out to
the net asking who recognises this name and/or IP. Running 'ping -c1
hostname' is a good trigger to show this behaviour.

If your router has an AS112 server in it but is still letting anycasts
asking about RFC1918 IPs such as 192.168.x.y or 10.x.y.z out, then it's
either disabled or misconfigured.

> Hmm, there are some enterprises or such which are checking ALL Received:
> headers using spamassassin instead of checking the most recent SMTP relay
> and they are bouncing my messages because I send my messages over my
> intranet server to my SMTP relay
> 
> 192.168.0.91    Workstation
> 192.168.0.69    Intranet Server
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server
> 
> and if I send the mail like
> 
> 192.168.0.91    Workstation
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server
> 
> then it works.  And it is definitively spamassassin which scores my mail
> VERY high, which leads to my messages being rejected.
> 
It sounds like 192.168.0.69 isn't in your trusted_networks list and
should be.
 
> Since not all incoming messages (I use fetchmail) have this as112 problem
>
I also work this way except that I use getmail to read mail from the
POP3 server (my ISP's mailserver). 

I use getmail in place of fetchmail because I got tired of the fetchmail
bug that causes a list of unread messages to build up on the POP3 server
(I configure it to delete all messages at the end of each fetch session
and to ignore messages that have been read). I configure getmail the
same way and don't see any problems with it......

I added the POP3 server to my trusted_networks list to prevent some FPs.
However, the mail redirection server run by my domain host, which
redirects mail to my ISP's mail server, is not on my trusted_networks
list and doesn't need to be. 

> Since the UDP synflood mail claims it comes from 192.168.0.69 requesting
> port 53, it can only be spamassassin, because there are no other tools making
> such requests.
>
Agreed - those are DNS lookups, probably caused by SA querying UBL
lists. Only Wireshark or another TCP packet monitor can tell you that
for sure.
 
> No, because to install an AS112 server you need a BGP router like quagga,
> which I do not have on my GSM connection.
> 
I thought you said there is one in your Vodafone EasyBox? As I asked
above, are you sure that server is configured correctly and enabled? DNS
queries for RFC1918 networks (in your case 10.x.y.z and 192.168.x.y IP
addresses) should never travel out of your network since they have no
meaning outside it.
 
> > I meant just to make sure that all IPs that you consider part of your
> > intranet are in zone files on your internal DNS (192.168.0.74) and to
> 
> I have the full zone here, like:
> 
That looks OK. I assume you've configured the server to be authoritative
for the private.tamay-dogan.net domain, in which case:

a) requests for unknown host names will be rejected immediately as
   'unknown'

b) requests for unknown IPs in subnet 0 will be rejected immediately as
   'unreachable'

c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
   where the machine is turned off will cause an anycast to be sent
   out and will only be rejected when the request times out.
   The default timeout for my (Linux) ping is 3 seconds.

Case C is one where an operating AS112 server in your router should
prevent the anycasts from leaving your intranet and will increase
throughput by eliminating the timeout.

> I do this for exactly the same reason...  OK,  I  have  12  servers  and
> 3 workstations here, but /etc/hosts is no option.
> 
Agreed - I don't think it's an option with more than two hosts on a
network.

> I do not know whether I should do this, because the 10.x.y.z comes  from
> my ISP (Telefonica/O2) and from the view of my network, it is OUTSIDE.
> 
I'm only suggesting that the gateway, 10.165.11.117, should be added to
trusted_networks in the same way that I added my ISP's mail host to my
list. Of course you should monitor for increased spam if you do it,
because I don't understand your network....


Martin




Re: How to prevent SA to make as112 calls?

Posted by Benny Pedersen <me...@junc.org>.
On Thu, 28 Apr 2011 06:29:09 +0200, Michelle Konzack
<li...@tamay-dogan.net> wrote:
 
> 192.168.0.91    Workstation
> 192.168.0.69    Intranet Server
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server

fqdn first, non fqdn host last

127.0.0.1 localhost.localdomain localhost

not as this

127.0.0.1 localhost foo bar

> 192.168.0.91    Workstation
> 78.47.247.21    Mail-Relay
> x.y.z.n         some_other_destination_server
> 
> then it works.  And it is definitively spamassassin which score my  mail
> VERY high which lead to rejecting my messages.

checking if rfc1918 ips are blacklisted on an rbl is a waste of cpu time :)


Re: How to prevent SA to make as112 calls?

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Martin Gregorie,

On 2011-04-26 23:59:23, you hacked out the following:
> Now I'm confused. AFAIK SA doesn't have any connection with AS112
> lookups as either client or server - unless there's a plugin that hasn't
> been mentioned on this list since I joined. If I'm wrong about this I
> expect somebody will speak up and correct me....

Hmm, there are some enterprises or such which are checking ALL Received:
headers using spamassassin instead of checking the most recent SMTP relay
and they are bouncing my messages because I send my messages over my
intranet server to my SMTP relay

192.168.0.91    Workstation
192.168.0.69    Intranet Server
78.47.247.21    Mail-Relay
x.y.z.n         some_other_destination_server

and if I send the mail like

192.168.0.91    Workstation
78.47.247.21    Mail-Relay
x.y.z.n         some_other_destination_server

then it works.  And it is definitively spamassassin which scores my mail
VERY high, which leads to my messages being rejected.

Since not all incoming messages (I use fetchmail) have this as112 problem,
I see that the messages triggering the UDP flooding alert are sent like
my messages from a network with an internal mail server.  So, the UDP
synflood is triggered by

10.a.b.c        some_workstation
10.d.e.f        some_other_sending_server
w.x.y.z         PUBLIC_MAIL_RELAY
78.47.247.21    mail.tamay-dogan.net
        fetchmail
        procmail
        spamassassin
192.168.0.69    Intranet Server

Which means MY spamassassin is trying to resolve something which cannot
be resolved instead of resolving <w.x.y.z> only.

> If SA is involved I'd expect that means that your 'trusted_networks'
> list is missing an entry. Should 10.165.11.117 be included in the
> 'trusted_networks' list?

This does not work, because I get spam originating from private IPs like
in the schematic above.

> Can you look at logs and/or run Wireshark to verify that (a) your system
> is generating AS112 messages and, if it is generating them,

I will check this...

> (b) see
> where they are coming from? If this traffic is due to SA doing UBL
> lookups, Wireshark should soon show that's the case.

Since the UDP synflood mail claims it comes from 192.168.0.69 requesting
port 53, it can only be spamassassin, because there are no other tools making
such requests.  OK, courier-mta is installed too and sends messages, but I
suspect it is courier-mta.

> > Note 1: It was someone who told me it is "as112" flooding
> Does this mean that there may not be an AS112 server anywhere in your
> intranet?

No, because to install an AS112 server you need a BGP router like quagga,
which I do not have on my GSM connection.

> I meant just to make sure that all IPs that you consider part of your
> intranet are in zone files on your internal DNS (192.168.0.74) and to

I have the full zone here, like:

[michelle.konzack@michelle1:~] dig ANY samba3.private.tamay-dogan.net @dns.private.tamay-dogan.net
;; Truncated, retrying in TCP mode.
samba3.private.tamay-dogan.net.	14400 IN A	192.168.0.69
samba3.private.tamay-dogan.net.	14400 IN RRSIG	A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. 232IGPI2+iY4EJxDZ510rClcIw6jJvyq7Bqs7Rf33PeayvcezVbiuRTY cZtJtykajeEj9tFYgnvYRu1gRhBPC7Gky8a5IEx2FbfpoZMdV72bMOoz RLYzghlmVv22PIR5PSZbUwwviktHj2YnDHYxebIYYzsxsK+0u7p2oK5a /EU=
samba3.private.tamay-dogan.net.	14400 IN TXT	"Home\; 17 GByte left"
samba3.private.tamay-dogan.net.	14400 IN RRSIG	TXT 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. hAp4yL08LVy9er1tzu1/FVvepclLBThvo7y77uANPRYj4qW6vn76vwAs relBx+T5abj1l/C/NGXaffZWUMResVRbCIHrnkcpUH4iT4pyDOJregW5 PM90TTxsctrh8gIMMuwYWR2zCcBzcYc41ju1f5cvGoc+XCadoCuNHOOo eMk=
samba3.private.tamay-dogan.net.	86400 IN NSEC	syslog.private.tamay-dogan.net. A TXT RRSIG NSEC
samba3.private.tamay-dogan.net.	86400 IN RRSIG	NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. QDngx6RhADo1rab2/7SSJR9wgdy+eHCZeEWGtbGufQrAI799o0xuxyFs gzcLw8zdTkhXR6n/ySollmXBnuGBkZtiyKMVIPU8WfaxFFDwKajZG/m8 f7gbZfG/XzuzpYQJEOIfvehHE2e9bCzuFfczKa9sws0plf9ZPurrSH9U 3pM=
private.tamay-dogan.net. 3600	IN	NS	dns.private.tamay-dogan.net.
dns.private.tamay-dogan.net. 14400 IN	A	192.168.0.74

[michelle.konzack@michelle1:~] dig ANY -x 192.168.0.69
69.0.168.192.in-addr.arpa. 38400 IN	PTR	samba3.private.tamay-dogan.net.
0.168.192.in-addr.arpa.	38400	IN	NS	dns.private.tamay-dogan.net.
dns.private.tamay-dogan.net. 14400 IN	A	192.168.0.74

as you can see, even DNSSEC is working properly.

> add any that are missing. I do exactly that because I find it easier to
> maintain one zone file on a local DNS than to fiddle with dynamic
> addressing or to maintain /etc/hosts files for the various boxes on my
> fairly small network, not to mention boxes that don't have accessible
> host files, e.g. my SB Touch. 

I do this for exactly the same reason...  OK,  I  have  12  servers  and
3 workstations here, but /etc/hosts is no option.

> However, as changing SA's trusted_networks list is easier to do, I'd try
> that first.

I do not know whether I should do this, because the 10.x.y.z comes  from
my ISP (Telefonica/O2) and from the view of my network, it is OUTSIDE.

> Martin

Thanks, Greetings and nice Day/Evening
    Michelle Konzack


Re: How to prevent SA to make as112 calls?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2011-04-26 at 20:23 +0200, Michelle Konzack wrote:
> This problem started when I switched from DSL to GSM service, where in
> GSM I have an IP <10.x.y.z>.  It seems that spamassassin is confused
> because I have an NS master <private.tamay-dogan.net> and a forwarder, and
> now traffic is not ending in a public dynamic IP but in another private one
> 
Now I'm confused. AFAIK SA doesn't have any connection with AS112
lookups as either client or server - unless there's a plugin that hasn't
been mentioned on this list since I joined. If I'm wrong about this I
expect somebody will speak up and correct me....

If SA is involved I'd expect that means that your 'trusted_networks'
list is missing an entry. Should 10.165.11.117 be included in the
'trusted_networks' list?

Can you look at logs and/or run Wireshark to verify that (a) your system
is generating AS112 messages and, if it is generating them, (b) see
where they are coming from? If this traffic is due to SA doing UBL
lookups, Wireshark should soon show that's the case.

> UMTS:           Verbunden
> Netzbetreiber:  o2 - de
> Signal:         UMTS (Gut)
> WAN IP:         10.165.11.117
> Subnetzmaske:   255.255.255.255
> Gateway:        10.165.11.117
> Primärer DNS:   192.168.0.74
> Sekundärer DNS: 217.47.247.21
> 
> 
> Note 1: It was someone who told me it is "as112" flooding
> 
Does this mean that there may not be an AS112 server anywhere in your
intranet?

> But if I change the two DNS to 0.0.0.0 I will get the ones of my provider,
> which are crap...
> 
I didn't mean that drastic a change! 

I meant just to make sure that all IPs that you consider part of your
intranet are in zone files on your internal DNS (192.168.0.74) and to
add any that are missing. I do exactly that because I find it easier to
maintain one zone file on a local DNS than to fiddle with dynamic
addressing or to maintain /etc/hosts files for the various boxes on my
fairly small network, not to mention boxes that don't have accessible
host files, e.g. my SB Touch. 

However, as changing SA's trusted_networks list is easier to do, I'd try
that first.

Martin




Re: How to prevent SA to make as112 calls?

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Martin Gregorie,

On 2011-04-26 10:44:13, you hacked out the following:
> How is the AS112 server in your Easybox configured? Can you configure it
> to turn your local intranet addresses into local loopbacks?

This problem started when I switched from DSL to GSM service, where in
GSM I have an IP <10.x.y.z>.  It seems that spamassassin is confused
because I have an NS master <private.tamay-dogan.net> and a forwarder, and
now traffic is not ending in a public dynamic IP but in another private one

UMTS:           Verbunden
Netzbetreiber:  o2 - de
Signal:         UMTS (Gut)
WAN IP:         10.165.11.117
Subnetzmaske:   255.255.255.255
Gateway:        10.165.11.117
Primärer DNS:   192.168.0.74
Sekundärer DNS: 217.47.247.21


Note 1: It was someone who told me it is "as112" flooding

Note 2: <192.168.0.69> is the Intranet Server and <192.168.0.74> is
        my private DNS, which currently runs on the same host because
        of a broken server.  Also <192.168.0.74> is the MASTER for my
        <dns1.tamay-dogan.net> plus <dns2> and <dns3>.

> From a quick scan of that website I'd guess that the AS112 server in the
> Easybox has no 'local loopbacks' configured and so is defaulting to
> sending lookups on them to the AS112 project's servers.
> 
> I wonder, too, if you could short-circuit the Easybox AS112 server by
> running your own internal caching DNS server (using bind 8 or 9) and
> configuring it to be authoritative for all valid Intranet addresses.
> There is a suggestion on the AS112 project website that this is a good
> thing to do. 

But if I change the two DNS to 0.0.0.0 I will get the ones of my provider,
which are crap...

> Martin

Thanks, Greetings and nice Day/Evening
    Michelle Konzack


Re: How to prevent SA to make as112 calls?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2011-04-26 at 01:24 +0200, Michelle Konzack wrote:
> Hi *,
> 
> since I have been using a "Vodafone Easybox 803A" I have noticed that SA is
> making several thousand as112¹ calls per day...
> 
> My Intranet uses <192.168.0.*> and <*.private.tamay-dogan.net> and has worked
> correctly for ages, but can someone give me tips on how to stop SA from
> checking private IPs?
> 
> ¹ <http://public.as112.net/>
> 
How is the AS112 server in your Easybox configured? Can you configure it
to turn your local intranet addresses into local loopbacks?

From a quick scan of that website I'd guess that the AS112 server in the
Easybox has no 'local loopbacks' configured and so is defaulting to
sending lookups on them to the AS112 project's servers.

I wonder, too, if you could short-circuit the Easybox AS112 server by
running your own internal caching DNS server (using bind 8 or 9) and
configuring it to be authoritative for all valid Intranet addresses.
There is a suggestion on the AS112 project website that this is a good
thing to do. 

  
Martin



Re: How to prevent SA to make as112 calls?

Posted by Benny Pedersen <me...@junc.org>.
On Tue, 26 Apr 2011 01:24:49 +0200, Michelle Konzack
<li...@tamay-dogan.net> wrote:
 
> since I have been using a "Vodafone Easybox 803A" I have noticed that SA is
> making several thousand as112¹ calls per day...

sa call on mobile phone ?

> My Intranet uses <192.168.0.*> and <*.private.tamay-dogan.net> and has worked
> correctly for ages, but can someone give me tips on how to stop SA from
> checking private IPs?

trusted_networks 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16

i am unsure about ipv6, could test it on my ipv6 host later

> ¹ <http://public.as112.net/>

sa wont care :)

as i read the page you would like to have a local cached dns rbl while testing
emails with spamassassin and still have dial on demand keep it offline ?

if that's the case you need to debug dns to see what triggers online requests,
to have such dns in rsync access lists, so the rbl check does not need online
mode

rndc querylog
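
As an added example (not from the thread, and not SpamAssassin's own code), the Python below checks which relay addresses fall inside a trusted_networks line like the one Benny posted, and walks a relay chain in the order a scanner reads Received: headers (nearest relay first). The trust walk is a simplified model that is an assumption of this example: trust holds until the first relay outside the list, and everything beyond that hop is untrusted. The fc00::/7 ULA entry is added to address the IPv6 question Benny left open; the relay chains are constructed from the schematics in the thread, with 216.239.38.10 (a public address from the router log) standing in for the w.x.y.z placeholder.

```python
"""Added example (not from the thread, not SpamAssassin's implementation):
which relays a trusted_networks line covers, and which untrusted hops carry
private addresses that no lookup could ever resolve usefully."""
import ipaddress

def parse_trusted_networks(line):
    """'trusted_networks 10.0.0.0/8 ...' -> list of ip_network objects.
    Assumption: CIDR entries only (no '!' exclusions or bare prefixes)."""
    key, *nets = line.split()
    if key != "trusted_networks":
        raise ValueError(f"not a trusted_networks line: {line!r}")
    return [ipaddress.ip_network(n, strict=False) for n in nets]

def is_trusted(ip, networks):
    """True when ip lies in any listed network (v4/v6 mismatches are False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

def walk_relays(relays, networks):
    """relays: nearest relay first. Simplified trust walk (an assumption of
    this example): trust holds until the first relay outside the list and
    never resumes. Returns [(ip, 'trusted' | 'untrusted')]."""
    out, trusted = [], True
    for ip in relays:
        if trusted and not is_trusted(ip, networks):
            trusted = False
        out.append((ip, "trusted" if trusted else "untrusted"))
    return out

def untrusted_private(relays, networks):
    """Untrusted hops with RFC1918/ULA addresses: the ones a lookup-based
    check would try to resolve to no purpose (Benny's 'waste of cpu time')."""
    return [ip for ip, label in walk_relays(relays, networks)
            if label == "untrusted" and ipaddress.ip_address(ip).is_private]

BENNY_LINE = "trusted_networks 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"
WITH_ULA = BENNY_LINE + " fc00::/7"   # assumption: ULA entry for the IPv6 question

# Constructed chains, nearest relay first.
OWN_INTRANET = ["192.168.0.69", "192.168.0.91"]            # workstation -> intranet server
INCOMING_VIA_PUBLIC = ["216.239.38.10", "10.1.2.3", "10.4.5.6"]  # public relay, then private hops

if __name__ == "__main__":
    nets = parse_trusted_networks(WITH_ULA)
    print(walk_relays(OWN_INTRANET, nets))
    print(walk_relays(INCOMING_VIA_PUBLIC, nets))
    print("untrusted private hops:", untrusted_private(INCOMING_VIA_PUBLIC, nets))
```

Under this model the 10/8 entry only matters while the walk is still inside your own network: once a public relay such as w.x.y.z has been passed, the private hops behind it stay untrusted no matter what trusted_networks lists, which is the situation in the incoming-spam schematic Michelle described.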