URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Robert Kudyba
I know this has been covered before, e.g., https://lists.gt.net/spamassassin/users/198845/?page=1;mh=-1; & https://lists.gt.net/spamassassin/users/199135 as well as off list at Ubuntu at https://serverfault.com/questions/644707/uribl-blocked-on-ubuntu-14-04-server-with-working-dnsmasq. Here’s what we’re getting on 2 Fedora 25 servers:

host -tTXT test.uribl.com.multi.uribl.com
test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"
[root@storm audit]#

Note the DNS IP is a Google IP and always changes when I run the command.

I just want to make sure I’m not missing something. NetworkManager and network service are running and here you can see dnsmasq running with NM:

NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-05-17 17:07:27 EDT; 17h ago
     Docs: man:NetworkManager(8)
 Main PID: 24310 (NetworkManager)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/NetworkManager.service
           ├─24310 /usr/sbin/NetworkManager --no-daemon
           └─24468 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.free

Some logs to show dnsmasq in use:
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

cat /etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourdomain.edu
nameserver 127.0.0.1

dns=dnsmasq is set in the [main] section of /etc/NetworkManager/NetworkManager.conf

And some digs to show before/after:
dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.google.co.nz. IN A

;; ANSWER SECTION:
www.google.co.nz. 299 IN A 172.217.10.67

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:52:59 EDT 2017
;; MSG SIZE  rcvd: 61

[root@storm audit]# dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53814
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.co.nz. IN A

;; ANSWER SECTION:
www.google.co.nz. 297 IN A 172.217.10.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:53:01 EDT 2017
;; MSG SIZE  rcvd: 61


host -tA 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com has address 127.0.0.1

/etc/dnsmasq.conf
port=0
resolv-file=/etc/resolv.dnsmasq
strict-order
no-dhcp-interface=enp7s0f0
bind-interfaces
listen-address=127.0.0.1,150.108.xx.yy,127.0.1.1
interface=enp7s0f0
domain=ourdomain.ourschool.edu

/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx

 /etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourschool.edu
nameserver 127.0.0.1

Am I missing something?
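The refused answer quoted above already says who URIBL thinks is asking: the "[Your DNS IP: ...]" field is the address that reached uribl.com, and a Google address there means the query left this box and went out through someone else's resolver (the campus servers, which in turn appear to forward to Google). A working lookup of the test name returns an A record with the list bits set; an A answer of 127.0.0.1 is the refusal code that SpamAssassin's URIBL_BLOCKED rule fires on. Note also that the standalone /etc/dnsmasq.conf shown has port=0, which disables that instance's DNS service altogether; the process answering on 127.0.0.1 is the one NetworkManager spawns with --conf-file=/dev/null, which forwards to whatever NetworkManager hands it. The script below is an added example (not part of the post, and not SpamAssassin's code) that decodes the answer and classifies a refusal as "own address over quota" versus "forwarding through a shared resolver". The bit values follow the urirhssub rules for multi.uribl.com in SpamAssassin's 25_uribl.cf (1 BLOCKED, 2 BLACK, 4 GREY, 8 RED) and should be checked against the installed rules; the sample answer is constructed from the one quoted above, and "hostname -I" is assumed to be the Linux hostname(1) option.

```shell
#!/bin/sh
# uribl_forward_check.sh -- added example, not from the thread or from SpamAssassin.
# Decodes a multi.uribl.com answer and says whether URIBL is refusing your
# queries, and if so whether the refusing address is your own (over the free
# quota) or a shared resolver's (you are forwarding).
#
# Bit values follow the urirhssub rules for multi.uribl.com in SpamAssassin's
# 25_uribl.cf (A 1 = BLOCKED, 2 = BLACK, 4 = GREY, 8 = RED); check yours.

# uribl_bits 127.0.0.N -> names of the list bits set in the last octet.
uribl_bits() {
    case "$1" in
        127.0.0.*) ;;
        *) printf 'not-a-uribl-answer\n'; return 1 ;;
    esac
    last=${1##*.}
    names=""
    [ $((last & 1)) -ne 0 ] && names="$names BLOCKED"
    [ $((last & 2)) -ne 0 ] && names="$names BLACK"
    [ $((last & 4)) -ne 0 ] && names="$names GREY"
    [ $((last & 8)) -ne 0 ] && names="$names RED"
    printf '%s\n' "${names# }"
}

# uribl_reported_ip TXT -> the address in "[Your DNS IP: x]" of a refused answer, if any.
uribl_reported_ip() {
    printf '%s\n' "$1" | sed -n 's/.*Your DNS IP: \([^]]*\)\].*/\1/p'
}

# uribl_classify TXT LOCAL_IP... -> ok | blocked-own-ip:IP | blocked-forwarding:IP
# Exit status 0, 2 or 3 respectively, so cron or a monitoring check can branch on it.
uribl_classify() {
    txt=$1
    shift
    reported=$(uribl_reported_ip "$txt")
    if [ -z "$reported" ]; then
        printf 'ok\n'
        return 0
    fi
    for ip in "$@"; do
        if [ "$ip" = "$reported" ]; then
            printf 'blocked-own-ip:%s\n' "$reported"
            return 2
        fi
    done
    printf 'blocked-forwarding:%s\n' "$reported"
    return 3
}

# Live check (needs network; not exercised offline): query the URIBL test name
# through whatever /etc/resolv.conf points at and compare the reported querying
# address with this host's own. "hostname -I" is Linux hostname(1); assumed present.
uribl_live_check() {
    a=$(host -t A test.uribl.com.multi.uribl.com 2>/dev/null | sed -n 's/.*has address //p')
    [ -n "$a" ] && printf 'A answer %s -> %s\n' "$a" "$(uribl_bits "$a")"
    txt=$(host -t TXT test.uribl.com.multi.uribl.com 2>/dev/null)
    uribl_classify "$txt" $(hostname -I 2>/dev/null)
}

# Constructed sample in the shape of the refused answer quoted in the post above.
SAMPLE_REFUSED='test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"'

if [ "${1:-}" = "live" ]; then
    uribl_live_check
fi
```

Run it as "sh uribl_forward_check.sh live" on the mail server. "blocked-forwarding:<ip>" with an address you do not own is this thread's situation; "blocked-own-ip:<ip>" means the queries do arrive from your own resolver and you are over URIBL's free-use quota, which is a different conversation (with URIBL, or about a data feed).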

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Robert Kudyba

> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>> you are forwarding to some other nameserver and you are not the only one

But the nameserver I’m forwarding to is in our university.

> /etc/resolv.dnsmasq
> search subdomain.ourschool.edu ourschool.edu
> nameserver 150.108.x.yy
> nameserver 150.108.y.xx
>
> seriously - what do you think happens?
> you and everybody else on planet earth using 150.xx.xx.xx are coming with the same IP to the DNSBL/URIBL hosts

Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the instructions at https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver which BTW has a broken link to instructions.


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
In reply to this post by Robert Kudyba
From: Robert Kudyba <[hidden email]>

>host -tTXT test.uribl.com.multi.uribl.com
>test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See
> http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"

>Some logs to show dnsmasq in use:
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

You can't use dnsmasq since it only forwards to other DNS servers.  You need to
use unbound, BIND, or my favorite PowerDNS recursor so that your server does
its own full recursive DNS lookups and doesn't rely on any other servers.  When
you rely on other DNS servers, then your DNS queries will be combined with all
of the other queries pushing you over the URIBL free usages limit.

Dave


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
In reply to this post by Robert Kudyba
From: Robert Kudyba <[hidden email]>

>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>> you are forwarding to some other nameserver and you are not the only one

>But the nameserver I’m forwarding to is in our university.

Your server needs to do its own full recursive DNS lookups.

>> /etc/resolv.dnsmasq
>> search subdomain.ourschool.edu ourschool.edu
>> nameserver 150.108.x.yy
>> nameserver 150.108.y.xx
>>
>> seriously - what do you think happens?
>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>the same IP to the DNSBL/URIBL hosts

He's being rude but he's right.  You can't guarantee that all of the other DNS
queries being made through your university DNS servers aren't going over the
free limit on the URIBL DNS servers.

>Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the
>instructions at  https://wiki.apache.org/spamassassin/CachingNameserver#
> Installing_dnsmasq_as_a_Caching_Nameserver which BTW has a broken
>link to instructions.

I will fix this wiki page now...

Dave

   

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Robert Kudyba

On May 18, 2017, at 4:41 PM, David Jones <[hidden email]> wrote:

> From: Robert Kudyba <[hidden email]>
>
>>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>>> you are forwarding to some other nameserver and you are not the only one
>
>> But the nameserver I’m forwarding to is in our university.
>
> Your server needs to do its own full recursive DNS lookups.

So dnsmasq is no longer an option?

>>> /etc/resolv.dnsmasq
>>> search subdomain.ourschool.edu ourschool.edu
>>> nameserver 150.108.x.yy
>>> nameserver 150.108.y.xx
>>>
>>> seriously - what do you think happens?
>>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>>> the same IP to the DNSBL/URIBL hosts
>
> He's being rude but he's right.  You can't guarantee that all of the other DNS
> queries being made through your university DNS servers aren't going over the
> free limit on the URIBL DNS servers.
>
>> Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the
>> instructions at https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
>> which BTW has a broken link to instructions.
>
> I will fix this wiki page now…

I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS & ypbind. One runs NetworkManager and the other just the network service. I guess I’m looking for the best recommendation and easy configuration without conflicts. The link to http://njabl.org/rsync.html is broken at the moment.


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Robert Kudyba


On May 18, 2017 5:11 PM, "Reindl Harald" <[hidden email]> wrote:

> Am 18.05.2017 um 23:05 schrieb Robert Kudyba:
>
>> On May 18, 2017, at 4:41 PM, David Jones <[hidden email] <mailto:[hidden email]>> wrote:
>>
>>> From: Robert Kudyba <[hidden email] <mailto:[hidden email]>>
>>>
>>>>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>>>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>>>>> you are forwarding to some other nameserver and you are not the only one
>>>
>>>> But the nameserver I’m forwarding to is in our university.
>>>
>>> Your server needs to do its own full recursive DNS lookups.
>>
>> So dnsmasq is no longer an option?
>
> it was never - no dns software which needs another nameserver for its job is suitable on an inbound spamfilter
>
>>> I will fix this wiki page now…
>>
>> I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS & ypbind. One runs NetworkManager and the other just the network service. I guess I’m looking for the best recommendation and easy configuration without conflicts. The link to http://njabl.org/rsync.html is broken at the moment
>
> rbldnsd is a completely different thing and supposed to host your *own* dnsbl zones
>
> what you need is a *basic* nameserver just doing recursion and tell your mailserver just use it
>
> * get rid of other crap
> * dnf install unbound
> * systemctl enable unbound
> * systemctl start unbound
> * just use your unbound on 127.0.0.1

It looks like I'll have to
  • Add the following line into /etc/NetworkManager/NetworkManager.conf
    dns=unbound

> or ask the idiot maintaining "I'm forwarding to is in our university" why he is forwarding queries outside your university to google instead of doing recursion

Probably because the university uses gmail. Our department does not.
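The unbound setup Reindl recommends, written out as an added example (not from the thread and not the unbound project's own file): directive names are from unbound.conf(5); the cache sizes, thread count and the trust-anchor path (Fedora's packaged default, as I understand it) are assumptions. The point is what is absent: there is no forward-zone, so every lookup recurses from the root and reaches URIBL from this host's own address. The dnsmasq configuration earlier in the thread, with resolv-file pointing at the campus resolvers, is the weak form this replaces.

```conf
# /etc/unbound/unbound.conf  (added example; not the thread's or unbound's file.
# Directive names are from unbound.conf(5); cache sizes, thread count and the
# Fedora trust-anchor path are assumptions.)
server:
    # Loopback only: the MTA and SpamAssassin on this host are the only clients.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # A cache sized for a mail filter: DNSBL answers are many and short-lived.
    num-threads: 2
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes

    # DNSSEC validation; root.key is where Fedora's unbound package keeps the anchor (assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes

# Deliberately absent: any forward-zone.  The weak form, which recreates the
# shared-source-address problem from this thread, would look like this and
# must NOT appear anywhere in the configuration:
#
# forward-zone:
#     name: "."
#     forward-addr: 150.108.x.yy
#     forward-addr: 8.8.8.8

# /etc/NetworkManager/NetworkManager.conf: take resolv.conf away from
# NetworkManager's dnsmasq.  dns=none leaves the file for you to write;
# dns=unbound (Fedora's dnssec-trigger integration) is the alternative.
# [main]
# dns=none

# /etc/resolv.conf
# nameserver 127.0.0.1
```

On a Fedora 25 host the dns=dnsmasq line in [main] has to go first, or NetworkManager keeps spawning its own dnsmasq on 127.0.0.1:53 and unbound cannot bind the port. After "unbound-checkconf" and "systemctl restart unbound", "dig +short test.uribl.com.multi.uribl.com @127.0.0.1" should no longer come back as 127.0.0.1, and if URIBL still refuses, the TXT answer should now name this host's own address.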


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

John Hardin
In reply to this post by Robert Kudyba
On Thu, 18 May 2017, Robert Kudyba wrote:

>
>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>> you are forwarding to some other nameserver and you are not the only one
>
> But the nameserver I’m forwarding to is in our university.
>
>> /etc/resolv.dnsmasq
>> search subdomain.ourschool.edu ourschool.edu
>> nameserver 150.108.x.yy
>> nameserver 150.108.y.xx
>>
>> seriously - what do you think happens?
>> you and everybody else on planet earth using 150.xx.xx.xx are coming with the same IP to the DNSBL/URIBL hosts
>
> Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just
> following the instructions at
> https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver 
> which BTW has a broken link to instructions.
I think this part of the wiki page may not be stressed strongly enough:



Non-forwarding

If you have a large ISP or are using large public DNS provider(s) it is
recommended you not forward mail-related DNS traffic through their DNS
servers (though non-mail DNS traffic from your site shouldn't have
problems.) With bind, this means not having any "forwarders" listed. Or,
at a minimum, you could create exemptions by defining empty forwarders for
DNSBL zones, like this:

/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If you are "fighting for social justice," then you are defining
   yourself as someone who considers regular old everyday
   *equal* justice to be something you don't want.       -- GOF at TSM
-----------------------------------------------------------------------
  49 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
From: John Hardin <[hidden email]>

>I think this part of the wiki page may not be stressed strongly enough:

>Non-forwarding

>If you have a large ISP or are using large public DNS provider(s) it is
>recommended you not forward mail-related DNS traffic through their DNS
>servers (though non-mail DNS traffic from your site shouldn't have
>problems.) With bind, this means not having any "forwarders" listed. Or,
>at a minimum, you could create exemptions by defining empty forwarders for
>DNSBL zones, like this:

https://wiki.apache.org/spamassassin/CachingNameserver

I just simplified that page quite a bit.  It needs a little more work on it but it
should be pretty clear now to not use a forwarding DNS server locally and do
not point the server to another DNS server in /etc/resolv.conf.

Dave

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Bill Cole
In reply to this post by Robert Kudyba
On 18 May 2017, at 17:05, Robert Kudyba wrote:

>> On May 18, 2017, at 4:41 PM, David Jones <[hidden email]> wrote:
>>
>>> From: Robert Kudyba <[hidden email]>
>>
>>>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT
>>>>> CAN'T
>>>>> you are forwarding to some other nameserver and you are not the
>>>>> only one
>>
>>> But the nameserver I’m forwarding to is in our university.
>>
>> Your server needs to do its own full recursive DNS lookups.
>
> So dnsmasq is no longer an option?

It never was a reasonable option for anything more than a toy mail
server on a network with real recursers that aren't shared by mail
servers doing significant volume.

If you want a mail server to perform decently while using all the modern
tools for fraud & spam detection (DNSBLs, SPF, DKIM, DMARC, DANE,
requiring FCrDNS with a non-generic name, etc.) you need a fully
recursive (never-forwarding) DNS resolver with a sizable cache on the
same machine or at worst the same physical LAN. A substantial fraction
of the time it takes to accept or reject a piece of mail is spent
waiting for DNS replies, especially if you are relying on a cache that
is on the other side of a router.

>>>> /etc/resolv.dnsmasq
>>>> search subdomain.ourschool.edu ourschool.edu
>>>> nameserver 150.108.x.yy
>>>> nameserver 150.108.y.xx

Tangent: You do know that your email address and a complete Received trail
are in your mail, right? Not much point in obfuscation...

>>> Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just
>>> following the
>>> instructions at  
>>> https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
>>> which BTW has a broken
>>> link to instructions.

Evidence that the wiki does not see a lot of maintenance. There's a LOT
of staleness there.


> I see there’s rbldnsd.

ONLY if you have a way to get full copies of the zones you want, because
rbldnsd is ONLY authoritative. It is useful if you're paying for a
subscription to a DNSBL provider like Spamhaus, but it's NOT a
general-purpose resolver.

> On Fedora and one of our 2 servers, we run NIS & ypbind. One runs
> NetworkManager and the other just the network service. I guess I’m
> looking for the best recommendation and easy configuration without
> conflicts.

IMHO NetworkMangler doesn't belong on ANY server, but that's a rant for
elsewhere...

Unbound is by far my favorite for pure simple caching fully-recursive
resolvers. I use BIND as well, but only where I need complex rigs that I
have not yet tried to implement with Unbound.

> The link to http://njabl.org/rsync.html
> is broken at the moment.

It shall remain so until such time as it is removed, as NJABL is long
dead.

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Martin Gregorie-2
In reply to this post by David Jones
On Thu, 2017-05-18 at 21:46 +0000, David Jones wrote:

> > From: John Hardin <[hidden email]>
> > I think this part of the wiki page may not be stressed strongly
> > enough:
> > Non-forwarding
> > If you have a large ISP or are using large public DNS provider(s)
> > it is 
> > recommended you not forward mail-related DNS traffic through their
> > DNS 
> > servers (though non-mail DNS traffic from your site shouldn't have 
> > problems.) With bind, this means not having any "forwarders"
> > listed. Or, 
> > at a minimum, you could create exemptions by defining empty
> > forwarders for 
> > DNSBL zones, like this:
>
> https://wiki.apache.org/spamassassin/CachingNameserver
>
> I just simplified that page quite a bit.  It needs a little more work
> on it but it
> should be pretty clear now to not use a forwarding DNS server locally
> and do
> not point the server to another DNS server in /etc/resolv.conf.
>
Minor correction: The Bind for RedHat section of the page needs changes
to bring it into line with the unbound instructions.

For Fedora you'd use: 

dnf install bind
systemctl enable bind
systemctl start bind

Can't comment about RHEL/CentOS


Martin


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Rob McEwen
In reply to this post by David Jones
On 5/18/2017 5:46 PM, David Jones wrote:
> it should be pretty clear now to not use a forwarding DNS server locally and
> do not point the server to another DNS server in /etc/resolv.conf.

Thanks David!

Some may be interested to know at least 15% of my entire labor
"overhead" for running invaluement - involves playing "whack a mole" (so
to speak) with both testers and existing subscribers - whose DNS
settings CONSTANTLY revert back to sending direct queries to invaluement
via Google and/or OpenDNS - which are then blocked - even as the
instructions were extremely clear about how/why not to do it that way.

In many cases, they explain to me that their settings got
auto-overwritten by their hoster - who just HAD to switch their
resolv.conf file back to 8.8.8.8

In some rare worst case scenarios - I have to "fire the customer", due
to many repeated incidents where the labor involved in constantly
babysitting their settings - was no longer worth their subscription payment.

And unfortunately there is just basically a very sizable portion of IT
professionals in the entire world... probably hundreds of thousands of
IT people - who have been convinced that pointing all DNS to 8.8.8.8 is
standard operating procedure that they think is always the best way.

For me, it feels like annoying busy work. Imagine that for at least one
hour out of your day - you have to stop what you're doing and dig a hole
in your back yard - and then fill it back in.

So I'm grateful every time I see a thread like this that pushes back
against that, and encourages others to run industry standard
non-forwarding caching DNS servers.

THANKS!

--
Rob McEwen
http://www.invaluement.com



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Matus UHLAR - fantomas
In reply to this post by John Hardin
On 18.05.17 17:05, Robert Kudyba wrote:
> The link to http://njabl.org/rsync.html is broken at the moment.

njabl.org has been dead for four (4) years

On 18.05.17 14:39, John Hardin wrote:
>I think this part of the wiki page may not be stressed strongly enough:
[...]
>/* Disable forwarding for DNSBL queries */
[...]
>zone "combined.njabl.org" { type forward; forward first; forwarders {}; };

see above

>zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };

rfc-ignorant.org has been dead for years.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
From: Matus UHLAR - fantomas <[hidden email]>
   
>On 18.05.17 17:05, Robert Kudyba wrote:
>> The link to http://njabl.org/rsync.html is broken at the moment.

>njabl.org has been dead for four (4) years

>On 18.05.17 14:39, John Hardin wrote:
>>I think this part of the wiki page may not be stressed strongly enough:
>[...]
>>/* Disable forwarding for DNSBL queries */
>[...]
>>zone "combined.njabl.org" { type forward; forward first; forwarders {}; };

>see above

>>zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };

>rfc-ignorant.org has been dead for years.

Wiki page updated and simplified.  

https://wiki.apache.org/spamassassin/CachingNameserver

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Robert Kudyba
For Fedora, since NetworkMangler (as many are fond to call it) is enabled by default, it might be worthwhile to mention this comment (but note that /etc/resolv.conf will then be managed by the dnssec-trigger daemon): https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_to_get_Unbound_and_dnssec-trigger_running
"If you use NetworkManager, configure it to use unbound. Add the following line into /etc/NetworkManager/NetworkManager.conf
dns=unbound"


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

John Hardin
In reply to this post by Rob McEwen
On Thu, 18 May 2017, Rob McEwen wrote:

> In many cases, they explain to me that their settings got auto-overwritten by
> their hoster - who just HAD to switch their resolv.conf file back to 8.8.8.8

cron. job.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
  50 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David B Funk
On Fri, 19 May 2017, John Hardin wrote:

> On Thu, 18 May 2017, Rob McEwen wrote:
>
>> In many cases, they explain to me that their settings got auto-overwritten
>> by their hoster - who just HAD to switch their resolv.conf file back to
>> 8.8.8.8
>
> cron. job.

Wouldn't the SA config parameter "dns_server" override what's in the
resolv.conf, or doesn't that work for RBL queries?

EG, set:
   dns_server 127.0.0.1

in your local.cf file and don't worry about what's in the resolv.conf


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
In reply to this post by Robert Kudyba
From: Robert Kudyba <[hidden email]>

>> Wiki page updated and simplified.

>> https://wiki.apache.org/spamassassin/CachingNameserver 

>For Fedora, since NetworkMangler (as many are fond to call it) is enabled
>by default it might be worthwhile to mention this comment at, but note that
>/etc/resolv.conf will be managed by dnssec-trigger daemon:
>https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
>#How_to_get_Unbound_and_dnssec-trigger_running

>"If you use NetworkManager, configure it to use unbound. Add the
>following line into /etc/NetworkManager/NetworkManager.conf
>dns=unbound"

The wiki says to search for details in other online articles like that link.
I would prefer not to try to keep up with every little detail like this on
this wiki page since it seems to only get updated every 3 years.  In fact,
I was already thinking about removing any detail and just mention the
DNS servers so there are no details to become invalid in a year or two
like the reference to njabl.org.

Would it be beneficial to add a local.cf config option to allow SA to
specify a different DNS server rather than what the OS is using in
/etc/resolv.conf?

Dave
     

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Kris Deugau
David Jones wrote:
> Would it be beneficial to add a local.cf config option to allow SA to
> specify a different DNS server rather than what the OS is using in
> /etc/resolv.conf?

IIRC it does, and a quick scan of the Mail::SpamAssassin::Conf man page
turned up:

        dns_server ip-addr-port  (default: entries provided by Net::DNS)
            Specifies an IP address of a DNS server, and optionally its
            port number.  The dns_server directive may be specified
            multiple times, each entry adding to a list of available
            resolving name servers. The ip-addr-port argument can either
            be an IPv4 or IPv6 address, optionally enclosed in brackets,
            and optionally followed by a colon and a port number. In
            absence of a port number a standard port number 53 is
            assumed. When an IPv6 address is specified along with a port
            number, the address must be enclosed in brackets to avoid
            parsing ambiguity regarding a colon separator. A scoped
            link-local IP address is allowed (assuming underlying
            modules allow it).

            Examples :
             dns_server 127.0.0.1
             dns_server 127.0.0.1:53
             dns_server [127.0.0.1]:53
             dns_server [::1]:53
             dns_server fe80::1%lo0
             dns_server [fe80::1%lo0]:53

            In absence of dns_server directives, the list of name
            servers is provided by Net::DNS module, which typically
            obtains the list from /etc/resolv.conf, but this may be
            platform dependent. Please consult the Net::DNS::Resolver
            documentation for details.

-kgd

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

David Jones
In reply to this post by David Jones
>Would it be beneficial to add a local.cf config option to allow SA to
>specify a different DNS server rather than what the OS is using in
>/etc/resolv.conf?

Nevermind.  David Funk just posted about "dns_server" that I wasn't
able to find earlier.  Seems like setting that would be the best option
for those where the /etc/resolv.conf is being managed.

I will update the wiki page with this config option.

Dave
         

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

Kevin A. McGrail-2
In reply to this post by David Jones
On 5/19/2017 1:59 PM, David Jones wrote:
> Would it be beneficial to add a local.cf config option to allow SA to
> specify a different DNS server rather than what the OS is using in
> /etc/resolv.conf?

I believe there is also an idea in bugzilla to specify this on a per RBL
basis.  I can't find it but I know this issue crops up from time to time.

Regards,
KAM