[Rspamd-Users] Newbie: What does this log message mean?

Gerben Wierda gerben.wierda at rna.nl
Mon Dec 23 12:53:02 UTC 2019


On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
> 
> On 05/11/2019 12:53, Gerben Wierda wrote:
>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>> 
>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>> 
>> So, some config problem with rspamd, apparently. But what really caught my eye was
>> 
>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>> 
>> But these domains are not resolvable:
>> 
>> albus:~ sysbh$ nslookup multi.uribl.com
>> Server:		192.168.2.66
>> Address:	192.168.2.66#53
>> 
>> Non-authoritative answer:
>> *** Can't find multi.uribl.com: No answer
>> 
>> albus:~ sysbh$ nslookup dwl.dnswl.org
>> Server:		192.168.2.66
>> Address:	192.168.2.66#53
>> 
>> Non-authoritative answer:
>> *** Can't find dwl.dnswl.org: No answer
>> 
>> So, why is rspamd reporting this? What does it mean?
> 
> If you have Unbound set up on the same machine, add this:
> 
> # local.d/options.inc
> dns {
>   nameserver = ["127.0.0.1"];
> }
> 
> Good luck,
> Reio

Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS:

search rna.nl
nameserver 192.168.2.66
nameserver 192.168.2.67
nameserver 8.8.8.8

Gerben

