[Rspamd-Users] Local DNS requirements for rspamd? Was: Newbie: What does this log message mean?

Gerben Wierda gerben.wierda at rna.nl
Sat Dec 28 17:13:21 UTC 2019


> On 24 Dec 2019, at 11:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
> 
> On 23.12.2019 14:53, Gerben Wierda wrote:
>> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>> 
>>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>>>> 
>>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
>>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
>>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
>>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>>>> 
>>>> So, some config problem with rspamd, apparently. But what really caught my eye was
>>>> 
>>>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>> 
>>>> But these domains are not resolvable:
>>>> 
>>>> albus:~ sysbh$ nslookup multi.uribl.com
>>>> Server:		192.168.2.66
>>>> Address:	192.168.2.66#53
>>>> 
>>>> Non-authoritative answer:
>>>> *** Can't find multi.uribl.com: No answer
>>>> 
>>>> albus:~ sysbh$ nslookup dwl.dnswl.org
>>>> Server:		192.168.2.66
>>>> Address:	192.168.2.66#53
>>>> 
>>>> Non-authoritative answer:
>>>> *** Can't find dwl.dnswl.org: No answer
>>>> 
>>>> So, why is rspamd reporting this? What does it mean?
>>> 
>>> If you have Unbound set up on the same machine, add this:
>>> 
>>> # local.d/options.inc
>>> dns {
>>>   nameserver = ["127.0.0.1"];
>>> }
>>> 
>>> Good luck,
>>> Reio
>> 
>> Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS
>> 
>> search rna.nl
>> nameserver 192.168.2.66
>> nameserver 192.168.2.67
>> nameserver 8.8.8.8
> 
> You started with: " I was busy installing rspamd on a machine where I have unbound set up."
> 
> Assuming you have unbound set up locally, you need to let Rspamd know about it by setting the local nameserver in options.inc.

This doesn’t fix my issue; I think I do not fully understand what is going on, just that rspamd really needs some specifics in terms of DNS and I’m apparently not providing that.

So with this

dns {
    nameserver = "127.0.0.1";
}

in local.d/options.inc, I get on reload:

2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)

My unbound config says:
forward-zone: 
        name: "."
        # Quad9 phishing/malware site blocking DNS 9.9.9.9
        forward-addr: 9.9.9.9
        # Quad9 2nd DNS
        forward-addr: 149.112.112.112
        # Fallback if Quad9 is out: Google:
        # forward-addr: 8.8.4.4

There is something in my DNS setup that rspamd doesn’t like, but what is it? The forwarding to public DNS in general?

Thanks,

Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
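As an added diagnostic (not from this thread and not rspamd's own code), the script below sends the same kind of question rspamd's "monitored" check asks a blocklist, using only the standard library, and judges the reply the way the log lines above do: 127.0.0.1 in the answer means the list refused the resolver, a NOERROR reply where NXDOMAIN was expected is the "likely DNS spoofing" case. Function names, the 3-second timeout and the test bytes are my assumptions; the resolver addresses and probe name are the ones in the thread.

```python
import random, socket, struct

def build_query(qname, txid):
    """Build a DNS A/IN query for qname (RD set) with transaction id txid."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, name ends here
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_reply(msg):
    """Return (rcode, list of A-record IPs) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F          # 0 = NOERROR, 3 = NXDOMAIN
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, ips

def judge(rcode, ips, expect_nxdomain):
    """Verdict rspamd's monitored check would log for this reply (assumed mapping)."""
    if "127.0.0.1" in ips:
        return "blocked: the list refused this resolver (127.0.0.1 returned)"
    if expect_nxdomain and rcode != 3:
        return "suspicious: answer where NXDOMAIN was expected (spoofing or filtering)"
    return "ok"

def probe(resolver, qname, expect_nxdomain, timeout=3.0):
    """Send one UDP query to resolver (an IP string) and judge its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, random.randrange(0x10000)), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return judge(*parse_reply(data), expect_nxdomain)
```

Running `probe("127.0.0.1", "1.0.0.127.dwl.dnswl.org", True)` asks the local unbound the question from the log; repeating it against `9.9.9.9` shows whether the forwarder returns the same answer, which separates an unbound problem from an upstream one.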
