[Rspamd-Users] Local DNS requirements for rspamd? Was: Newbie: What does this log message mean?

Hans van Eijsden Photography info at hansvaneijsden.nl
Sat Dec 28 18:11:16 UTC 2019


Hi Gerben,

Yes, the forwarding to public DNS in general.
Just let unbound query the root DNS servers, like it does as default. Eventually you can set up unbound on a different port (I use port 5353) and point rspamd to that port.

My unbound config:

=======

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
port: 5353
prefetch: yes
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
so-reuseport: yes
statistics-interval: 0
statistics-cumulative: no
extended-statistics: yes
#forward-zone:
#    name: "."
#    forward-addr: 1.1.1.1
#    forward-addr: 1.0.0.1
python:
remote-control:
    control-enable: yes
server: 
    qname-minimisation: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

=======

So, no forward zone specified. 


Best regards / Met vriendelijke groet,

 <https://www.hansvaneijsden.com/>
Hans van Eijsden / Pro Photographer & Retoucher

Hans van Eijsden Photography 
Staatssecretarislaan 232 
8015 DB Zwolle, The Netherlands 
+31 (0)38 23 00 648 

KvK-nr.: 62551396 
Btw-nr.: NL 1820 26 164 B01 
IBAN: NL20 SNSB 0908 9490 65 
www.hansvaneijsden.com <https://www.hansvaneijsden.com/>
  <https://twitter.com/hansvaneijsden>   <https://www.facebook.com/hansvaneijsdenphotography/>   <https://plus.google.com/+HansvanEijsdenNL>   <http://www.linkedin.com/in/hansvaneijsden>   <http://instagram.com/hansvaneijsden>   <skype:hansheino?call>   <https://www.youtube.com/user/hansvaneijsden>   <https://www.flickr.com/hansvaneijsden/>   <https://500px.com/hansvaneijsden>   <https://pinterest.com/hansvaneijsden/>
Sent from my iPhone


> Op 28 dec. 2019, om 18:13 heeft Gerben Wierda <gerben.wierda at rna.nl> het volgende geschreven:
> 
>> On 24 Dec 2019, at 11:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>> 
>> On 23.12.2019 14:53, Gerben Wierda wrote:
>>> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com <mailto:users at lists.rspamd.com>> wrote:
>>>> 
>>>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>>>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>>>>> 
>>>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com <http://multi.uribl.com> (127.0.0.1 returned), possibly due to high volume
>>>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org <http://dwl.dnswl.org> while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org <http://dwl.dnswl.org>'(likely DNS spoofing or BL internal issues)
>>>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com <http://www.openphish.com>, next check at Sun, 03 Nov 2019 15:25:00 GMT
>>>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com <http://www.openphish.com>, next check at Sun, 03 Nov 2019 15:31:25 GMT
>>>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org <http://dwl.dnswl.org> while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org <http://dwl.dnswl.org>'(likely DNS spoofing or BL internal issues)
>>>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com <http://multi.uribl.com> (127.0.0.1 returned), possibly due to high volume
>>>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com <http://www.openphish.com>, next check at Sun, 03 Nov 2019 15:36:27 GMT
>>>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org <http://dwl.dnswl.org> after 2619.0 seconds of downtime, total downtime: 2619.0
>>>>> 
>>>>> So, some config problem with rspamd, apparently. But what really caught my eye was
>>>>> 
>>>>> when querying for '1.0.0.127.dwl.dnswl.org <http://dwl.dnswl.org>'(likely DNS spoofing or BL internal issues)
>>>>> 
>>>>> But these domains are not resolvable:
>>>>> 
>>>>> albus:~ sysbh$ nslookup multi.uribl.com <http://multi.uribl.com>
>>>>> Server:192.168.2.66
>>>>> Address:192.168.2.66#53
>>>>> 
>>>>> Non-authoritative answer:
>>>>> *** Can't find multi.uribl.com <http://multi.uribl.com>: No answer
>>>>> 
>>>>> albus:~ sysbh$ nslookup dwl.dnswl.org <http://dwl.dnswl.org>
>>>>> Server:192.168.2.66
>>>>> Address:192.168.2.66#53
>>>>> 
>>>>> Non-authoritative answer:
>>>>> *** Can't find dwl.dnswl.org <http://dwl.dnswl.org>: No answer
>>>>> 
>>>>> So, why is rspamd reporting this? What does it mean?
>>>> 
>>>> If you have Unbound set up on the same machine, add this:
>>>> 
>>>> # local.d/options.inc
>>>> dns {
>>>>  nameserver = ["127.0.0.1"];
>>>> }
>>>> 
>>>> Good luck,
>>>> Reio
>>> 
>>> Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS
>>> 
>>> search rna.nl <http://rna.nl>
>>> nameserver 192.168.2.66
>>> nameserver 192.168.2.67
>>> nameserver 8.8.8.8
>> 
>> You started with: " I was busy installing rspamd on a machine where I have unbound set up."
>> 
>> Assuming you have unbound set up locally, you need to let Rspamd know about it by setting the local nameserver in options.inc.
> 
> This doesn’t fix my issue, I think I do not fully understand what is going on. Just that rspamd really needs some specifics in terms of DNS and I’m apparently not providing that.
> 
> So with this
> 
> dns {
>    nameserver = "127.0.0.1";
> }
> 
> in local.d/options.inc, I get on reload:
> 
> 2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
> 2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
> 
> My unbound config says:
> forward-zone: 
>        name: "."
>        # Quad9 phishing/malware site blocking DNS 9.9.9.9
>        forward-addr: 9.9.9.9
>        # Quad9 2nd DNS
>        forward-addr: 149.112.112.112
>        # Fallback if Quad9 is out: Google:
>        # forward-addr: 8.8.4.4
> 
> There is something in my DNS setup that rspamd doesn’t like, but what is it? The forwarding to public DNS in general?
> 
> Thanks,
> 
> Gerben Wierda
> Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
> Mastering ArchiMate <http://masteringarchimate.com/>
> Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
> On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
> 
> -- 
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
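The behaviour behind those "monitored" log lines, as an added illustration that is not rspamd's code and not part of the original message: a simulated version of the DNSBL health probe (random label under the zone, NXDOMAIN expected) run through two constructed fake resolvers, one answering like a forwarder to a shared public DNS service and one like a full recursive unbound with no forward-zone. The Resolver callable, the fake resolvers and their answer values are assumptions built for this example.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# A resolver is modelled as a callable: qname -> (rcode, list of A records).
# Constructed abstraction for this example; a real check would wrap a DNS library.
Resolver = Callable[[str], Tuple[str, List[str]]]

# Answer some DNSBLs return, instead of refusing, when the querying resolver is a
# shared public one that exceeds their free-use volume (the "127.0.0.1 returned" line).
BLOCKED_ANSWER = "127.0.0.1"

def random_probe_name(zone: str) -> str:
    """Random label under the zone; a healthy list must answer NXDOMAIN for it."""
    return f"{secrets.token_urlsafe(21)}.{zone}"

def probe_dnsbl(zone: str, resolve: Resolver) -> str:
    """Classify a DNSBL zone as seen through `resolve`, mirroring the states behind
    rspamd's 'monitored' log lines: 'ok', 'blocked', 'spoofed' or 'error'."""
    rcode, answers = resolve(random_probe_name(zone))
    if rcode == "NXDOMAIN":
        return "ok"          # "no records with this name", as expected
    if rcode != "NOERROR":
        return "error"       # SERVFAIL / timeout: list treated as unreachable
    if BLOCKED_ANSWER in answers:
        return "blocked"     # "DNS query blocked ... (127.0.0.1 returned)"
    return "spoofed"         # "'no error' ... while 'no records with this name' was expected"

# Constructed fake resolvers representing the two setups discussed in the thread.
def forwarding_resolver(qname: str) -> Tuple[str, List[str]]:
    """unbound forwarding to a public DNS service: the lists see the forwarder's
    shared address, not yours, and answer as in the quoted log."""
    if qname.endswith(".multi.uribl.com"):
        return "NOERROR", [BLOCKED_ANSWER]
    if qname.endswith(".dwl.dnswl.org"):
        return "NOERROR", ["127.0.0.255"]   # constructed sample reply, not a real listing code
    return "NXDOMAIN", []

def recursive_resolver(qname: str) -> Tuple[str, List[str]]:
    """unbound with no forward-zone, asking the root servers itself: queries
    arrive from your own IP and a nonexistent name gets a proper NXDOMAIN."""
    return "NXDOMAIN", []

def report(resolve: Resolver, zones=("multi.uribl.com", "dwl.dnswl.org")) -> Dict[str, str]:
    """Probe every zone through the given resolver and return zone -> state."""
    return {zone: probe_dnsbl(zone, resolve) for zone in zones}

if __name__ == "__main__":
    for label, resolver in (("forwarding", forwarding_resolver), ("recursive", recursive_resolver)):
        print(label, report(resolver))
```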