[Rspamd-Users] Local DNS requirements for rspamd? Was: Newbie: What does this log message mean?

Gerben Wierda gerben.wierda at rna.nl
Sat Dec 28 21:33:53 UTC 2019


Thank you.

I’ve put a second unbound in on port 5353 which doesn’t use forwarders and the error messages have gone.

Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ

> On 28 Dec 2019, at 19:11, Hans van Eijsden Photography via Users <users at lists.rspamd.com> wrote:
> 
> Hi Gerben,
> 
> Yes, the forwarding to public DNS in general.
> Just let unbound query the root DNS servers, like it does as default. Eventually you can set up unbound on a different port (I use port 5353) and point rspamd to that port.
> 
> My unbound config:
> 
> =======
> 
> # Unbound configuration file for Debian.
> #
> # See the unbound.conf(5) man page.
> #
> # See /usr/share/doc/unbound/examples/unbound.conf for a commented
> # reference config file.
> #
> # The following line includes additional configuration files from the
> # /etc/unbound/unbound.conf.d directory.
> include: "/etc/unbound/unbound.conf.d/*.conf"
> port: 5353
> prefetch: yes
> num-threads: 4
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
> rrset-cache-size: 256m
> msg-cache-size: 128m
> so-rcvbuf: 1m
> so-reuseport: yes
> statistics-interval: 0
> statistics-cumulative: no
> extended-statistics: yes
> #forward-zone:
> #    name: "."
> #    forward-addr: 1.1.1.1
> #    forward-addr: 1.0.0.1
> python:
> remote-control:
>    control-enable: yes
> server: 
>    qname-minimisation: yes
>    auto-trust-anchor-file: "/var/lib/unbound/root.key"
> 
> =======
> 
> So, no forward zone specified. 
> 
> 
> Best regards / Met vriendelijke groet,
> 
> <https://www.hansvaneijsden.com/>
> Hans van Eijsden / Pro Photographer & Retoucher
> 
> Hans van Eijsden Photography 
> Staatssecretarislaan 232 
> 8015 DB Zwolle, The Netherlands 
> +31 (0)38 23 00 648 
> 
> KvK-nr.: 62551396 
> Btw-nr.: NL 1820 26 164 B01 
> IBAN: NL20 SNSB 0908 9490 65 
> www.hansvaneijsden.com <https://www.hansvaneijsden.com/>
> Sent from my iPhone
> 
> 
>> Op 28 dec. 2019, om 18:13 heeft Gerben Wierda <gerben.wierda at rna.nl> het volgende geschreven:
>> 
>>> On 24 Dec 2019, at 11:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>> 
>>> On 23.12.2019 14:53, Gerben Wierda wrote:
>>>> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>>>> 
>>>>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>>>>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>>>>>> 
>>>>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
>>>>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
>>>>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
>>>>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>>>>>> 
>>>>>> So, some config problem with rspamd, apparently. But what really caught my eye was
>>>>>> 
>>>>>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>> 
>>>>>> But these domains are not resolvable:
>>>>>> 
>>>>>> albus:~ sysbh$ nslookup multi.uribl.com
>>>>>> Server:192.168.2.66
>>>>>> Address:192.168.2.66#53
>>>>>> 
>>>>>> Non-authoritative answer:
>>>>>> *** Can't find multi.uribl.com: No answer
>>>>>> 
>>>>>> albus:~ sysbh$ nslookup dwl.dnswl.org
>>>>>> Server:192.168.2.66
>>>>>> Address:192.168.2.66#53
>>>>>> 
>>>>>> Non-authoritative answer:
>>>>>> *** Can't find dwl.dnswl.org: No answer
>>>>>> 
>>>>>> So, why is rspamd reporting this? What does it mean?
>>>>> 
>>>>> If you have Unbound set up on the same machine, add this:
>>>>> 
>>>>> # local.d/options.inc
>>>>> dns {
>>>>> nameserver = ["127.0.0.1"];
>>>>> }
>>>>> 
>>>>> Good luck,
>>>>> Reio
>>>> 
>>>> Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS
>>>> 
>>>> search rna.nl
>>>> nameserver 192.168.2.66
>>>> nameserver 192.168.2.67
>>>> nameserver 8.8.8.8
>>> 
>>> You started with: " I was busy installing rspamd on a machine where I have unbound set up."
>>> 
>>> Assuming you have unbound set up locally, you need to let Rspamd know about it by setting the local nameserver in options.inc.
>> 
>> This doesn’t fix my issue, I think I do not fully understand what is going on. Just that rspamd really needs some specifics in terms of DNS and I’m apparently not providing that.
>> 
>> So with this
>> 
>> dns {
>>   nameserver = "127.0.0.1";
>> }
>> 
>> in local.d/options.inc, I get on reload:
>> 
>> 2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>> 2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>> 
>> My unbound config says:
>> forward-zone: 
>>       name: "."
>>       # Quad9 phishing/malware site blocking DNS 9.9.9.9
>>       forward-addr: 9.9.9.9
>>       # Quad9 2nd DNS
>>       forward-addr: 149.112.112.112
>>       # Fallback if Quad9 is out: Google:
>>       # forward-addr: 8.8.4.4
>> 
>> There is something in my DNS setup that rspamd doesn’t like, but what is it? The forwarding to public DNS in general?
>> 
>> Thanks,
>> 
>> Gerben Wierda
>> Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
>> Mastering ArchiMate <http://masteringarchimate.com/>
>> Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
>> On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
>> 
>> -- 
>> Users mailing list
>> Users at lists.rspamd.com
>> https://lists.rspamd.com/mailman/listinfo/users
> 
> -- 
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users


