[Rspamd-Users] Local DNS requirements for rspamd? Was: Newbie: What does this log message mean?
Gerben Wierda
gerben.wierda at rna.nl
Sat Dec 28 21:33:53 UTC 2019
Thank you.
I’ve put a second unbound in on port 5353 which doesn’t use forwarders and the error messages have gone.
Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
> On 28 Dec 2019, at 19:11, Hans van Eijsden Photography via Users <users at lists.rspamd.com> wrote:
>
> Hi Gerben,
>
> Yes, the forwarding to public DNS in general.
> Just let unbound query the root DNS servers, like it does as default. Eventually you can set up unbound on a different port (I use port 5353) and point rspamd to that port.
>
> My unbound config:
>
> =======
>
> # Unbound configuration file for Debian.
> #
> # See the unbound.conf(5) man page.
> #
> # See /usr/share/doc/unbound/examples/unbound.conf for a commented
> # reference config file.
> #
> # The following line includes additional configuration files from the
> # /etc/unbound/unbound.conf.d directory.
> include: "/etc/unbound/unbound.conf.d/*.conf"
> port: 5353
> prefetch: yes
> num-threads: 4
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
> rrset-cache-size: 256m
> msg-cache-size: 128m
> so-rcvbuf: 1m
> so-reuseport: yes
> statistics-interval: 0
> statistics-cumulative: no
> extended-statistics: yes
> #forward-zone:
> # name: "."
> # forward-addr: 1.1.1.1
> # forward-addr: 1.0.0.1
> python:
> remote-control:
> control-enable: yes
> server:
> qname-minimisation: yes
> auto-trust-anchor-file: "/var/lib/unbound/root.key"
>
> =======
>
> So, no forward zone specified.
>
>
> Best regards,
>
> Hans van Eijsden / Pro Photographer & Retoucher
> Sent from my iPhone
>
>
>> On 28 Dec 2019, at 18:13, Gerben Wierda <gerben.wierda at rna.nl> wrote:
>>
>>> On 24 Dec 2019, at 11:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>>
>>> On 23.12.2019 14:53, Gerben Wierda wrote:
>>>> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>>>>
>>>>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>>>>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>>>>>>
>>>>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
>>>>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
>>>>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>>>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
>>>>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>>>>>>
>>>>>> So, some config problem with rspamd, apparently. But what really caught my eye was
>>>>>>
>>>>>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>>>>
>>>>>> But these domains are not resolvable:
>>>>>>
>>>>>> albus:~ sysbh$ nslookup multi.uribl.com
>>>>>> Server:192.168.2.66
>>>>>> Address:192.168.2.66#53
>>>>>>
>>>>>> Non-authoritative answer:
>>>>>> *** Can't find multi.uribl.com: No answer
>>>>>>
>>>>>> albus:~ sysbh$ nslookup dwl.dnswl.org
>>>>>> Server:192.168.2.66
>>>>>> Address:192.168.2.66#53
>>>>>>
>>>>>> Non-authoritative answer:
>>>>>> *** Can't find dwl.dnswl.org: No answer
>>>>>>
>>>>>> So, why is rspamd reporting this? What does it mean?
>>>>>
>>>>> If you have Unbound set up on the same machine, add this:
>>>>>
>>>>> # local.d/options.inc
>>>>> dns {
>>>>> nameserver = ["127.0.0.1"];
>>>>> }
>>>>>
>>>>> Good luck,
>>>>> Reio
>>>>
>>>> Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS
>>>>
>>>> search rna.nl
>>>> nameserver 192.168.2.66
>>>> nameserver 192.168.2.67
>>>> nameserver 8.8.8.8
>>>
>>> You started with: "I was busy installing rspamd on a machine where I have unbound set up."
>>>
>>> Assuming you have unbound set up locally, you need to let Rspamd know about it by setting the local nameserver in options.inc.
>>
>> This doesn’t fix my issue, I think I do not fully understand what is going on. Just that rspamd really needs some specifics in terms of DNS and I’m apparently not providing that.
>>
>> So with this
>>
>> dns {
>> nameserver = "127.0.0.1";
>> }
>>
>> in local.d/options.inc, I get on reload:
>>
>> 2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>> 2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>
>> My unbound config says:
>> forward-zone:
>> name: "."
>> # Quad9 phishing/malware site blocking DNS 9.9.9.9
>> forward-addr: 9.9.9.9
>> # Quad9 2nd DNS
>> forward-addr: 149.112.112.112
>> # Fallback if Quad9 is out: Google:
>> # forward-addr: 8.8.4.4
>>
>> There is something in my DNS setup that rspamd doesn’t like, but what is it? The forwarding to public DNS in general?
>>
>> Thanks,
>>
>> Gerben Wierda
>>
>> --
>> Users mailing list
>> Users at lists.rspamd.com
>> https://lists.rspamd.com/mailman/listinfo/users
>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
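
Added example, not part of any message in this thread: a small Python triage of the rspamd "monitored" log lines quoted above, to confirm per DNS list whether the errors have stopped after pointing rspamd at a non-forwarding resolver. The sample lines are taken from the log excerpts in the thread; the function names and the "failing"/"ok" labels are this example's own assumptions.

```python
import re
from collections import defaultdict

# Lines in the format quoted in the thread (mail-client link markup stripped).
SAMPLE_LOG = """\
2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
"""

# Only lines from the "monitored" module are of interest; map refreshes are skipped.
PREFIX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) #\d+\(\w+\) <\w+>; monitored; \w+: (?P<msg>.*)$"
)
EVENTS = [
    # The list answered with a "blocked" address instead of a real result.
    ("blocked", re.compile(r"DNS query blocked on (?P<zone>\S+) \((?P<detail>\S+) returned\)")),
    # A probe name that must not exist came back without NXDOMAIN.
    ("unexpected_noerror", re.compile(
        r"DNS reply returned 'no error' for (?P<zone>\S+) while .* querying for '(?P<detail>[^']+)'")),
    # rspamd re-enabled the list after a successful probe.
    ("restored", re.compile(r"restoring (?P<zone>\S+) after (?P<detail>[\d.]+) seconds of downtime")),
]

def parse_monitored(text):
    """Return (timestamp, zone, kind, detail) for every monitored DNS event."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        for kind, rx in EVENTS:
            hit = rx.search(m["msg"])
            if hit:
                events.append((m["ts"], hit["zone"], kind, hit["detail"]))
                break
    return events

def summarize(events):
    """Count events per zone; the last event seen decides the current state."""
    zones = defaultdict(lambda: {"blocked": 0, "unexpected_noerror": 0, "restored": 0, "state": "ok"})
    for _ts, zone, kind, _detail in events:
        zones[zone][kind] += 1
        zones[zone]["state"] = "ok" if kind == "restored" else "failing"
    return dict(zones)

if __name__ == "__main__":
    for zone, info in summarize(parse_monitored(SAMPLE_LOG)).items():
        print(zone, info)
```

A zone that still reports "failing" after the resolver change is still being probed through a resolver the list operator refuses or that rewrites answers.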