Re: spamassassin and caching nameservers

2016-08-23 Thread Kim Roar Foldøy Hauge

On Tue, 23 Aug 2016, Alex wrote:

> Hi,
>
> On Mon, Aug 22, 2016 at 11:52 PM, Bill Cole wrote:
>
>> On 22 Aug 2016, at 21:15, Alex wrote:
>>
>>> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
>>> queries, etc for this purpose?
>>
>> Nope. rbldnsd is only an authoritative server and does not do any resolution
>> via other servers or caching of records for which it is not authoritative.



Some of the confusion about rbldnsd MIGHT stem from the following page:

https://wiki.apache.org/spamassassin/CachingNameserver

Specifically the section: Installing rbldnsd as a Caching Nameserver

The caching there isn't really caching. It's serving from local copies of 
rsynced blacklists. It doesn't help that the page which it links to for 
a guide is hosted on a server that is down.


--
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH

Re: spamassassin and caching nameservers

2016-08-23 Thread Alex
Hi,

On Mon, Aug 22, 2016 at 11:52 PM, Bill Cole wrote:
> On 22 Aug 2016, at 21:15, Alex wrote:
>
>> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
>> queries, etc for this purpose?
>
> Nope. rbldnsd is only an authoritative server and does not do any resolution
> via other servers or caching of records for which it is not authoritative.
>
> If you have some solid reason to believe that the problem is BIND (which
> seems unlikely to me...) it might be a good idea to analyze exactly what the
> mechanics of the problem are and pick alternative software which is designed
> to be a caching recursive resolver AND which won't have exactly the same
> problem(s).

Yes, I'm learning that about rbldnsd now too.

I also agree about bind - it's always performed well, and it's a
perfectly robust box that it was running on, so I'm confused about the
problem. I also really didn't want to introduce another application
unique to this one box.

It looks like I've isolated the problem down to a configuration error
on the system that was making one of the backup nameservers
unreachable, resulting in some query timeouts.

Thanks,
Alex


Re: spamassassin and caching nameservers

2016-08-22 Thread Bill Cole

On 22 Aug 2016, at 21:15, Alex wrote:

> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
> queries, etc for this purpose?

Nope. rbldnsd is only an authoritative server and does not do any 
resolution via other servers or caching of records for which it is not 
authoritative.


If you have some solid reason to believe that the problem is BIND (which 
seems unlikely to me...) it might be a good idea to analyze exactly what 
the mechanics of the problem are and pick alternative software which is 
designed to be a caching recursive resolver AND which won't have exactly 
the same problem(s).


One example of a pure caching recursive resolver is Unbound. It might 
meet your needs and it definitely is simpler to configure than BIND 
because it (like rbldnsd) is focused on a narrow subset of the broad 
range of functions done by things we call nameservers, whereas BIND is 
designed to do anything anyone might reasonably want a nameserver to do. 
I run mail systems using a mix of Unbound and BIND for local caching, 
and I can't see any reason to believe that BIND performs objectively 
worse than Unbound in that role. One nice thing about BIND is that you 
can make it log profusely so that you can figure out where the delays are 
in doing a particular query. My bet would be that what you're seeing 
isn't BIND being slow, but rather an external issue. 2 common problems:


1. Live IPv6 interfaces on a machine with no or very poor IPv6 
connectivity. In this circumstance, BIND running without the "-4" option 
(or Unbound with its default do-ip6=yes) will sometimes try to query an 
IPv6 authoritative nameserver for a name, eventually time out and then 
try an IPv4 nameserver. This is particularly pernicious in circumstances 
where you have one hop of IPv6 connectivity but your provider doesn't 
really have robust IPv6 connectivity and so you can't get to some 
places, often intermittently and variably.


2. Many cable providers these days hijack DNS queries by default for 
mostly sleazy but perfectly legal reasons, often justifying the practice 
with hand-waving about security (i.e. saving users from themselves by 
not resolving the names of miscreant domains.) This causes direct 
intentional breakage that often manifests as queries that time out (they 
should 'SERVFAIL' "bad" names but some do not.) It also can cause 
bottlenecks at the provider's hijacking routers and/or DNS servers 
(particularly during peak times) exacerbated by UDP being unreliable by 
design.


Could BIND itself be the culprit? Sure, it COULD, but it's not a good 
default scapegoat for sporadic timeouts in a local caching resolver.
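Both suspects above (IPv6 fallbacks and upstream hijacking) surface as timeouts or odd RCODEs rather than as slow resolver code, and the thread's opening question (can rbldnsd stand in for a recursive resolver?) turns on whether a server offers recursion at all, which a reply advertises in its RA bit. The probe below is an added example, not code from this thread or from BIND, Unbound or rbldnsd; it assumes a resolver listening on UDP port 53 at whatever address you pass it and uses example.com as a sample name. It builds a query, times the reply, and classifies it as NOERROR / NXDOMAIN / SERVFAIL / REFUSED / timeout / unreachable, reporting whether the responder sets RA (recursion available) and TC (truncated), so you can compare 127.0.0.1 against the provider's resolver, and an IPv4 address against an IPv6 one, with the same tool.

```python
# Added example (not from the thread): a minimal DNS probe that sends one
# query over UDP, times the reply and classifies it, so that sporadic
# timeouts can be told apart from SERVFAIL/NXDOMAIN answers and from an
# authoritative-only server that never offers recursion (RA bit clear).
import socket
import struct
import sys
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Standard query with RD set: we are asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(packet, offset):
    """Decode a name, following compression pointers; return (name, next_offset)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                next_off = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if jumped else offset)


def parse_response(packet, expect_id=0x1234):
    """Classify a reply: RCODE, RA/TC flags, and any A/AAAA rdata it carries."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expect_id:  # not an answer to our question
        return {"status": "bad-id"}
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(packet, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {
        "status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "recursion_available": bool(flags & 0x0080),  # RA: a real recursor sets this
        "truncated": bool(flags & 0x0200),            # TC: retry over TCP if set
        "answers": an,
        "addresses": addrs,
    }


def probe(server, name, qtype="A", timeout=2.0):
    """Send one UDP query to server:53 and return the classification plus seconds taken."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
        result = parse_response(data)
    except socket.timeout:
        result = {"status": "timeout"}
    except OSError as exc:  # e.g. "network unreachable" on a dead IPv6 path
        result = {"status": "unreachable", "error": str(exc)}
    finally:
        sock.close()
    result["seconds"] = round(time.monotonic() - started, 3)
    return result


def constructed_response(flags, a_records=(), txid=0x1234):
    """Synthetic reply for example.com (constructed test data, not captured traffic)."""
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    pkt += encode_name("example.com") + struct.pack("!HH", 1, 1)
    for ip in a_records:  # name is a pointer back to the question at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return pkt


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for qtype in ("A", "MX", "TXT"):
        print(resolver, "example.com", qtype, probe(resolver, "example.com", qtype))
```

Run it as `python3 dnsprobe.py 127.0.0.1` and again with the provider's resolver address; a run of "timeout" results against one server but not the other points at the path or the upstream rather than at the local daemon, and a reply with `recursion_available` False (the reply an authoritative-only server such as rbldnsd would give) means the address you are querying is not a caching resolver at all.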


Re: spamassassin and caching nameservers

2016-08-22 Thread Shawn Bakhtiar
Not sure if this helps but I use bind dlz with a mysql back-end as DNSBL of 
last resort. We get the IP addresses from honeypot emails, and it works pretty 
good. I have a daemon running in the background that uses a few intermediary 
tables with metrics like last seen, rate, total count, etc. to make the final 
zone table which Sendmail queries (or SA if you wish).

http://bind-dlz.sourceforge.net/mysql_driver.html

How you populate the backend table is up to you. I’m sure there are lists you 
can download to populate the data, mitigating the need to make the DNS query, 
but I don’t use this as the first line of defense, it is our last line of 
defense before we engage SA.


> On Aug 22, 2016, at 7:04 PM, Rob McEwen wrote:
>
>> On 8/22/2016 9:15 PM, Alex wrote:
>>> Has anyone configured it as a local caching nameserver, and if so,
>>> could you share your config?
>>
>> Correct me if I'm wrong... but...
>>
>> I'm almost positive that rbldnsd acts ONLY as an authoritative name server, and 
>> not ever as a caching name server. I don't think there is functionality to 
>> either fetch root hints or to do catch-all forwarding to an upstream DNS server 
>> for just any host names. Instead, it only serves up the zones that it is 
>> specifically told to serve at startup, using the physical source data files to 
>> which those zones point.
>>
>> It was designed from the ground up only to serve as a dumbed down locally 
>> hosted DNS, only for serving DNSBLs where the data files are found locally. It 
>> makes up for the lack of more extensive DNS features with blazing speed and 
>> very low memory overhead.
>>
>> --
>> Rob McEwen




Re: spamassassin and caching nameservers

2016-08-22 Thread Rob McEwen

On 8/22/2016 9:15 PM, Alex wrote:

> Has anyone configured it as a local caching nameserver, and if so,
> could you share your config?


Correct me if I'm wrong... but...

I'm almost positive that rbldnsd acts ONLY as an authoritative name 
server, and not ever as a caching name server. I don't think there is 
functionality to either fetch root hints or to do catch-all forwarding 
to an upstream DNS server for just any host names. Instead, it only 
serves up the zones that it is specifically told to serve at startup, 
using the physical source data files to which those zones point.


It was designed from the ground up only to serve as a dumbed down 
locally hosted DNS, only for serving DNSBLs where the data files are 
found locally. It makes up for the lack of more extensive DNS features 
with blazing speed and very low memory overhead.


--
Rob McEwen



Re: spamassassin and caching nameservers

2016-08-22 Thread Marc Perkel
For what it's worth I use PowerDNS for a recursive nameserver and happy 
with it. Very easy to set up.


On 08/22/16 18:15, Alex wrote:

> Hi all,
> I've just set up spamassassin on a cable connection that appears to
> have sporadic DNS timeouts using bind. It shouldn't be so slow that
> queries time out, but apparently they are. I'm hoping rbldnsd would
> provide that additional responsiveness needed.
>
> I've set up rbldnsd before, to be used as a way to query a local RBL.
> Has anyone configured it as a local caching nameserver, and if so,
> could you share your config?
>
> I'd like it to listen on localhost/53 in place of bind and I would
> think I would need the root zones in there somewhere, but there
> doesn't appear to be many examples of doing this out there to
> reference.
>
> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
> queries, etc for this purpose?
>
> Thanks,
> Alex




--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



spamassassin and caching nameservers

2016-08-22 Thread Alex
Hi all,
I've just set up spamassassin on a cable connection that appears to
have sporadic DNS timeouts using bind. It shouldn't be so slow that
queries time out, but apparently they are. I'm hoping rbldnsd would
provide that additional responsiveness needed.

I've set up rbldnsd before, to be used as a way to query a local RBL.
Has anyone configured it as a local caching nameserver, and if so,
could you share your config?

I'd like it to listen on localhost/53 in place of bind and I would
think I would need the root zones in there somewhere, but there
doesn't appear to be many examples of doing this out there to
reference.

Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
queries, etc for this purpose?

Thanks,
Alex