Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Rob McEwen

On 5/18/2017 5:46 PM, David Jones wrote:

it should be pretty clear now to not use a forwarding DNS server locally and
do not point the server to another DNS server in /etc/resolv.conf.


Thanks David!

Some may be interested to know at least 15% of my entire labor 
"overhead" for running invaluement - involves playing "whack a mole" (so 
to speak) with both testers and existing subscribers - whose DNS 
settings CONSTANTLY revert back to sending direct queries to invaluement 
via Google and/or OpenDNS - which are then blocked - even as the 
instructions were extremely clear about how/why not to do it that way.


In many cases, they explain to me that their settings got 
auto-overwritten by their hoster - who just HAD to switch their 
resolv.conf file back to 8.8.8.8


In some rare worst case scenarios - I have to "fire the customer", due 
to many repeated incidents where the labor involved in constantly 
babysitting their settings - was no longer worth their subscription payment.


And unfortunately there is just basically a very sizable portion of IT 
professionals in the entire world... probably hundreds of thousands of 
IT people - who have been convinced that pointing all DNS to 8.8.8.8 is 
standard operating procedure that they think is always the best way.


For me, it feels like annoying busy work. Imagine that for at least one 
hour out of your day - you have to stop what you're doing and dig a hole 
in your back yard - and then fill it back in.


So I'm grateful every time I see a thread like this that pushes back 
against that, and encourages others to run industry standard 
non-forwarding caching DNS servers.


THANKS!

--
Rob McEwen
http://www.invaluement.com




Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Martin Gregorie
On Thu, 2017-05-18 at 21:46 +, David Jones wrote:
> > From: John Hardin 
> > I think this part of the wiki page may not be stressed strongly
> > enough:
> > Non-forwarding
> > If you have a large ISP or are using large public DNS provider(s)
> > it is 
> > recommended you not forward mail-related DNS traffic through their
> > DNS 
> > servers (though non-mail DNS traffic from your site shouldn't have 
> > problems.) With bind, this means not having any "forwarders"
> > listed. Or, 
> > at a minimum, you could create exemptions by defining empty
> > forwarders for 
> > DNSBL zones, like this:
> 
> https://wiki.apache.org/spamassassin/CachingNameserver
> 
> I just simplified that page quite a bit.  It needs a little more work
> on it but it
> should be pretty clear now to not use a forwarding DNS server locally
> and do
> not point the server to another DNS server in /etc/resolv.conf.
> 
Minor correction: The Bind for RedHat section of the page needs changes
to bring it into line with the unbound instructions.

For Fedora you'd use: 

dnf install bind
systemctl enable named   # the bind package ships named.service, not bind.service
systemctl start named

Can't comment about RHEL/CentOS


Martin



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Bill Cole

On 18 May 2017, at 17:05, Robert Kudyba wrote:


On May 18, 2017, at 4:41 PM, David Jones  wrote:


From: Robert Kudyba 



Am 18.05.2017 um 22:30 schrieb Reindl Harald:
"with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
you are forwarding to some other nameserver and you are not the only one



But the nameserver I’m forwarding to is in our university.


Your server needs to do its own full recursive DNS lookups.


So dnsmasq is no longer an option?


It never was a reasonable option for anything more than a toy mail 
server on a network with real recursers that aren't shared by mail 
servers doing significant volume.


If you want a mail server to perform decently while using all the modern 
tools for fraud & spam detection (DNSBLs, SPF, DKIM, DMARC, DANE, 
requiring FCrDNS with a non-generic name, etc.) you need a fully 
recursive (never-forwarding) DNS resolver with a sizable cache on the 
same machine or at worst the same physical LAN. A substantial fraction 
of the time it takes to accept or reject a piece of mail is spent 
waiting for DNS replies, especially if you are relying on a cache that 
is on the other side of a router.



/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx


Tangent: You do know that your email address and a complete Received trail 
are in your mail, right? Not much point in obfuscation...


Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just 
following the instructions at 
https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
which BTW has a broken link to instructions.


Evidence that the wiki does not see a lot of maintenance. There's a LOT 
of staleness there.




I see there’s rbldnsd.


ONLY if you have a way to get full copies of the zones you want, because 
rbldnsd is ONLY authoritative. It is useful if you're paying for a 
subscription to a DNSBL provider like Spamhaus, but it's NOT a 
general-purpose resolver.


On Fedora and one of our 2 servers, we run NIS & ypbind. One runs 
NetworkManager and the other just the network service. I guess I’m 
looking for the best recommendation and easy configuration without 
conflicts.


IMHO NetworkMangler doesn't belong on ANY server, but that's a rant for 
elsewhere...


Unbound is by far my favorite for pure simple caching fully-recursive 
resolvers. I use BIND as well, but only where I need complex rigs that I 
have not yet tried to implement with Unbound.


The link to http://njabl.org/rsync.html is broken at the moment.


It shall remain so until such time as it is removed, as NJABL is long 
dead.


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: John Hardin 

>I think this part of the wiki page may not be stressed strongly enough:

>Non-forwarding

>If you have a large ISP or are using large public DNS provider(s) it is 
>recommended you not forward mail-related DNS traffic through their DNS 
>servers (though non-mail DNS traffic from your site shouldn't have 
>problems.) With bind, this means not having any "forwarders" listed. Or, 
>at a minimum, you could create exemptions by defining empty forwarders for 
>DNSBL zones, like this:

https://wiki.apache.org/spamassassin/CachingNameserver

I just simplified that page quite a bit.  It needs a little more work on it but 
it
should be pretty clear now to not use a forwarding DNS server locally and do
not point the server to another DNS server in /etc/resolv.conf.

Dave

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread John Hardin

On Thu, 18 May 2017, Robert Kudyba wrote:




Am 18.05.2017 um 22:30 schrieb Reindl Harald:

"with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
you are forwarding to some other nameserver and you are not the only one


But the nameserver I’m forwarding to is in our university.


/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx

seriously - what do you think happens?
you and everybody else on planet earth using 150.xx.xx.xx are coming with the 
same IP to the DNSBL/URIBL hosts


Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just 
following the instructions at 
https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver 
which BTW has a broken link to instructions.


I think this part of the wiki page may not be stressed strongly enough:



Non-forwarding

If you have a large ISP or are using large public DNS provider(s) it is 
recommended you not forward mail-related DNS traffic through their DNS 
servers (though non-mail DNS traffic from your site shouldn't have 
problems.) With bind, this means not having any "forwarders" listed. Or, 
at a minimum, you could create exemptions by defining empty forwarders for 
DNSBL zones, like this:


/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If you are "fighting for social justice," then you are defining
  yourself as someone who considers regular old everyday
  *equal* justice to be something you don't want.   -- GOF at TSM
---
 49 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba
On May 18, 2017 5:11 PM, "Reindl Harald"  wrote:



Am 18.05.2017 um 23:05 schrieb Robert Kudyba:

>
> On May 18, 2017, at 4:41 PM, David Jones <djo...@ena.com> wrote:
>>
>> From: Robert Kudyba <rkud...@fordham.edu>
>>>
>>
>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:

> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
> you are forwarding to some other nameserver and you are not the only
> one
>

>> But the nameserver I’m forwarding to is in our university.
>>>
>>
>> Your server needs to do its own full recursive DNS lookups.
>>
>
> So dnsmasq is no longer an option?
>

it was never - no DNS software which needs another nameserver for its job
is suitable on an inbound spam filter

I will fix this wiki page now…
>>
>
> I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS &
> ypbind. One runs NetworkManager and the other just the network service. I
> guess I’m looking for the best recommendation and easy configuration
> without conflicts. The link to http://njabl.org/rsync.html is broken
> at the moment
>

rbldnsd is a completely different thing and supposed to host your *own*
dnsbl zones

what you need is a *basic* nameserver just doing recursion and tell your
mailserver just use it

* get rid of other crap
* dnf install unbound
* systemctl enable unbound
* systemctl start unbound
* just use your unbound on 127.0.0.1


It looks like I'll have to

   - Add the following line into /etc/NetworkManager/NetworkManager.conf

dns=unbound

or ask the idiot maintaining "I'm forwarding to is in our university" why
he is forwarding queries outside your university to google instead of doing
recursion


Probably because the university uses gmail. Our department does not.
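The setup Reindl lists above (a basic unbound on 127.0.0.1 doing recursion, nothing forwarding) and the resolv.conf-gets-overwritten problem from earlier in the thread, as an added shell example that is not part of the thread and not anyone's posted configuration: it prints the forwarding unbound.conf that reproduces the URIBL_BLOCKED symptom beside a minimal non-forwarding one, and includes a small check that reports any forward-zone in a given config text. The config path /etc/unbound/unbound.conf, the cache sizes and the use of 8.8.8.8 as the example forwarder are assumptions; the unbound option names are real.

```shell
#!/bin/sh
# Added example (not from the thread): a non-forwarding unbound setup for a mail
# filter host, next to the forwarding variant the thread warns against.
# The path /etc/unbound/unbound.conf and the cache sizes are assumptions.

# The shape to avoid: a catch-all forward-zone sends every lookup through a
# shared public resolver, so URIBL sees that resolver's address and volume,
# not yours, and refuses once that address is over the free limit.
forwarding_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
EOF
}

# The shape the thread recommends: listen on loopback only, answer only local
# clients, iterate from the root servers yourself, keep a generous cache.
recursive_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    prefetch: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m
    # No forward-zone and no stub-zone: unbound resolves every name itself.
EOF
}

# Print the name of every forward-zone in an unbound.conf text ($1).
# Empty output means the resolver recurses on its own for all names.
forward_zones() {
    printf '%s\n' "$1" | awk '
        $1 == "forward-zone:"    { in_zone = 1; next }
        in_zone && $1 == "name:" { gsub(/"/, "", $2); print $2; in_zone = 0 }
    '
}

# Fedora steps as given in the thread, with the config written in between.
# Run as root; only executed when the script is invoked with --install.
install_unbound() {
    dnf install unbound
    recursive_conf > /etc/unbound/unbound.conf     # assumed path
    unbound-checkconf /etc/unbound/unbound.conf    # syntax check before starting
    systemctl enable unbound
    systemctl start unbound
    # resolv.conf must then point only at 127.0.0.1, and whatever manages it
    # (NetworkManager, the hoster's provisioning) must be stopped from rewriting it.
    printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
}

if [ "${1:-}" = "--install" ]; then
    install_unbound
fi
```

forward_zones is the check to run over a config you inherited before trusting it: the recursive config yields nothing, the forwarding one yields `.`. The same idea applies to the BIND "forwarders" lines quoted elsewhere in the thread.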


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba

> On May 18, 2017, at 4:41 PM, David Jones  wrote:
> 
>> From: Robert Kudyba 
> 
>>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>>> you are forwarding to some other nameserver and you are not the only one
> 
>> But the nameserver I’m forwarding to is in our university.
> 
> Your server needs to do its own full recursive DNS lookups.

So dnsmasq is no longer an option?

> 
>>> /etc/resolv.dnsmasq
>>> search subdomain.ourschool.edu ourschool.edu
>>> nameserver 150.108.x.yy
>>> nameserver 150.108.y.xx
>>> 
>>> seriously - what do you think happens?
>>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>> the same IP to the DNSBL/URIBL hosts
> 
> He's being rude but he's right.  You can't guarantee that all of the other DNS
> queries being made through your university DNS servers aren't going over the
> free limit on the URIBL DNS servers.
> 
>> Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following 
>> the instructions at 
>> https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
>> which BTW has a broken link to instructions.
> 
> I will fix this wiki page now…

I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS & ypbind. 
One runs NetworkManager and the other just the network service. I guess I’m 
looking for the best recommendation and easy configuration without conflicts. 
The link to http://njabl.org/rsync.html is broken 
at the moment. 



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: Robert Kudyba 

>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>> you are forwarding to some other nameserver and you are not the only one

>But the nameserver I’m forwarding to is in our university.

Your server needs to do its own full recursive DNS lookups.

>> /etc/resolv.dnsmasq
>> search subdomain.ourschool.edu ourschool.edu
>> nameserver 150.108.x.yy
>> nameserver 150.108.y.xx
>> 
>> seriously - what do you think happens?
>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>the same IP to the DNSBL/URIBL hosts

He's being rude but he's right.  You can't guarantee that all of the other DNS
queries being made through your university DNS servers aren't going over the
free limit on the URIBL DNS servers.

>Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the
>instructions at https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
>which BTW has a broken link to instructions.

I will fix this wiki page now...

Dave



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: Robert Kudyba 

>host -tTXT test.uribl.com.multi.uribl.com
>test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"

>Some logs to show dnsmasq in use:
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

You can't use dnsmasq since it only forwards to other DNS servers.  You need to
use unbound, BIND, or my favorite PowerDNS recursor so that your server does
its own full recursive DNS lookups and doesn't rely on any other servers.  When
you rely on other DNS servers, then your DNS queries will be combined with all
of the other queries pushing you over the URIBL free usage limit.

Dave



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba

> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>> you are forwarding to some other nameserver and you are not the only one

But the nameserver I’m forwarding to is in our university.

> /etc/resolv.dnsmasq
> search subdomain.ourschool.edu ourschool.edu
> nameserver 150.108.x.yy
> nameserver 150.108.y.xx
> 
> seriously - what do you think happens?
> you and everybody else on planet earth using 150.xx.xx.xx are coming with the 
> same IP to the DNSBL/URIBL hosts

Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the 
instructions at 
https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
which BTW has a broken link to instructions.



URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba
I know this has been covered before, e.g., 
https://lists.gt.net/spamassassin/users/198845/?page=1;mh=-1; & 
https://lists.gt.net/spamassassin/users/199135 as well as off list at Ubuntu at 
https://serverfault.com/questions/644707/uribl-blocked-on-ubuntu-14-04-server-with-working-dnsmasq.
Here’s what we’re getting on 2 Fedora 25 servers:

host -tTXT test.uribl.com.multi.uribl.com
test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"
[root@storm audit]# 

Note the DNS IP is a Google IP and always changes when I run the command.

I just want to make sure I’m not missing something. NetworkManager and network 
service are running and here you can see dnsmasq running with NM:

NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-05-17 17:07:27 EDT; 17h ago
     Docs: man:NetworkManager(8)
 Main PID: 24310 (NetworkManager)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/NetworkManager.service
           ├─24310 /usr/sbin/NetworkManager --no-daemon
           └─24468 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.free

Some logs to show dnsmasq in use:
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

cat /etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourdomain.edu
nameserver 127.0.0.1

dns=dnsmasq is set in the [main] section of 
/etc/NetworkManager/NetworkManager.conf 

And some digs to show before/after:
dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.google.co.nz.  IN  A

;; ANSWER SECTION:
www.google.co.nz.   299 IN  A   172.217.10.67

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:52:59 EDT 2017
;; MSG SIZE  rcvd: 61

[root@storm audit]# dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53814
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.co.nz.  IN  A

;; ANSWER SECTION:
www.google.co.nz.   297 IN  A   172.217.10.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:53:01 EDT 2017
;; MSG SIZE  rcvd: 61


host -tA 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com has address 127.0.0.1

/etc/dnsmasq.conf
port=0
resolv-file=/etc/resolv.dnsmasq
strict-order
no-dhcp-interface=enp7s0f0
bind-interfaces
listen-address=127.0.0.1,150.108.xx.yy,127.0.1.1
interface=enp7s0f0
domain=ourdomain.ourschool.edu

/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx

/etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourschool.edu
nameserver 127.0.0.1

Am I missing something?
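To make the diagnosis in this post repeatable, here is an added shell example (not from the thread and not the poster's own script) that parses the three pieces of evidence the replies point at: whether URIBL's test record comes back refused and which resolver address URIBL saw, whether /etc/resolv.conf points only at loopback, and which upstreams dnsmasq is forwarding to according to its log. The sample host output, resolv.conf contents and log lines are constructed from the ones shown above, with documentation-range addresses (192.0.2.x) in place of the university's; --live runs the real commands on the current host, and the journalctl unit names used there are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): offline parsers for the evidence the
# replies ask about, plus a live wrapper that runs the real commands.

# $1: the TXT answer for test.uribl.com.multi.uribl.com as printed by host(1).
# Prints "OK" when URIBL answered normally, or "BLOCKED upstream=<ip>" with the
# resolver address URIBL saw, which is the address that is over the free limit
# (a Google address here means the query left the site via a public forwarder).
uribl_status() {
    case "$1" in
        *"Query Refused"*)
            seen=$(printf '%s' "$1" | sed -n 's/.*Your DNS IP: *\([0-9a-fA-F.:]*\).*/\1/p')
            printf 'BLOCKED upstream=%s\n' "${seen:-unknown}" ;;
        *"descriptive text"*)
            printf 'OK\n' ;;          # some TXT record came back: URIBL is answering us
        *)
            printf 'UNKNOWN\n' ;;     # NXDOMAIN, timeout, or no TXT at all
    esac
}

# $1: contents of /etc/resolv.conf. Succeeds only if at least one nameserver is
# listed and every one of them is a loopback address.
resolv_conf_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }
    '
}

# $1: dnsmasq log lines. Prints the non-loopback upstreams dnsmasq forwards to,
# one per line, sorted; anything printed means this box is not recursing itself.
dnsmasq_forwarders() {
    printf '%s\n' "$1" \
        | sed -n 's/.*using nameserver \([^#]*\)#.*/\1/p' \
        | grep -v '^127\.' | sort -u
}

# Constructed samples modelled on the output quoted in the post above.
SAMPLE_REFUSED='test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"'
SAMPLE_RESOLV_LOCAL='# Generated by NetworkManager
search subdomain.ourschool.edu
nameserver 127.0.0.1'
SAMPLE_RESOLV_REMOTE='search subdomain.ourschool.edu ourschool.edu
nameserver 192.0.2.10
nameserver 192.0.2.11'
SAMPLE_LOG='May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 192.0.2.10#53
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 192.0.2.11#53
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53'

# Runs the real checks on this host (needs host(1), journalctl and network access).
live_check() {
    uribl_status "$(host -tTXT test.uribl.com.multi.uribl.com 2>&1)"
    if resolv_conf_ok "$(cat /etc/resolv.conf)"; then
        echo "resolv.conf: loopback only"
    else
        echo "resolv.conf: points at a remote resolver"
    fi
    # Unit names are assumptions: NetworkManager-spawned dnsmasq logs under NetworkManager.
    echo "dnsmasq forwards to:"
    dnsmasq_forwarders "$(journalctl -u NetworkManager -u dnsmasq --no-pager 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Against the samples, uribl_status reports the block and names 74.125.19.15 as the resolver URIBL saw, resolv_conf_ok accepts the NetworkManager-generated file and rejects the one listing the university resolvers, and dnsmasq_forwarders lists both remote upstreams from the log, which is exactly the situation the replies describe: resolv.conf looks local, but every lookup still leaves the machine.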