On Sun, 28 Feb 2021, RW wrote:

On Sun, 28 Feb 2021 07:42:42 -0800 (PST)
John Hardin wrote:

On Sun, 28 Feb 2021, Michael Grant wrote:

I've traced through the AskDNS plugin and it's definitely only
looking at the first response that gets returned in this case.  I
also tried a regex submatch like:

askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/

and still not working.  The AskDNS code which loops through the
result only looks at the alias result that's returned.

I would indeed characterize that as a bug in the AskDNS plugin. The
fact that it is an alias is not useful information to the evaluation
of the message's spamminess, and the information that *is* useful -
critical, in fact - is being discarded.

Please open a bugzilla ticket for this.

There is already a very similar one:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875

Ok, good.

The AskDNS plugin code on trunk has had several changes that have not been merged to the 3.4 branch for release.

I just ran a quick test on trunk with an askdns rule for a host that is a CNAME and it appeared to work properly - it went through all the responses and the rule did hit on the final resolved IP address.

Feb 28 08:18:40.625 [29038] dbg: dns: bgread: received 860 bytes from 10.1.0.254
Feb 28 08:18:40.628 [29038] dbg: dns: dns reply 39497 is OK, 2 answer records
Feb 28 08:18:40.628 [29038] dbg: askdns: answer received (__ASKDNS_DNAME_TEST), rcode NOERROR, query IN/A/ftp.impsec.org, answer has 2 records
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = CNAME
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = A
Feb 28 08:18:40.628 [29038] dbg: askdns: domain "ftp.impsec.org" listed (__ASKDNS_DNAME_TEST): 108.161.139.220

I don't know whether these changes, or just the recommended fix in 7875, will make it into the pending 3.4 release.

Michael, you might consider using trunk for your SA install, or if that's too risky, potentially pulling just the AskDNS plugin from trunk.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
 14 days until Albert Einstein's 142nd Birthday
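
An added illustration, not SpamAssassin's own code and not code from this thread: a small Python model of evaluating the askdns rule above against an answer section that starts with a CNAME, comparing the first-record-only behaviour reported here with visiting every record as the trunk debug log shows. The answer records and the alias target name are constructed, and the rule parser handles only the rule form used in this thread.

```python
import re

# Rule as posted in the thread; _SENDGRIDID_ is a template tag filled in per message.
RULE = "askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/"

# Constructed answer section: the queried name is an alias, so the reply
# carries the CNAME first and the A record it resolves to second.
ALIASED = [("CNAME", "listed.sendgrid-id.localhost"), ("A", "127.0.0.2")]
DIRECT = [("A", "127.0.0.2")]   # constructed: same listing without an alias
EMPTY = []                      # constructed: name not listed (no answer records)

def parse_askdns(line):
    """Parse 'askdns NAME query_template RR_TYPES /regex/' (only this form)."""
    m = re.fullmatch(r"askdns\s+(\S+)\s+(\S+)\s+([A-Z0-9,]+)\s+/(.+)/", line.strip())
    if not m:
        raise ValueError("unsupported askdns rule: %r" % line)
    name, query, types, pattern = m.groups()
    return {"name": name, "query": query,
            "types": set(types.split(",")), "filter": re.compile(pattern)}

def hit_first_record_only(rule, answer):
    """Model of the reported behaviour: only the first record is tested."""
    if not answer:
        return []
    rtype, rdata = answer[0]
    ok = rtype in rule["types"] and rule["filter"].search(rdata)
    return [rdata] if ok else []

def hit_all_records(rule, answer):
    """Model of the trunk log: every record is visited; other types are skipped."""
    return [rdata for rtype, rdata in answer
            if rtype in rule["types"] and rule["filter"].search(rdata)]

if __name__ == "__main__":
    rule = parse_askdns(RULE)
    for label, answer in (("aliased", ALIASED), ("direct", DIRECT), ("empty", EMPTY)):
        print(label, hit_first_record_only(rule, answer), hit_all_records(rule, answer))
```

In the aliased case the listing exists but the first-record-only check returns no hit, which is how a listed sender slips past the rule.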
