DNS implications to modifying resolv.conf

Discussion in 'Bind / DNS / Nameserver Issues' started by keat63, Jan 28, 2015.

  1. keat63

    keat63 Well-Known Member

    My daughter gets about 5 spammy emails per day, all loosely based on the same subject.
    They are obviously coming from the same source, as the opt out info contains the same address.
    However, I'm pretty sure that the opt out is probably a lie, as each email comes from a different domain.
    I don't trust that opting out works with these spammers, and that they will just continue to spam from the other (who knows how many) domains they have.

    I'm trying to block these at filter level, and looking in the headers this morning found this

    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    URIs: www.gov.uk

    So I ran the following command
    host -t TXT 2.0.0.127.multi.uribl.com

    Which produces:

    2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: xxx.xxx.xxx.251]"
    (on the same subnet, but not mine)

    I've since edited /etc/resolv.conf and added my own name servers to the top of the list, which produces 2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

    Are there any serious DNS implications to modifying resolv.conf?
     
    #1 keat63, Jan 28, 2015
    Last edited: Jan 28, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you considered creating a filter based on the message subject instead? Otherwise, you may find the following thread helpful if you want to use your own name servers as resolvers:

    Setup Own DNS Resolvers

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    The message subject is always different.
    And they appear to have at least 12 different domains, maybe more.
    The email consists of HTML code, so repetitive filterable data is not shown in the headers or body.
    It's always related to health insurance, which I could no doubt block.

    As for setting up my own DNS resolver, that thread just confused me.
     
    #3 keat63, Jan 28, 2015
    Last edited: Jan 28, 2015
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I don't advise setting up your server as a DNS resolver and adding it to the /etc/resolv.conf. Have you implemented any RBL blacklist options available in WHM?

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    I do have SpamCop and SpamHaus configured.

    And I've created a rule in the short term to block these.

    However, my technical question was really regarding the connection refused from multi.uribl.com

    From what I can make out, each IP address has a certain amount of daily multi.uribl.com connection requests.
    When these have been exhausted, all subsequent requests for that day are rejected.

    Because my data center's DNS is apparently being resolved as doing the requests, I'm sharing it with who knows how many others, so no doubt it's exhausting its daily limit.
    Other than hosting my own DNS resolver, is there any way around this?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Setting up your own DNS resolvers or configuring your cPanel server as a DNS resolver is really the only way around this.

    Thank you.
     
  7. keat63

    keat63 Well-Known Member

    Which you don't advise :)

    I take it, there is no config in Spam Assassin which would tell multi.uribl.com where the request originated.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Right, I don't believe there are any configuration changes you can make to have the list see the specific server as opposed to the resolver IP address. I'm not saying you can't make your own server a resolver, but remember to configure the "allow-recursion" directive when doing so. EX:

    Setting up own DNS resolvers

    Thank you.
     
  9. keat63

    keat63 Well-Known Member

    Did a little more reading up on this, and think I may have a caching name server already configured.
    My server is a name server.
    Spam Assassin talks about installing Bind, which I already have installed.
    So I made some changes in Resolver Config.
    I'll run it over the weekend and see what comes of it.
     
  10. nyoman

    nyoman Active Member

    Hi all...

    I made a test on the server to use URIBL too.

    And on the first day I got this in the header

    And after a few days, now I get this:

    Does that mean my server can access/use the URIBL list?

    Thanks
     
  11. keat63

    keat63 Well-Known Member

    Nyoman

    As I understand it, the IP associated with your DNS resolver has a set number of connections to URIBL per day.
    Because you probably share the DNS resolver with hundreds of other servers or VPSs, the limit is being eaten up.
    Once the daily limit is eaten up, no more connections from that IP are allowed.

    There are tests you can perform at ssh.
    host -t TXT 2.0.0.127.multi.uribl.com
    which will show you if you are being blocked and which DNS resolver is performing the queries.
     
  12. nyoman

    nyoman Active Member

    Thanks keat63 for the answer

    I share my own DNS for 2 servers (dedicated) only; currently when I test I get a permanent testpoint

    root@elite:[~] # host -t TXT 2.0.0.127.multi.uribl.com
    2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
     
  13. keat63

    keat63 Well-Known Member

    Bind as a caching nameserver, connection refused messages.

    For about a week, I've been researching the issue with Spam Assassin not being able to connect to URIBL.
    ( 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.)

    The general consensus is to create a cached name server, which it transpires "bind" already is.
    And my server acts as my name server.
    So I changed the resolvers in WHM/Resolver Config, restarted DNS, Exim and Spamd.

    It seems that the Spam Assassin errors connecting to URIBL have now diminished, but I am seeing the occasional connection refused resolving error in the message log.

    named[3549]: error (connection refused) resolving 'someone-i-know.co.uk/MX/IN': xxx.xxx.xx.xx#53

    Considering the above message indicated a domain that we actually deal with, and as it's MX related, I'm assuming this was failing to connect during an email transmission. I've temporarily had to roll back.

    Any pointers that I might be missing something fundamental?
    It was only running about 24 hours. I understand DNS takes time to propagate, maybe 24 hours just wasn't enough?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Re: Bind as a caching nameserver, connection refused messages.

    I did find the following website that you may find helpful:

    URIBL.COM - Realtime URI Blacklist

    Here is a snippet:

    As far as the error message you reported, was that for a remote domain name? Did you try running the "dig" command to verify if the issue continued after that message (it's possible that it was a temporary connection issue with the remote server)?

    Thank you.
     
  15. keat63

    keat63 Well-Known Member

    To be fair, I don't even know what dig is.
    I saw the error in one of my logs, and could see that it was related to a very important business associate, so I jumped ship and rolled back.
    Spam is my pet hate, so I do need to look into this in more depth, but making changes like this can only really happen at the weekend when I'm at home.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  17. lorio

    lorio Well-Known Member

    @keat63: What is your long-term experience with your own resolver? Did you use your cPanel DNSONLY servers? Or did you add an additional server dedicated to resolving?

    @cPanelMichael: A fresh thread or FAQ about setting up a dedicated resolver or reconfiguring the cPanel DNSONLY servers would be good. It would be better if WHM would offer a way to change the resolvers for the activated RBLs.
    That might make it possible to use the resolver of the ISP/Datacenter for all queries except the ones for RBLs.

    When using two or more DNSonly, the local BIND or other DNSdaemons are deactivated.
    Which of the different solutions described in this article http://wiki.apache.org/spamassassin/CachingNameserver can be implemented in future cpanel releases, to allow the usage of different resolvers?
     
  18. mtindor

    mtindor Well-Known Member

    Queries to URIBLs are done through SpamAssassin, not the configured RBLs in Exim.

    If you want those queries to be successful, you almost always have to use nameservers other than public resolvers. Using Google, OpenDNS or other public resolvers likely will yield the same bad results.

    If you are running SpamAssassin 3.4, you can add the "dns_server" directive to your /etc/mail/spamassassin/local.cf file, specifying the nameservers that you want SpamAssassin to use for its queries -- that way you can leave /etc/resolv.conf alone.

    If you do add the dns_server directive in local.cf, be sure to restart spamd.


    See: http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

    dns_server ip-addr-port (default: entries provided by NetDNS)

    Specifies an IP address of a DNS server, and optionally its port number. The dns_server directive may be specified multiple times, each entry adding to a list of available resolving name servers. The ip-addr-port argument can either be an IPv4 or IPv6 address, optionally enclosed in brackets, and optionally followed by a colon and a port number. In absence of a port number a standard port number 53 is assumed. When an IPv6 address is specified along with a port number, the address must be enclosed in brackets to avoid parsing ambiguity regarding a colon separator. A scoped link-local IP address is allowed (assuming underlying modules allow it).

    Examples:

    dns_server 127.0.0.1
    dns_server 127.0.0.1:53
    dns_server [127.0.0.1]:53
    dns_server [::1]:53
    dns_server fe80::1%lo0
    dns_server [fe80::1%lo0]:53

    In absence of dns_server directives, the list of name servers is provided by NetDNS module, which typically obtains the list from /etc/resolv.conf, but this may be platform dependent. Please consult the NetDNS::Resolver documentation for details.
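
The test-point lookup from post 11 and the dns_server directive from post 18, combined in an added example that is not part of any post in this thread: it lists the resolvers SpamAssassin is configured to use and classifies URIBL's answer through each one. The function names and the `--live` flag are hypothetical, and it assumes the `host` tool and resolvers on port 53.

```sh
# Added example, not from the thread. Lists the resolvers SpamAssassin is told
# to use and classifies URIBL's test-point answer as seen through each one.
TESTPOINT="2.0.0.127.multi.uribl.com"   # test point quoted in the thread

# Print the address of every dns_server directive in a local.cf-style file.
# Handles the documented forms: ip, ip:port, [ip]:port, [v6]:port, bare v6.
sa_dns_servers() {
  sed -n 's/^[[:space:]]*dns_server[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" |
  while read -r entry; do
    case "$entry" in
      \[*\]*) entry=${entry#\[}; echo "${entry%%]*}" ;;   # [addr] or [addr]:port
      *:*:*)  echo "$entry" ;;                             # bare IPv6, no port
      *:*)    echo "${entry%%:*}" ;;                       # IPv4:port
      *)      echo "$entry" ;;                             # plain address
    esac
  done
}

# Classify a TXT answer from the test point.
# Prints "ok", "refused <resolver-ip-seen-by-URIBL>" or "unknown".
uribl_classify() {
  case "$1" in
    *"Query Refused"*)
      ip=$(printf '%s\n' "$1" | sed -n 's/.*\[Your DNS IP: \([^]]*\)].*/\1/p')
      echo "refused ${ip:-?}" ;;
    *"permanent testpoint"*) echo "ok" ;;
    *) echo "unknown" ;;
  esac
}

# Live mode (needs network and the host tool); the path argument is optional.
# Assumption: every resolver listens on port 53, so configured ports are dropped.
if [ "${1:-}" = "--live" ]; then
  servers=$(sa_dns_servers "${2:-/etc/mail/spamassassin/local.cf}")
  # No dns_server lines: fall back to /etc/resolv.conf, as the quoted docs describe.
  [ -n "$servers" ] || servers=$(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
  for s in $servers; do
    echo "$s: $(uribl_classify "$(host -t TXT "$TESTPOINT" "$s" 2>&1)")"
  done
fi
```

Run it with `--live` on the mail server; a `refused` line shows the resolver IP that URIBL saw, which tells you whether the lookup left through your own resolver or a shared one.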
     