Topics - kairuri

General Discussion / unbound returns from DNSBLs
« on: September 07, 2018, 01:05:48 am »
Hi,
I have been gradually making changes to my opnsense configuration since upgrading from t1n1wall and I aim to keep opnsense as an appliance.
I recently changed from using dnsmasq forwarding to 202.68.86.122 and 210.48.65.1 to using unbound, first as a forwarding and then as a recursive nameserver, and I find that it does not return results suitable for a mailserver that uses DNSBLs - see <https://www.spamhaus.org/faq/section/DNSBL%20Usage#366> for explanation.

192.168.2.1 is my OPNsense/Unbound nameserver:

root@ikaroa:~# host  2.0.0.127.zen.spamhaus.org 192.168.2.1
Using domain server:
Name: 192.168.2.1
Address: 192.168.2.1#53
Aliases:

root@ikaroa:~# host  1.0.0.127.zen.spamhaus.org 192.168.2.1
Using domain server:
Name: 192.168.2.1
Address: 192.168.2.1#53
Aliases:

Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

Unbound does not send back the correct results for 2.0.0.127.zen.spamhaus.org

If I repeat the test against any of the forwarders I have used in the past, I get the correct response:

root@ikaroa:~# host  2.0.0.127.zen.spamhaus.org 202.68.86.122
Using domain server:
Name: 202.68.86.122
Address: 202.68.86.122#53
Aliases:

2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
root@ikaroa:~# host  1.0.0.127.zen.spamhaus.org 202.68.86.122
Using domain server:
Name: 202.68.86.122
Address: 202.68.86.122#53
Aliases:

Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)

The correct results are really important for a properly working mailserver - currently I have my forwarding to the working nameservers.
These results are the same no matter if Unbound is recursive or forwarding.  I have DNSSEC enabled but it makes no difference.

I would really appreciate any help here!

Below I have added the verbose responses for 2.0.0.127.zen.spamhaus.org:

root@ikaroa:~# host -v  2.0.0.127.zen.spamhaus.org 192.168.2.1
Trying "2.0.0.127.zen.spamhaus.org"
Using domain server:
Name: 192.168.2.1
Address: 192.168.2.1#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3734
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      A

Received 44 bytes from 192.168.2.1#53 in 568 ms
Trying "2.0.0.127.zen.spamhaus.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23743
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      AAAA

;; AUTHORITY SECTION:
zen.spamhaus.org.       9       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1809062246 3600 600 432000 10

Received 108 bytes from 192.168.2.1#53 in 410 ms
Trying "2.0.0.127.zen.spamhaus.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18129
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      MX

;; AUTHORITY SECTION:
zen.spamhaus.org.       8       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1809062246 3600 600 432000 10

Received 108 bytes from 192.168.2.1#53 in 1233 ms

root@ikaroa:~# host -v  2.0.0.127.zen.spamhaus.org 202.68.86.122
Trying "2.0.0.127.zen.spamhaus.org"
Using domain server:
Name: 202.68.86.122
Address: 202.68.86.122#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23399
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 60  IN      A       127.0.0.2
2.0.0.127.zen.spamhaus.org. 60  IN      A       127.0.0.4
2.0.0.127.zen.spamhaus.org. 60  IN      A       127.0.0.10

;; AUTHORITY SECTION:
zen.spamhaus.org.       391     IN      NS      a.gns.spamhaus.org.
zen.spamhaus.org.       391     IN      NS      c.gns.spamhaus.org.
zen.spamhaus.org.       391     IN      NS      b.gns.spamhaus.org.
zen.spamhaus.org.       391     IN      NS      e.gns.spamhaus.org.
zen.spamhaus.org.       391     IN      NS      d.gns.spamhaus.org.

Received 176 bytes from 202.68.86.122#53 in 158 ms
Trying "2.0.0.127.zen.spamhaus.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      AAAA

;; AUTHORITY SECTION:
zen.spamhaus.org.       10      IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1809062302 3600 600 432000 10

Received 108 bytes from 202.68.86.122#53 in 155 ms
Trying "2.0.0.127.zen.spamhaus.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.    IN      MX

;; AUTHORITY SECTION:
zen.spamhaus.org.       10      IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1809062302 3600 600 432000 10

Received 108 bytes from 202.68.86.122#53 in 148 ms
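
The two-query test from the post can be scripted so that a resolver returning an empty NOERROR answer for the 127.0.0.2 test point is flagged instead of being read as "not listed". This is an added example, not part of the original post; it assumes the `host` utility shown above, and the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Classify the output of `host NAME RESOLVER` for a DNSBL test query (stdin).
classify_dnsbl_reply() {
    awk '
        / has address 127\./        { listed = 1 }
        /not found: 3\(NXDOMAIN\)/  { nx = 1 }
        /not found: |timed out/     { err = 1 }
        END {
            if (listed)   print "listed"
            else if (nx)  print "not-listed"
            else if (err) print "error"
            else          print "empty"   # NOERROR with no A records
        }'
}

# Combine the results for the two test points into one verdict.
# $1 = result for 2.0.0.127.<zone> (must be listed)
# $2 = result for 1.0.0.127.<zone> (must not be listed)
dnsbl_verdict() {
    case "$1/$2" in
        listed/not-listed) echo "ok" ;;
        empty/*)           echo "broken-empty-answer"; return 1 ;;
        error/*|*/error)   echo "lookup-error"; return 1 ;;
        *)                 echo "unexpected"; return 1 ;;
    esac
}

# Live check, e.g.: check_resolver zen.spamhaus.org 192.168.2.1
check_resolver() {
    pos=$(host -t A "2.0.0.127.$1" "$2" 2>&1 | classify_dnsbl_reply)
    neg=$(host -t A "1.0.0.127.$1" "$2" 2>&1 | classify_dnsbl_reply)
    dnsbl_verdict "$pos" "$neg"
}

# Offline replay of the two replies 192.168.2.1 gave in the post.
replay_post() {
    pos=$(printf '%s\n' 'Using domain server:' 'Name: 192.168.2.1' \
        'Address: 192.168.2.1#53' 'Aliases:' '' | classify_dnsbl_reply)
    neg=$(printf '%s\n' \
        'Host 1.0.0.127.zen.spamhaus.org not found: 3(NXDOMAIN)' \
        | classify_dnsbl_reply)
    dnsbl_verdict "$pos" "$neg"
}
replay_post || true
```

Run from cron or a monitoring check on the mail server, a non-zero exit from `check_resolver` shows that DNSBL filtering has silently stopped working through that resolver.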

