DNSBL, Spamhaus and postscreen filters


DNSBL, Spamhaus and postscreen filters

Robert Sharp-2

I was prompted from reading a recent post to check whether my postscreen set up was picking up Spamhaus responses. Quick grep through my logs confirmed that it was not. Seems I am in a bit of Bind (sorry for the pun). If I use Google's DNS I don't get a response from zen.spamhaus.org. If I use my ISP's DNS I will but my ISP also hijacks NXDOMAIN responses as I was reminded last night when postscreen blocked everything. I am now looking at setting up my own unbound server, but I wondered if there was a quicker solution. Can I use the filter option to ignore those hijacked responses? For example:

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3

I would just give it a go but after blocking everything I am a little cautious today. Yes, I could add soft bounces but...

Thanks for any help


Re: DNSBL, Spamhaus and postscreen filters

/dev/rob0
On Wed, Mar 01, 2017 at 10:00:28PM +0000, Robert Sharp wrote:
> I was prompted from reading a recent post to check whether my
> postscreen set up was picking up Spamhaus responses. Quick grep
> through my logs confirmed that it was not. Seems I am in a bit
> of Bind (sorry for the pun). If I use Google's DNS I don't get a
> response from zen.spamhaus.org.

Hi Robert,

Yes, this is a known issue.  Spamhaus blocks Google Public DNS and
many ISP resolvers as well.

> If I use my ISP's DNS I will but my ISP also hijacks NXDOMAIN
> responses as I was reminded last night when postscreen blocked
> everything. I am now looking at setting up my own unbound
> server, but I wondered if there was a quicker solution.

What's not quick?  It should probably do what you need with minimal
(if any) fuss.

I'm more familiar with BIND, and this will do it:

# mv /etc/named.conf /etc/named.conf.distrib
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
# named

Configure your OS (DHCP client if relevant) to leave resolv.conf
alone, and set it up to start the BIND service at boot.

I don't know the details of unbound, but I expect it is similarly
trivial to set up.  It really is the right solution, for a mail
server, to have its own resolver.

> Can I use the filter option to ignore those hijacked responses?
> For example:
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3

You need clean name service for a mail server, period.  And what
happens when your ISP resolver gets blocked by Spamhaus?

That said, your idea sort of works, until it doesn't. :)

> I would just give it a go but after blocking everything I am a
> little cautious today. Yes, I could add soft bounces but...
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: DNSBL, Spamhaus and postscreen filters

/dev/rob0
On Wed, Mar 01, 2017 at 05:49:35PM -0600, /dev/rob0 wrote in
   haste, and now at leisure, corrects:
> I'm more familiar with BIND, and this will do it:
>
> # mv /etc/named.conf /etc/named.conf.distrib
  # touch /etc/named.conf
> # echo "nameserver 127.0.0.1" > /etc/resolv.conf
> # named

A named.conf file is required, but being all empty means only the
default settings are used.  By default named will do recursion for
the same host and for physically-attached networks.

You could tighten that up somewhat by telling it only to listen on
the loopback interface,

# echo "options { listen-on { 127.0.0.1; }; };" > /etc/named.conf
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: DNSBL, Spamhaus and postscreen filters

Bill Cole-3
On 1 Mar 2017, at 17:00, Robert Sharp wrote:

> I was prompted from reading a recent post to check whether my
> postscreen set up was picking up Spamhaus responses. Quick grep
> through my logs confirmed that it was not. Seems I am in a bit of Bind
> (sorry for the pun). If I use Google's DNS I don't get a response from
> zen.spamhaus.org. If I use my ISP's DNS I will but my ISP also hijacks
> NXDOMAIN responses as I was reminded last night when postscreen
> blocked everything. I am now looking at setting up my own unbound
> server, but I wondered if there was a quicker solution.

Any mail server should use a recursive caching resolver on the same host
or on a low-latency directly attached network.

> Can I use the filter option to ignore those hijacked responses? For
> example:
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3

That should work and it is always best to specify the desired result(s)
for any DNSBL use.

You will still be at risk of Spamhaus blocking your ISP's DNS resolvers,
which they do for ISPs whose resolvers make too many queries. A local
unbound resolver is easy to set up and will give you better performance
while sparing you the risk of being blocked for other people's query
volume.

Re: DNSBL, Spamhaus and postscreen filters

Robert Sharp-2
On 03/03/17 20:22, Bill Cole wrote:

> On 1 Mar 2017, at 17:00, Robert Sharp wrote:
>
>> I was prompted from reading a recent post to check whether my
>> postscreen set up was picking up Spamhaus responses. Quick grep
>> through my logs confirmed that it was not. Seems I am in a bit of
>> Bind (sorry for the pun). If I use Google's DNS I don't get a response
>> from zen.spamhaus.org. If I use my ISP's DNS I will but my ISP also
>> hijacks NXDOMAIN responses as I was reminded last night when
>> postscreen blocked everything. I am now looking at setting up my own
>> unbound server, but I wondered if there was a quicker solution.
>
> Any mail server should use a recursive caching resolver on the same
> host or on a low-latency directly attached network.
>
>> Can I use the filter option to ignore those hijacked responses? For
>> example:
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3
>
> That should work and it is always best to specify the desired
> result(s) for any DNSBL use.
>
> You will still be at risk of Spamhaus blocking your ISP's DNS
> resolvers, which they do for ISPs whose resolvers make too many
> queries. A local unbound resolver is easy to set up and will give you
> better performance while sparing you the risk of being blocked for
> other people's query volume.
Sorry - I sent a reply but it seems I messed up and sent it to Kevin
Miller (sorry Kevin). Anyway, I take all of your points. This is on a
Gentoo box with SELinux that is running as my router, dns/dhcp and mail
relay. I am using Dnsmasq for the dns/dhcp. I realised (in the dead of
night) that I could avoid a lot of problems by keeping dnsmasq as it is,
setting up Unbound as a simple recursive resolver, that I have just
tested without upsetting anyone else, and then just switching from
Google's DNS to my local Unbound. That bit will have to wait while I
sort out the inevitable AVCs that result from doing anything new on
SELinux.

Thanks for the help.
Robert