[rbldnsd] rbldnsd - problem with aggregating zones
Frantisek Honcik
rbldnsd at o2active.cz
Tue Aug 21 16:19:50 MSD 2007
Hi,
I am trying to run rbldnsd with SpamAssassin, but I found a serious issue I'd like to discuss.
The problem is that I need to aggregate several zones into one, which will be queried by SA.
For instance, here is the part of the SA config describing how it queries SORBS.NET:
"
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net
header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net
#reuse RCVD_IN_SORBS_HTTP
header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net
#reuse RCVD_IN_SORBS_SOCKS
header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net
#reuse RCVD_IN_SORBS_MISC
header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net
#reuse RCVD_IN_SORBS_SMTP
# delist: $50 fee
#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM net
#reuse RCVD_IN_SORBS_SPAM
header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB net
#reuse RCVD_IN_SORBS_WEB
header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net
#reuse RCVD_IN_SORBS_BLOCK
header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net
#reuse RCVD_IN_SORBS_ZOMBIE
header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL net
#reuse RCVD_IN_SORBS_DUL "
As you can see, only the zone "dnsbl.sorbs.net" is being queried, so getting the right answers requires aggregating the zones.
I did this by using this RBLDNSD config, trying to aggregate 3 zones into one:
RBLDNSD="dnsbl -u rbldnsd -r/var/lib/rbldnsd -t21600 -c60 \
-l log/querylog -b 192.168.30.98 \
dnsbl.sorbs.net:ip4set:spam.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net \
"
This works fine, see:
dig @192.168.30.98 112.153.110.203.dnsbl.sorbs.net -t any
; <<>> DiG 9.3.2 <<>> @192.168.30.98 112.153.110.203.dnsbl.sorbs.net -t any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57193
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 0
;; QUESTION SECTION:
;112.153.110.203.dnsbl.sorbs.net. IN ANY
;; ANSWER SECTION:
112.153.110.203.dnsbl.sorbs.net. 3600 IN A 127.0.0.6
112.153.110.203.dnsbl.sorbs.net. 3600 IN TXT "Spam Received See: http://www.sorbs.net/lookup.shtml?203.110.153.112"
112.153.110.203.dnsbl.sorbs.net. 3600 IN A 127.0.0.2
112.153.110.203.dnsbl.sorbs.net. 3600 IN TXT "Open Relays (any protocol) See: http://www.sorbs.net/lookup.shtml?203.110.153.112"
;; AUTHORITY SECTION:
dnsbl.sorbs.net. 86400 IN NS rbldns0.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns1.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns2.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns3.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns4.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns5.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns7.sorbs.net.
dnsbl.sorbs.net. 86400 IN NS rbldns9.sorbs.net.
;; Query time: 2 msec
;; SERVER: 192.168.30.98#53(192.168.30.98)
;; WHEN: Mon Aug 20 14:54:15 2007
;; MSG SIZE rcvd: 432
I need to aggregate more zones into one, as you can see in the pasted SA config, but it does not work.
See config:
RBLDNSD="dnsbl -u rbldnsd -r/var/lib/rbldnsd -t21600 -c60 \
-l log/querylog -b 192.168.30.98 \
dnsbl.sorbs.net:ip4set:spam.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:http.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:socks.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:misc.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:web.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:block.dnsbl.sorbs.net \
dnsbl.sorbs.net:ip4set:zombie.dnsbl.sorbs.net \
"
And attempt to start RBLDNSD:
/etc/init.d/rbldnsd start
Starting rbldnsd: dnsbl
rbldnsd: listening on 192.168.30.98/53
rbldnsd: ip4set:spam.dnsbl.sorbs.net: 20070820 005742: e32/24/16/8=490287/7774/67/0
rbldnsd: ip4set:dul.dnsbl.sorbs.net: 20070820 005722: e32/24/16/8=3307685/539195/2313/0
rbldnsd: ip4set:relays.dnsbl.sorbs.net: 20070820 005740: e32/24/16/8=292460/0/0/0
rbldnsd: zones reloaded, time 4.77e/4.53u sec, mem arena=368 free=130 mmap=36244 Kb
rbldnsd: rbldnsd version 0.995 (28 Apr 2005) started (1 socket(s), 1 zone(s))
Starting rbldnsd: dnsbl.sorbs.net:ip4set:http.dnsbl.sorbs.net
rbldnsd: no zone(s) to service specified (-h for help)
Nothing useful in /var/log/messages...
So this looks like RBLDNSD is able to aggregate only 3 zones and the rest is ignored. There must be an error somewhere,
but I don't see it anywhere. Any help would be nice. Thank you for your patience and your time.
Regards:
Frantisek Honcik
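
Added example (not part of the original post or of the rbldnsd package): a pre-flight check for an RBLDNSD value like the ones above. It assumes the init script starts one instance per non-empty line of the value, with the first word as the instance name, as the two "Starting rbldnsd:" lines suggest; `lint_rbldnsd` and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post or the rbldnsd package.
# Assumption: the init script starts one rbldnsd instance per non-empty line
# of $RBLDNSD and takes the first word of the line as the instance name.

# lint_rbldnsd VALUE: print one finding per line, nothing if the value is clean.
# The body is a subshell so that "set -f" (no globbing) does not leak out.
lint_rbldnsd() (
    set -f
    printf '%s\n' "$1" | while read -r name args; do
        case "$name" in
            ''|'#'*) continue ;;    # blank line or comment
            *:*:*) echo "instance name '$name' looks like a zone spec" ;;
        esac
        seen=' ' zones=0
        for word in $args; do
            case "$word" in
                -*) continue ;;     # option flag such as -u or -r/path
                *:*:*) ;;           # zone:type:file spec, checked below
                *) continue ;;      # option argument (user, log file, address)
            esac
            zones=$((zones + 1))
            case "$seen" in
                *" $word "*) echo "instance '$name': duplicate spec $word" ;;
                *) seen="$seen$word " ;;
            esac
        done
        [ "$zones" -gt 0 ] || echo "instance '$name': no zone specs"
    done
)

# Constructed sample: the value from the post, shortened, with the line
# continuation lost after the second zone spec.
SAMPLE='dnsbl -u rbldnsd -r/var/lib/rbldnsd -b 192.168.30.98 dnsbl.sorbs.net:ip4set:spam.dnsbl.sorbs.net dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net
dnsbl.sorbs.net:ip4set:http.dnsbl.sorbs.net dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net dnsbl.sorbs.net:ip4set:relays.dnsbl.sorbs.net'

lint_rbldnsd "$SAMPLE"
```

Any non-option word containing two colons is treated as a `zone:type:file` spec, so an option argument of that shape would be counted as a zone.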