SOLVED Query to URIBL was blocked - pDNS & Bind

[bloatedstoat]

Hello,

I've been ploughing through posts that deal with the "Query to URIBL was blocked" error with blacklists.

SOLVED - Query to URIBL was blocked - How do I set up a caching nameserver?

Hi, Please speak slowly as I am a simple bear and easily confused. Queries to RBL's are sometimes being blocked as my IP is being lumped in with others and we go over the daily limit and no further emails are blocked/filtered on RBL rules. This is causing a spike in incoming spam emails. I've...

forums.cpanel.net

DNS implications to modifying resolv.conf

My daughter gets about 5 spammy emails per day, all loosely based on the same subject. They are obviously coming from the same source, as the opt out info contains the same address. However, i'm pretty sure that the opt out is probably a lie, as each email comes from a different domain. I...

forums.cpanel.net

I have this working on an older machine, but that machine runs Bind and the resolver is set to 127.0.0.1, the RBL checks work like a charm and bin so much potential spam.

The new server currently has pDNS on it, I know there are two versions of pDNS and as it turns out the one that came pre-installed on the new machine isn't a caching nameserver, I believe I would need to install the recursive version of PDNS to gain this functionality?

So here's the question.

In order to get the blacklists working do I install the recursor pdns as an addition or switch to Bind?

I only need to resolve on 127.0.0.1 for the blacklists and that's it.
Switching to Bind just for this seems a bit heavy handed.

Anyone else dealt with this?

Thanks.

 

[SimpleTechGuy]

Hi, I spent several hours dealing with this as well, so I feel your pain. I heavily researched the pdns recursor option, but it was fairly complex and since it's not officially a part of cpanel, then it's not supported and would most likely have issues during updates. **note, there is a feature request for this, so vote if you think it will help: https://features.cpanel.net/topic/pdns-recursor-for-powerdns.... The other issue is that I think bind has problems with dnssec, which is something I didn't want to sacrifice. So, I ended up solving the problem by setting up a different server with bind, then forwarding all the spamassassin dns requests to that server. Kinda wish I would have written down all the steps, but it really wasn't too hard. General idea looks like this:

1.install clean centos or whatever linux distro you want and install bind
2.configure bind to allow your main server ip address
3.open port 53 on new dns server (you could allow only from your main ip address here too)
4.configure spamassin to use that dns (add dns_server "your new bind server ip" to /etc/mail/spamassassin/local.cf)

Sorry it's not more detailed, but this option does seem to be working fine. Hope it helps.

 

[bloatedstoat]

Hey, first of all thanks for taking the time to reply despite not knowing the path you took to get to the solution, I get the drift of where you're coming from.

It's a pretty convoluted way of getting something that, in my firm opinion, should work right out of the box on mail servers given the junk that hits mine every day, surely I'm not alone here. The blacklists are so effective though, particularly Barracuda, that I feel exposed without them.

I'm loathe to spin up another box just to get this working but clearly I have two choices, do as you suggest or move from pDNS on our main server to Bind.

Further contributions to this thread welcome.

Thanks again SimpleTechGuy, appreciate the help.

Cheers.

 

[cPRex]

The short story from my end is that you have to be using non-public resolvers in order for the RBLs to work properly. Do you have those set in /etc/resolv.conf?

 

[SimpleTechGuy]

The short story from my end is that you have to be using public resolvers in order for the RBLs to work properly. Do you have those set in /etc/resolv.conf?

Hi @cPRex, I was under the impression that you were NOT supposed to be using public resolvers...

https://support.cpanel.net/hc/en-us/articles/7901501408023-RBL-Failure-error-open-resolver-https-www-spamhaus-org-returnc-pub-x-x-x-x

https://support.cpanel.net/hc/en-us/articles/360053079473-SpamAssassin-headers-show-URIBL-Blocked-error-when-Exim-uses-RBLs

 

[SimpleTechGuy]

BTW, @bloatedstoat, I forgot to mention that according to this support article, your ISP dns servers should work as well if your host allow it. My host told me they do not provide dns to their clients for security reasons so that didn't work for me, but you may try asking your host if they have a dns server you could use. I thought about experimenting with some other smaller DNS servers nearby if you knew of any. Obviously bigger servers like cloudfare and google won't work, but Here is a list of some other not so popular servers that might help. Just remember that bad dns servers can cause some serious problems for you, so only use them if you trust them.

DNS Servers in United States of America - Public DNS

See all United States of America Public DNS Servers List. Explore and find which DNS server you want to use in your Windows or MAC DNS settings.

dnschecker.org

 

[ResellerWiz]

Try editing:

/etc/mail/spamassassin/local.cf

At the end of the file add:

dns_server 127.0.0.1

Then restart Exim:

service exim restart

 

[cPRex]

@SimpleTechGuy - you're correct, I just missed a word. You do NOT want public resolvers in that file if you want the RBL lookups to work. I'll edit my previous post.

 

[bloatedstoat]

Thanks for the help, I've used our data centre DNS in resolv.conf and this appears to have done the trick. Nice simple fix.

Cheers.

 

[cPRex]

I'm glad that's all it was!