SOLVED Query to URIBL was blocked - pDNS & Bind

bloatedstoat

Well-Known Member
Jun 14, 2012
Victoria, Australia
cPanel Access Level
Root Administrator
Hello,

I've been ploughing through posts that deal with the "Query to URIBL was blocked" error with blacklists.


I have this working on an older machine, but that machine runs Bind and the resolver is set to 127.0.0.1; the RBL checks work like a charm and bin so much potential spam.

The new server currently has pDNS on it. I know there are two versions of pDNS and, as it turns out, the one that came pre-installed on the new machine isn't a caching nameserver; I believe I would need to install the recursive version of pDNS to gain this functionality?

So here's the question.

In order to get the blacklists working do I install the recursor pdns as an addition or switch to Bind?

I only need to resolve on 127.0.0.1 for the blacklists and that's it.
Switching to Bind just for this seems a bit heavy handed.

Anyone else dealt with this?

Thanks.

SimpleTechGuy

Well-Known Member
Mar 22, 2021
United States
cPanel Access Level
Root Administrator
Hi, I spent several hours dealing with this as well, so I feel your pain. I heavily researched the pdns recursor option, but it was fairly complex and, since it's not officially a part of cPanel, it's not supported and would most likely have issues during updates. **Note: there is a feature request for this, so vote if you think it will help: https://features.cpanel.net/topic/pdns-recursor-for-powerdns.... The other issue is that I think BIND has problems with DNSSEC, which is something I didn't want to sacrifice. So I ended up solving the problem by setting up a different server with BIND, then forwarding all the SpamAssassin DNS requests to that server. Kinda wish I had written down all the steps, but it really wasn't too hard. The general idea looks like this:

1. Install a clean CentOS (or whatever Linux distro you want) and install BIND.
2. Configure BIND to allow your main server IP address.
3. Open port 53 on the new DNS server (you could allow only your main IP address here too).
4. Configure SpamAssassin to use that DNS (add dns_server "your new bind server ip" to /etc/mail/spamassassin/local.cf).

Sorry it's not more detailed, but this option does seem to be working fine. Hope it helps.
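A worked version of the four steps above, added here as an example and not SimpleTechGuy's own setup: a POSIX shell script that renders the named.conf options block for the dedicated BIND box (recursion and queries allowed only from the mail server, so the box is not an open resolver), the firewall commands for step 3, and the dns_server line for local.cf. The two IP addresses (TEST-NET-3 placeholders), the assumption that the resolver box runs firewalld, and the function names are all mine; the thread gives none of them.

```shell
#!/bin/sh
# Added example, not code from the thread: renders the three pieces of the
# "dedicated BIND resolver" approach. Both IPs are placeholders from the
# TEST-NET-3 range; replace them with your own.
MAIL_SERVER_IP="${MAIL_SERVER_IP:-203.0.113.10}"   # the cPanel/SpamAssassin box
RESOLVER_IP="${RESOLVER_IP:-203.0.113.53}"         # the new BIND box

# named.conf options for the resolver: recursion is allowed only for the mail
# server (and localhost), so the box cannot be abused as an open resolver, and
# nothing is forwarded to a public resolver, which is the whole point of it.
render_named_options() {
  mail_ip="$1"
  cat <<EOF
acl "mailservers" { ${mail_ip}/32; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on port 53 { any; };
    recursion yes;
    allow-query     { mailservers; };
    allow-recursion { mailservers; };
    allow-transfer  { none; };
    dnssec-validation auto;
};
EOF
}

# firewalld rich rules (assumption: the resolver box runs firewalld) that open
# port 53 only to the mail server, matching step 3 of the post.
render_firewall_rules() {
  mail_ip="$1"
  for proto in udp tcp; do
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s/32\" port port=\"53\" protocol=\"%s\" accept'\n" "$mail_ip" "$proto"
  done
  echo "firewall-cmd --reload"
}

# The single line SpamAssassin needs in /etc/mail/spamassassin/local.cf (step 4).
render_spamassassin_dns() {
  printf 'dns_server %s\n' "$1"
}

echo "# --- /etc/named.conf (resolver box) ---"
render_named_options "$MAIL_SERVER_IP"
echo "# --- firewall commands (resolver box) ---"
render_firewall_rules "$MAIL_SERVER_IP"
echo "# --- /etc/mail/spamassassin/local.cf (mail server) ---"
render_spamassassin_dns "$RESOLVER_IP"
```

Run it with MAIL_SERVER_IP and RESOLVER_IP set, review the output, and copy each piece into place on the right box. The ACL and firewall rule both matter: a recursive resolver reachable by anyone is a reflection and cache-poisoning target, and the RBLs will happily block it again once it starts answering other people's queries.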

bloatedstoat
Hey, first of all thanks for taking the time to reply despite not knowing the path you took to get to the solution, I get the drift of where you're coming from.

It's a pretty convoluted way of getting something that, in my firm opinion, should work right out of the box on mail servers, given the junk that hits mine every day; surely I'm not alone here. The blacklists are so effective, though, particularly Barracuda, that I feel exposed without them.

I'm loath to spin up another box just to get this working, but clearly I have two choices: do as you suggest, or move from pDNS on our main server to Bind.

Further contributions to this thread welcome.

Thanks again SimpleTechGuy, appreciate the help.

Cheers.

SimpleTechGuy
The short story from my end is that you have to be using public resolvers in order for the RBLs to work properly. Do you have those set in /etc/resolv.conf?
Hi @cPRex, I was under the impression that you were NOT supposed to be using public resolvers...


SimpleTechGuy
BTW, @bloatedstoat, I forgot to mention that according to this support article, your ISP's DNS servers should work as well if your host allows it. My host told me they do not provide DNS to their clients for security reasons, so that didn't work for me, but you may try asking your host if they have a DNS server you could use. I thought about experimenting with some other smaller DNS servers nearby if you knew of any. Obviously bigger servers like Cloudflare and Google won't work, but here is a list of some other not-so-popular servers that might help. Just remember that bad DNS servers can cause some serious problems for you, so only use them if you trust them.
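Whichever resolver you end up with, it helps to be able to tell a shared public resolver from a private one and to read what URIBL is actually answering. The following diagnostic is an added example (mine, not from the thread): it flags nameserver entries in resolv.conf-style input that point at well-known shared public resolvers, and decodes the 127.0.0.x answer that multi.uribl.com returns, where bit 1 means the query was refused (the condition behind "Query to URIBL was blocked"), 2 means black, 4 grey and 8 red. The resolver list and the sample resolv.conf lines are constructed; the live check needs dig and network access and is not part of the offline run.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check whether the resolver(s) this
# mail server uses are shared public resolvers, and decode the answer that
# multi.uribl.com gives for a lookup. Sample inputs below are constructed.

# Well-known shared resolvers (Google, Cloudflare, Quad9, OpenDNS). URIBL
# refuses queries arriving from these, which is what the error reports.
PUBLIC_RESOLVERS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220"

is_public_resolver() {
  for r in $PUBLIC_RESOLVERS; do
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# Reads resolv.conf-style text on stdin, prints "<ip> public|private" per nameserver line.
scan_resolv_conf() {
  while read -r key value _; do
    [ "$key" = "nameserver" ] || continue
    if is_public_resolver "$value"; then
      echo "$value public"
    else
      echo "$value private"
    fi
  done
}

# Decode a multi.uribl.com A-record answer (empty string = no record / NXDOMAIN).
# Bit 1 = query refused (blocked), 2 = black, 4 = grey, 8 = red.
classify_uribl_answer() {
  answer="$1"
  if [ -z "$answer" ]; then
    echo "not-listed"
    return 0
  fi
  case "$answer" in
    127.0.0.*) ;;
    *) echo "unexpected:$answer"; return 0 ;;
  esac
  n="${answer##*.}"
  if [ $((n & 1)) -ne 0 ]; then
    echo "blocked"
    return 0
  fi
  lists=""
  [ $((n & 2)) -ne 0 ] && lists="${lists}black,"
  [ $((n & 4)) -ne 0 ] && lists="${lists}grey,"
  [ $((n & 8)) -ne 0 ] && lists="${lists}red,"
  echo "listed:${lists%,}"
}

# Live check against a chosen resolver (needs dig and network; not run offline).
# test.uribl.com is URIBL's documented always-listed test hostname.
live_uribl_check() {
  resolver="$1"
  answer=$(dig +short "@$resolver" test.uribl.com.multi.uribl.com A | head -n 1)
  classify_uribl_answer "$answer"
}

# Constructed sample: a resolv.conf pointing at a public resolver plus localhost.
SAMPLE_RESOLV_CONF='nameserver 8.8.8.8
nameserver 127.0.0.1'
printf '%s\n' "$SAMPLE_RESOLV_CONF" | scan_resolv_conf
classify_uribl_answer 127.0.0.1
```

On a real box, feed it the actual file (scan_resolv_conf < /etc/resolv.conf) and then run live_uribl_check against each nameserver it lists: "blocked" from a resolver means that resolver is the one to replace, while "listed:black,grey,red" for the test hostname means the path is working.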