add option and/or fallback code for "127.255.255.254 Any Query via public/open resolver" (found on zen.spamhaus.org) #46

Open
pbiering opened this issue Sep 9, 2022 · 10 comments
@pbiering (Contributor) commented Sep 9, 2022

Hi,

I'm surely not the only one who got hit by the zen.spamhaus.org limitation related to queries through open resolvers...

Thank you for adding -n option already to upstream (version 1.7.0)!

A further improvement would be having the capability to query the authoritative NS directly by option (e.g. "always use authoritative NS"), or at least as a fallback if 127.255.255.254 was returned (it may be that other services will turn on such a "friendly" feature in the future).

This would require some code extension running an NS query on each -s <server> domain and using the returned NS records for further lookups per -s <server>... not that easy to implement, imho...

For now I have carved out the zen.spamhaus.org check into a dedicated check.

A related problem is how to tell postfix (postscreen_dnsbl_sites feature) and/or the local resolver not to use public resolvers for a specific domain... for now the use of zen.spamhaus.org turns useless in case the system uses public resolvers instead of a locally installed caching DNS server.

Best Regards!

matteocorti self-assigned this Sep 9, 2022

@matteocorti (Owner) commented
Dear Peter,

Just to be sure. In the case of -s zen.spamhouse.org I would look for the authoritative name server for spamhouse.org:

$ host -t soa spamhouse.org
spamhouse.org has SOA record ns1.bodis.com. dnsadmin.bodis.com. 2017062202 10800 3600 1209600 3600

and then use ns1.bodis.com for the queries related to *.spamhouse.org?

Seems a good way to always avoid the problem.

matteocorti added a commit that referenced this issue Sep 10, 2022
@pbiering (Contributor, Author) commented

The NS server in the SOA record is not reliable and is only 1 entry; better to retrieve the NS records:

host -t ns zen.spamhaus.org
zen.spamhaus.org name server a.gns.spamhaus.org.
zen.spamhaus.org name server b.gns.spamhaus.org.
zen.spamhaus.org name server c.gns.spamhaus.org.
zen.spamhaus.org name server d.gns.spamhaus.org.
zen.spamhaus.org name server e.gns.spamhaus.org.

and run the query through the list. Best on all NS entries, because one could be out of sync or unreachable.

(note: the correct domain is spamhaus.org, not spamhouse.org; for a reason unknown to me, the German word was used here in the far past)

@blacktek commented

Hello,
have you found a way to check zen.spamhaus.org? It's widely used, like check_rbl :)

@pbiering (Contributor, Author) commented

I'm currently using this here:

monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n a.gns.spamhaus.org

@blacktek commented Apr 30, 2023 via email

@audiocoach commented

I'm currently using this here:

monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n a.gns.spamhaus.org

Unfortunately this is not working for me. I also tried b.gns.spamhaus.org, c.gns.spamhaus.org, etc. Using my ISP's DNS server or setting up conditional forwarding in Windows DNS on my domain controllers doesn't work either. I always get the return code 127.255.255.254 from zen.spamhaus.org. Any ideas?

@matteocorti (Owner) commented

In this case the -A option should be used, but it's not implemented yet...

@pbiering (Contributor, Author) commented

@audiocoach: with option -n it should work; can you show the debug output?

Example from here:

monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n b.gns.spamhaus.org -d
[DBG] validate(5.189.185.206, 5.189.185.206)
[DBG] Using DNS Resolver: 195.123.211.8 95.217.25.77
[DBG] reading...<MY-SERVER-IP-REVERSE>.zen.spamhaus.org
[DBG] name = <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, outstanding = 1
[DBG] reading...EOF.
[DBG] waiting for replies
[DBG] replies received: 1
[DBG] handling a reply
[DBG] callback( <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, <undefined> )
[DBG] callback( <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, <undefined> )
[DBG] outstanding = 0, eof = 1
CHECK_RBL OK - <MY-SERVER-IP> (<MY-HOSTNAME>) BLACKLISTED on 0 servers of 1 | servers=0;0;0 time=0s;;

and please also retrieve the output using dig directly:

dig A <MY-SERVER-IP-REVERSE>.zen.spamhaus.org @b.gns.spamhaus.org | grep -v "^;" | grep -v "^$"
zen.spamhaus.org.	10	IN	SOA	need.to.know.only. hostmaster.spamhaus.org. 2311152017 3600 600 432000 10

if you also receive valid A records, then your server IP itself is blacklisted...
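The procedure pbiering describes in the thread (look up the NS records for the DNSBL zone, send the reversed-address query to every authoritative server rather than through the system resolver, and read 127.255.255.254 as a refused query instead of a listing, which is also what the dig check above distinguishes from "valid A records") as an added Python example. This is not check_rbl's code and was not posted in the issue. The network path assumes dnspython (`dns.resolver`) is installed; the IP 192.0.2.1 and the answer lists used for illustration are constructed documentation values, and treating the whole 127.255.255.0/24 range as status codes rather than listings is an assumption, since only .254 is documented on this page.

```python
#!/usr/bin/env python3
"""Query a DNSBL zone on its own authoritative name servers (added example,
not part of check_rbl or the issue). The helpers that build the query name
and classify answers need no network; the lookup path assumes dnspython."""
import ipaddress
import sys

# Return code documented in the issue: the query reached the DNSBL through a
# public/open resolver and was refused, so it says nothing about the IP.
OPEN_RESOLVER_CODE = ipaddress.ip_address("127.255.255.254")
# Assumption: all of 127.255.255.0/24 is status/error codes, not listings.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")
# DNSBL listings are returned as addresses inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-address query name, e.g. 1.2.0.192.zen.spamhaus.org.
    IPv6 addresses become reversed nibbles, the same layout as ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is "1.2.0.192.in-addr.arpa" (or "....ip6.arpa"); keep
    # the reversed part and append the DNSBL zone instead of the arpa suffix.
    reversed_part = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone.rstrip('.')}"


def classify_answers(answers):
    """Map the A records returned for a DNSBL query to (verdict, codes).
    No answer / NXDOMAIN -> not_listed; any 127.255.255.x -> error (the
    check could not be performed); other 127.0.0.0/8 codes -> listed."""
    codes = [ipaddress.ip_address(a) for a in answers]
    text = [str(c) for c in codes]
    if not codes:
        return "not_listed", []
    if any(c in ERROR_RANGE for c in codes):
        return "error", text
    if all(c in LISTED_RANGE for c in codes):
        return "listed", text
    return "unexpected", text


def overall_verdict(verdicts):
    """Combine per-NS results: a listing reported by any server wins, a clean
    answer from any server is next, otherwise the check is inconclusive."""
    states = {state for state, _ in verdicts.values()}
    if "listed" in states:
        return "listed"
    if "not_listed" in states:
        return "not_listed"
    return "unknown"


def check_via_authoritative(ip: str, zone: str, timeout: float = 5.0):
    """Resolve the zone's NS records with the system resolver, then send the
    DNSBL query directly to every authoritative server (one verdict per NS),
    since one server can be out of sync or unreachable. Needs dnspython."""
    import dns.exception  # assumption: dnspython is installed
    import dns.resolver

    qname = dnsbl_query_name(ip, zone)
    ns_hosts = [rr.target.to_text() for rr in dns.resolver.resolve(zone, "NS")]
    verdicts = {}
    for host in ns_hosts:
        try:
            ns_ips = [rr.address for rr in dns.resolver.resolve(host, "A")]
        except dns.exception.DNSException as exc:
            verdicts[host] = ("unreachable", [str(exc)])
            continue
        direct = dns.resolver.Resolver(configure=False)  # bypass /etc/resolv.conf
        direct.nameservers = ns_ips
        direct.lifetime = timeout
        try:
            answers = [rr.address for rr in direct.resolve(qname, "A")]
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            answers = []  # not listed on this server
        except dns.exception.DNSException as exc:
            verdicts[host] = ("unreachable", [str(exc)])
            continue
        verdicts[host] = classify_answers(answers)
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ip> <dnsbl-zone>")
    result = check_via_authoritative(sys.argv[1], sys.argv[2])
    for host, (state, codes) in sorted(result.items()):
        print(f"{host:<24} {state:<12} {' '.join(codes)}")
    print("overall:", overall_verdict(result))
```

Run as `python3 dnsbl_auth.py 192.0.2.1 zen.spamhaus.org`; a server that answers 127.255.255.254 is reported as "error" rather than as a listing, which is the distinction check_rbl lacks when the query goes through a public resolver.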

@thomas-maeder commented

In this case the -A option should be used, but it's not implemented yet...

Can you give an estimate when it will be implemented?

@matteocorti (Owner) commented

No, I cannot. It's an open-source project and anybody can contribute. At the moment I don't have the time...
