Open KeiroD opened 6 years ago
I don't have the exact string anymore, it seems to have been purged at some point from my server. But it was something similar to this:
January 23rd, 2012: Blocked due to excessive queries?
If you are receiving a bounce message saying your email was blocked due to excessive queries, you should contact your email provider, as they have not correctly implemented URIBL lookups. In the event a high volume nameserver is blocked, a 127.0.0.1 response may be received to indicate the nameserver is sending high volume queries. Service providers who have implemented URIBL lookups outside of SpamAssassin should read http://www.uribl.com/about.shtml#implementation and correctly implement URIBL lookups. Those affected should also read http://www.uribl.com/about.shtml#abuse for more information. The limits in effect are by nameservers, not individual mailservers, as the DNS requests will be coming from your resolvers.
So if we could correct that, that'd be good.
By NSD, I'm assuming you mean DNS. Please also clarify what you mean by "root zones".
An RBL lookup going via 3rd-party resolver is more likely to be blocked due to excessive queries - but a "root zone" and an external resolver are not the same thing. Typically you have to be handling a lot of mail to trigger these alerts. The last time I recall errors/warnings along these lines was when I had a misconfiguration on an anti-spam MX cluster handling millions of mails each day.
No, that is not what I meant. Yes, it's a DNS daemon. But NSD is what actually serves DNS on mailinabox. See below:
root@mail:~# apt search nsd | grep installed
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
nsd/bionic,now 4.1.17-1build1 amd64 [installed]
I am aware of the differences. I don't send out a lot of mail but I do receive a lot of mail. And that's why I'm getting the URIBL alert. As for misconfiguration... I'm fairly sure it's not me that misconfigured it.
And it's a pain in the ass to modify the configs because mailinabox intentionally makes it difficult to modify your configurations. At least, so far as I can tell.
Thanks, that does clarify a lot. I'm still not sure what you mean by "use root zones", though. :-/
I'm not saying you've made a misconfiguration - just that the cluster I was working on at the time was querying the RBLs in the "standard" way, rather than the way the various commercial agreements with the RBLs required us to.
Fundamentally there is some confusion going on here. NSD serves your domains to others, bind does DNS lookups for your MIAB. Bind already has root zones in its config.
bind includes root zones through this chain of includes: /etc/bind/named.conf -> /etc/bind/named.conf.default-zones -> /etc/bind/db.root
@KeiroD, unless something was changed, your box should be using 127.0.0.1:53 (bind) to do DNS lookups for the web, not nsd.
A good test to make sure your MIAB is doing lookups and not forwarding through another DNS server (i.e. sending requests through 4.2.2.2, 8.8.8.8, 1.1.1.1, etc.):
This should report your MIAB IP; if it does not, you are forwarding through another DNS server.
dig whoami.akamai.net +short
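The check in the comment above, extended into an offline triage of the whole resolver path (local BIND on 127.0.0.1, no active `forwarders`, egress IP equal to the box's own). This is an added example, not part of the thread or of Mail-in-a-Box; the function names, the temp files and the 203.0.113.10 address are constructed, and the fourth argument is assumed to be the value you got from the whoami lookup.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All sample data below is constructed.

# First "nameserver" entry of a resolv.conf-style file.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# Active forwarder addresses in a BIND options file, one per line. Comments
# (//, #, /* */) are stripped first: Ubuntu ships a commented-out forwarders
# block, so a plain "grep forwarders" would report a false positive.
bind_forwarders() {
  sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' |
    sed -e 's:/\*[^*]*\*/::g' |
    { grep -oE 'forwarders[^{]*\{[^}]*\}' || true; } |
    sed -e 's:^[^{]*{::' -e 's:}$::' | tr ';' '\n' | awk 'NF { print $1 }'
}

# Args: resolv.conf, BIND options file, address returned by the whoami
# lookup, the box's public IP. Prints one verdict line.
resolver_verdict() (
  ns=$(first_nameserver "$1")
  fwd=$(bind_forwarders "$2" | paste -sd, -)
  if [ "$ns" != "127.0.0.1" ]; then echo "external-resolver:$ns"
  elif [ -n "$fwd" ]; then echo "forwarding:$fwd"
  elif [ "$3" != "$4" ]; then echo "egress-mismatch:$3"
  else echo "direct"; fi
)

tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.conf"
cat > "$tmp/default.options" <<'EOF'
options {
    directory "/var/cache/bind";
    // forwarders {
    //     0.0.0.0;
    // };
    dnssec-validation auto;
};
EOF
cat > "$tmp/forwarding.options" <<'EOF'
options {
    forwarders { 8.8.8.8; 1.1.1.1; };  /* constructed */
};
EOF

resolver_verdict "$tmp/resolv.conf" "$tmp/default.options" 203.0.113.10 203.0.113.10
resolver_verdict "$tmp/resolv.conf" "$tmp/forwarding.options" 8.8.8.8 203.0.113.10
```

On a live box the first two arguments would be /etc/resolv.conf and the BIND options file pulled in from /etc/bind/named.conf.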
@jvolkenant yep, reports my MIAB instance IP.
Hi,
If you're querying for blacklists often, you'll eventually be blocked by URI for querying them directly too often. It's also suggested to use root zones to spread your query load.
I don't have the exact string in the e-mails offhand but will update this as soon as I am home from work.