search

opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License
3.37k stars 757 forks source link

Unbound responds to queries concerning DNSBL lists with servers rather than IPs? #4416

Closed kongomongo closed 3 years ago

kongomongo commented 4 years ago

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

[x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

Versions | OPNsense 20.1.9_1-amd64 FreeBSD 11.2-RELEASE-p20-HBSD OpenSSL 1.1.1g 21 Apr 2020

[x] I have searched the existing issues and I'm convinced that mine is new.

Describe the bug On my mailserver I found the following log entries and tried to find out what caused them:

DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.bl.spamcop.net in blacklist SpamCop
DNS failure while trying to find address 168.78.123.119.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block List
DNS failure while trying to find address 168.78.123.119.db.wpbl.info in blacklist WPBL - Weighted Private Block List

My opnsense is 192.168.200.1 and I queried it using drill, the following reply I got:

drill @192.168.200.1 168.78.123.119.db.wpbl.info
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9656
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; 168.78.123.119.db.wpbl.info. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
db.wpbl.info.   86145   IN      NS      ns2.wpbl.info.
db.wpbl.info.   86145   IN      NS      ns1.wpbl.info.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 192.168.200.1
;; WHEN: Thu Oct  1 10:55:30 2020
;; MSG SIZE  rcvd: 81

Since I am not fluent in DNS I can only assume opnsense / Unbound replies with a list of dns server responsible for a reply rather than giving the reply itself. Querying any other server I get the expected reply: not found or 127.0.0.2 (when blacklisted).

If I use drill on the opnsense shell not using the @server syntax I also get the correct reply. I am assuming drill then uses /etc/resolv.conf directly instead of the local Unbound?

This is my setup in opnsense:

https://i.imgur.com/Sa9WFPs.png https://i.imgur.com/Jp32yc4.png

also this:

# cat /etc/resolv.conf
domain xxx.local
nameserver 185.xx.yy.zz
nameserver 185.xx.yy.ww
nameserver 8.8.8.8
nameserver 192.168.200.101

If theres anything more I should provide please advise. Maybe I am just doing it wrong(TM)?

Thanks in advance.

kongomongo commented 4 years ago

Some fresh hosts/IPs from logs to verify:

[15/Oct/2020 18:19:31] DNS failure while trying to find address 36.125.142.162.cbl.abuseat.org in blacklist CBL-composite blocking list
[15/Oct/2020 18:19:43] DNS failure while trying to find address 36.125.142.162.cbl.abuseat.org in blacklist CBL-composite blocking list
[15/Oct/2020 18:19:43] DNS failure while trying to find address 36.125.142.162.cbl.abuseat.org in blacklist CBL-composite blocking list
[15/Oct/2020 18:19:43] DNS failure while trying to find address 36.125.142.162.cbl.abuseat.org in blacklist CBL-composite blocking list
[15/Oct/2020 18:20:48] DNS failure while trying to find address 83.240.162.52.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
Bramzor commented 3 years ago

DNS failures are normal in this case. This means that this email server is NOT blacklisted. Check https://www.spamcop.net/fom-serve/cache/351.html

Blacklisted means 127.0.0.2, NXDOMAIN result (so no records) mean that the server is not blacklisted and therefore, ok. to accept mail from.

kongomongo commented 3 years ago

Hello Bramzor,

thanks for your reply. The NXDOMAIN replies are actually not the problem, but the answers that are neither a hit, nor an NXDOMAIN.

it is a reply with what seems like list of name servers. This confuses my downstream windows dns server which after getting that as a reply answers with "SERVFAIL". So something must be amiss here?

OPNsense-bot commented 3 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.