How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"

Posted: Fri Dec 08, 2017 8:04 pm
by hwname
Greetings,

I have been running a Vesta CP install for many years and I'm very happy with it, thank you for this great software. My issue is actually with my server's host – since I use OVH, Spamassassin usually returns the result "ADMINISTRATOR NOTICE: The query to URIBL was blocked" because Vesta's DNS has to use OVH's DNS server (or another high-volume DNS server such as Google's) and these overload the URIBL servers and get blocked after a certain amount of queries:

https://wiki.apache.org/spamassassin/Dn ... nsbl-block

As a result of this I have a terrible amount of spam because Spamassassin can never query the blacklist servers and the email addresses used have been around for a while. At the link above, Spamassassin recommends using a caching DNS server to get around this problem of having queries refused. I have tried a couple of times to install dnsmasq, but both installs have ended up with my server ending up with no DNS at all, so I thought I should come here and just ask for help with it.

The last steps I followed to attempt to install DNSMasq today are these:

https://www.techrepublic.com/article/ho ... nd-server/

The very brief version of these instructions for CentOS:

sudo yum install dnsmasq
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq

In /etc/dnsmasq.conf:

listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
bogus-priv
no-hosts
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

In /etc/resolv.dnsmasq:

nameserver (the IP address of the real external DNS server)

In /etc/resolv.conf:

nameserver 127.0.0.1

After this I was able to run

dnsmasq --test

successfully, but when I eventually ran

service dnsmasq restart

I always received the result

dnsmasq: failed to create listening socket for port 53: Address already in use [fail]

When I ran

netstat -anlp | grep -w LISTEN

it was named that already had a binding to 127.0.0.1:53. I have the feeling I may be running up against something important about Vesta's DNS service and/or the way it combines with OVH or CentOS 6.9, so I'm not sure how to proceed. I have reverted to Vesta's default behavior (everything works normally again and I have a clean slate to try new fixes, but my spam issue remains unaddressed) and I'd be very appreciative of some guidance on how to set up a caching DNS service so I can resume making successful connections to Spamassassin blacklist servers. I am using CentOS 6.9.

Based on the following posts which all report being blocked from using the Spamassassin blacklists due to the use of a host DNS or Google's DNS, and which are all unsolved:

viewtopic.php?f=12&t=14674
viewtopic.php?f=12&t=10713
viewtopic.php?f=12&t=15109

I think that this is not an uncommon administrative issue for a Vesta install with Spamassassin, CentOS 6.x, and large server host (or a desire to use Google's DNS, which should be possible as a choice if the host DNS doesn't perform well or has other issues). Being able to run a local caching DNS server is also useful for other applications. Thank you for your help!

Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"

Posted: Sat Dec 09, 2017 12:23 pm
by hwname
On closer reading, I see that Spamassassin doesn't recommend dnsmasq but they do recommend BIND, which I believe is actually already installed and working in Vesta on port 53. How do I configure BIND to work as a non-forwarding caching nameserver that will allow me to query Spamassassin blacklists without getting blocked due to the query coming from OVH's DNS server, but still perform DNS services as it has been?

My /etc/resolv.conf looks like this, where 111.111.111.111 is actually the OVH DNS server (I think this is set by OVH when the servers are first provisioned, but commenting out that line or the two lines referring to OVH and just leaving the reference to localhost results in no DNS at all, i.e. outgoing email stops working and domains can no longer be pinged by the server):

nameserver 127.0.0.1
nameserver 111.111.111.111
search ovh.net

Thanks for your assistance!

Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"

Posted: Sat Dec 16, 2017 10:51 am
by hwname
Here is how I ended up solving this myself, with luck without any dangerous side-effects (please let me know if you see any).

Step 1 is to make sure that /etc/resolv.conf only points to 127.0.0.1 and not the external DNS server.
Step 2 is to set /etc/named.conf with the following items inside of the options block so that localhost is the DNS server (leaving whatever is outside your options block in place):

options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	pid-file "/var/run/named/named.pid";
	statistics-file "/var/named/data/named_stats.txt";
	version "get lost";
	allow-transfer {"none";};
	recursion yes;
	allow-query { localhost; };
	dnssec-enable yes;
	dnssec-validation yes;
	auth-nxdomain no;
	listen-on-v6 { any; };
};

Step 3 is to fix a different issue with Vesta's Spamassassin install, which is that it runs as nobody, which causes an inability to write out any bayes info:

mkdir /etc/mail/spamassassin/bayes

/etc/mail/spamassassin/local.cf:

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
#dns_available yes
bayes_path /etc/mail/spamassassin/bayes/bayes

It is not a typo that the bayes path has 'bayes/bayes' at the end while the mkdir line has only one level of 'bayes'. The last step is to recursively set /etc/mail/spamassassin/bayes to a permission level on your server that will allow it to be written to by the Spamassassin instance. You can see failure or success of this in /var/log/maillog, but ignore these errors because they are unfixable due to Spamassassin running as nobody:

spamd: creating default_prefs: //.spamassassin/user_prefs
config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
spamd: failed to create readable default_prefs: //.spamassassin/user_prefs

Since these changes, all spam is being successfully identified, and non-spam email is getting to users. These steps may point to some issues in the default Spamassassin install for Vesta, or perhaps just its interaction in this case where I am using OVH and CentOS 6.9. I hope this helps someone.
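As an added check, not part of the thread, Vesta or BIND, this script audits a resolv.conf and a named.conf options block against steps 1 and 2 above: it flags the mixed resolv.conf from the second post (where the OVH server is still listed, so lookups can still leave via the host DNS), a named that does not recurse, a recursive named left open to the whole Internet, and the side effect of restricting allow-query rather than allow-recursion on a host that also serves authoritative zones. The sample file contents are constructed; the function names are my own.

```python
"""Audit resolv.conf and the named.conf options block for the local caching-resolver setup."""
import re

# Constructed sample inputs shaped like the files in the thread (not copied from a live host).
RESOLV_MIXED = "nameserver 127.0.0.1\nnameserver 111.111.111.111\nsearch ovh.net\n"
RESOLV_LOCAL = "nameserver 127.0.0.1\n"
NAMED_OPTS = 'options {\n\tdirectory "/var/named";\n\trecursion yes;\n\tallow-query { localhost; };\n\tlisten-on-v6 { any; };\n};'
NAMED_FIXED = 'options {\n\trecursion yes;\n\tallow-recursion { localhost; };\n\tallow-query { any; };\n};'
LOCAL = {"localhost", "localnets", "127.0.0.1", "::1"}  # ACL entries that keep recursion on-host

def nameservers(resolv_text):
    """Nameserver IPs in file order; glibc queries them in that order and falls back down the list."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)

def parse_options(named_text):
    """Map each statement in options { ... } to its value, e.g. 'allow-query' -> '{ localhost; }'."""
    block = re.search(r"options\s*\{(.*?)\n\};", named_text, re.S)
    opts = {}
    for line in (block.group(1) if block else "").splitlines():
        m = re.match(r"^\s*([\w-]+)\s+(.*?)\s*;\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def acl_tokens(value):
    """Split an ACL value such as '{ localhost; 10.0.0.0/8; }' into its entries."""
    return {t for t in re.split(r"[{};\s]+", value) if t}

def audit(resolv_text, named_text):
    """Return findings as strings; an empty list means the files match the intended design."""
    findings = []
    ns = nameservers(resolv_text)
    if ns != ["127.0.0.1"]:
        findings.append("resolv.conf must list only 127.0.0.1; found " + ", ".join(ns))
    opts = parse_options(named_text)
    if opts.get("recursion") != "yes":
        findings.append("recursion is off: named will not resolve URIBL names itself")
    elif not acl_tokens(opts.get("allow-recursion", opts.get("allow-query", "{ any; }"))) <= LOCAL:
        findings.append("open recursive resolver: restrict allow-recursion to localhost")
    if "allow-recursion" not in opts and acl_tokens(opts.get("allow-query", "any")) <= LOCAL:
        findings.append("allow-query { localhost; } also hides this host's authoritative zones "
                        "from outside clients unless each zone overrides it; prefer "
                        "allow-recursion { localhost; } with allow-query { any; }")
    return findings

if __name__ == "__main__":
    print(audit(RESOLV_MIXED, NAMED_OPTS))   # two findings
    print(audit(RESOLV_LOCAL, NAMED_FIXED))  # []
```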