
How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was blocked"

Postby hwname » Fri Dec 08, 2017 8:04 pm

Greetings,

I have been running a Vesta CP install for many years and I'm very happy with it, thank you for this great software. My issue is actually with my server's host – since I use OVH, Spamassassin usually returns the result "ADMINISTRATOR NOTICE: The query to URIBL was blocked" because Vesta's DNS has to use OVH's DNS server (or another high-volume DNS server such as Google's) and these overload the URIBL servers and get blocked after a certain amount of queries:

https://wiki.apache.org/spamassassin/Dn ... nsbl-block

As a result of this I have a terrible amount of spam because Spamassassin can never query the blacklist servers and the email addresses used have been around for a while. At the link above, Spamassassin recommends using a caching DNS server to get around this problem of having queries refused. I have tried a couple of times to install dnsmasq, but both installs have ended up with my server ending up with no DNS at all, so I thought I should come here and just ask for help with it.

The last steps I followed to attempt to install DNSMasq today are these ones:

https://www.techrepublic.com/article/ho ... nd-server/

The very brief version of these instructions for CentOS:


sudo yum install dnsmasq
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq


in /etc/dnsmasq.conf:


listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
bogus-priv
no-hosts
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll


in /etc/resolv.dnsmasq:


nameserver (the IP address of the real external DNS server)


in /etc/resolv.conf:


nameserver 127.0.0.1


This ended up with being able to run


dnsmasq --test
successfully but when I eventually ran


service dnsmasq restart
I always received the result


dnsmasq: failed to create listening socket for port 53: Address already in use [fail]


When I ran


netstat -anlp | grep -w LISTEN
it was named that had an existing binding to 127.0.0.1:53. I have the feeling I may be running up against something important about Vesta's DNS service and/or the way it combines with OVH or CentOS 6.9, so I'm not sure how to proceed. I have reverted to Vesta's default behavior (everything works normally again and I have a clean slate to try new fixes, but my spam issue remains unaddressed) and I'd be very appreciative for some guidance on how to set up a caching DNS service so I can resume making successful connections to Spamassassin blacklist servers. I am using CentOS 6.9.

Based on the following posts which all report being blocked from using the Spamassassin blacklists due to the use of a host DNS or Google's DNS, and which are all unsolved:

https://forum.vestacp.com/viewtopic.php?f=12&t=14674
https://forum.vestacp.com/viewtopic.php?f=12&t=10713
https://forum.vestacp.com/viewtopic.php?f=12&t=15109

I think that this is not an uncommon administrative issue for a Vesta install with Spamassassin, CentOS 6.x, and large server host (or a desire to use Google's DNS, which should be possible as a choice if the host DNS doesn't perform well or has other issues). Being able to run a local caching DNS server is also useful for other applications. Thank you for your help!
Last edited by hwname on Sat Dec 16, 2017 10:56 am, edited 1 time in total.

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was block

Postby hwname » Sat Dec 09, 2017 12:23 pm

On closer reading, I see that Spamassassin doesn't recommend dnsmasq but they do recommend BIND, which I believe is actually already installed and working in Vesta on port 53. How do I configure BIND to work as a non-forwarding caching nameserver that will allow me to query Spamassassin blacklists without getting blocked due to the query coming from OVH's DNS server, but still perform DNS services as it has been?

My /etc/resolv.conf looks like this, where 111.111.111.111 is actually the OVH DNS server (I think this is set by OVH when the servers are first provisioned, but commenting out that line or the two lines referring to OVH and just leaving the reference to localhost results in no DNS at all, i.e. outgoing email stops working and domains can no longer be pinged by the server):


nameserver 127.0.0.1
nameserver 111.111.111.111
search ovh.net


Thanks for your assistance!

hwname
Posts: 9
Joined: Fri May 23, 2014 8:16 am

Re: How to install dnsmasq/other caching nameserver for Spamassassin when server host DNS gets "query to URIBL was block

Postby hwname » Sat Dec 16, 2017 10:51 am

Here is how I ended up solving this myself, with luck without any dangerous side-effects (please let me know if you see any).

Step 1 is to make sure that /etc/resolv.conf only points to 127.0.0.1 and not the external DNS server.
Step 2 is to set /etc/named.conf with the following items inside of the options block so that localhost is the DNS server (leaving whatever is outside your options block in place):


options {
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   pid-file "/var/run/named/named.pid";
   statistics-file "/var/named/data/named_stats.txt";
   version "get lost";
   allow-transfer {"none";};
   recursion yes;
   allow-query { localhost; };
   dnssec-enable yes;
   dnssec-validation yes;
   auth-nxdomain no;
   listen-on-v6 { any; };
};


Step 3 is to fix a different issue with Vesta's Spamassassin install, which is that it runs as nobody which causes an inability to write out any bayes info:

mkdir /etc/mail/spamassassin/bayes

/etc/mail/spamassassin/local.cf:


required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
#dns_available yes
bayes_path /etc/mail/spamassassin/bayes/bayes


That is not a typo that the bayes path has 'bayes/bayes' at the end but the mkdir line only has one level of 'bayes'. The last step is to recursively set /etc/mail/spamassassin/bayes to a permission level on your server that will allow it to be written to by the Spamassassin instance. You can see failure or success of this in /var/log/maillog, but ignore these errors because they are unfixable due to Spamassassin running as nobody:


spamd: creating default_prefs: //.spamassassin/user_prefs
config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
spamd: failed to create readable default_prefs: //.spamassassin/user_prefs


Since these changes, all spam is being successfully identified, and non-spam email is getting to users. These steps may point to some issues in the default Spamassassin install for Vesta, or perhaps just its interaction in this case where I am using OVH and CentOS 6.9. I hope this helps someone.
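As an added example, not part of hwname's posts, the following POSIX shell script checks the two configuration points from Steps 1 and 2 above offline: that /etc/resolv.conf lists only 127.0.0.1 (otherwise the resolver library may still send SpamAssassin's DNSBL lookups through the provider's nameserver), and that the named.conf options block enables recursion while restricting queries to localhost. The file contents are constructed samples; the 111.111.111.111 address is the thread's placeholder for the OVH nameserver.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the
# local caching resolver set up in Steps 1 and 2 above.

# check_resolv FILE: succeeds only if every "nameserver" line in FILE
# is 127.0.0.1, i.e. DNSBL queries go through the local recursive named
# rather than the hosting provider's shared resolver.
check_resolv() {
    ext=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" { n++ } END { print n + 0 }' "$1")
    [ "$ext" -eq 0 ]
}

# check_named FILE: succeeds only if the options block turns recursion on
# and limits queries to localhost (a recursive resolver answering any
# client on a public address would be open to abuse).
check_named() {
    grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' "$1" || return 1
    grep -Eq '^[[:space:]]*allow-query[[:space:]]*\{[[:space:]]*localhost[[:space:]]*;[[:space:]]*\}[[:space:]]*;' "$1" || return 1
}

# Constructed sample files, written to a scratch directory.
tmp=$(mktemp -d)
cat > "$tmp/resolv.before" <<'EOF'
nameserver 127.0.0.1
nameserver 111.111.111.111
search ovh.net
EOF
cat > "$tmp/resolv.after" <<'EOF'
nameserver 127.0.0.1
search ovh.net
EOF
cat > "$tmp/named.conf" <<'EOF'
options {
   directory "/var/named";
   recursion yes;
   allow-query { localhost; };
};
EOF

for f in resolv.before resolv.after; do
    if check_resolv "$tmp/$f"; then
        echo "$f: only the local resolver is used"
    else
        echo "$f: an external nameserver is still listed"
    fi
done
check_named "$tmp/named.conf" && echo "named.conf: recursive, localhost-only"
```

Run it against the real files by passing /etc/resolv.conf and /etc/named.conf to the two functions; the "before" sample reproduces the resolv.conf quoted in the second post and is reported as still pointing at an external nameserver.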

