mail DNSBL queries resulting in NXDOMAIN
-
Hello folks,
I am configuring an email server to use some of Spamhaus's IP-based DNSBLs.
The problem is that my unbound gets NXDOMAIN return codes for IPs which are listed in their DNSBL. After some digging I believe I've found the root cause of this problem: the DNS Rebinding Protection, which strips RFC1918 addresses from the DNS response, plus the loopback interface, i.e. 127.0.0.0/8. Given the return codes from querying Spamhaus's DNSBL conflict with the private-address range listed in /var/unbound/unbound.conf (from the DNS Rebinding prevention setting), my mail fails to properly block email from IPs included in their DNSBL. So far, I have come up with two possible solutions:
- Comment out the following line in /var/unbound/unbound.conf: "private-address: 127.0.0.0/8". Essentially removing DNS rebind protection for that address range.
- Implement a forward zone so another upstream DNS server resolves these queries for me. The disadvantage of this approach is reduced privacy.
Thus my question is how should I handle this situation? Am I missing another possible solution?
Thanks!
-
@alejo-0 said in mail DNSBL queries resulting in NXDOMAIN:
Am I missing another possible solution?
Yep.
Put your email server not behind a device that places in RFC1918 land.
No more DNS rebind issues (and others).
@alejo-0 said in mail DNSBL queries resulting in NXDOMAIN:
Comment the following line in /var/unbound/unbound.conf : "private-address: 127.0.0.0/8". Essentially removing DNS rebind protection for address ran
That file, like every config file, is generated and maintained by the pfSense GUI.
So editing it won't work.
Because :
You edit the file. You restart unbound ..... with the GUI => wrong ! the config file has just been rewritten.
You could do this :
@alejo-0 said in mail DNSBL queries resulting in NXDOMAIN:
the DNS Rebinding Protection, which strips RFC191
so do what is proposed :
@alejo-0 said in mail DNSBL queries resulting in NXDOMAIN:
Implement a forward zone so other upstream DNS server resolve these queries for me. The disadvantage of this approach is reduced privacy.
Do you have to forward ?
These 3 lines are the latest checks on my massive "smtpd_recipient_restrictions".
The reject_rbl_client will contact, for example, sbl.spamhaus.org and reject the request when the reversed client network address is listed with the A record. So : if the IP of the sender isn't the IP of the sender, but your local RFC1918 one, then, yeah, you're hiding info for your mail server. Info you need when you want to use "reject_rbl_client ........"
Btw : This is my 'IMHO' answer. I've been using postfix for more than a decade. On a dedicated server, out there, in the wild. There's no need to protect it against the bad guys, but the 'gates' are by the guardian, that fills the iptables firewall with IP addresses against those that don't play by the rules.
As I'm using this mail server for company mails, I can't post / send mail from behind an ISP IP as that's bad practice. I was even filtering mails coming from those ISP IPs, but this isn't needed any more.
On the other hand, if my MX is an IP used by my ISP, Orange (France), and hotmail (example) knows this - then I would not receive mails from them, gmail etc.
Btw : I'm not sure if you are using pfSense @home, or what IP you use. It could be fine of course.
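A small added example (not code from anyone in this thread) of the lookup that reject_rbl_client performs, and of why a resolver that strips 127.0.0.0/8 answers makes the check fail open. The resolver class, the zone name `dnsbl.example` and the sample listings are constructed stand-ins, not real DNS traffic; the only real-world fact used is that every DNSBL must list 127.0.0.2 as a test entry (RFC 5782):

```python
import ipaddress

NXDOMAIN = "NXDOMAIN"  # how the toy resolver reports "no such name"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: IPv4 octets reversed, then the list's zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed(answer) -> bool:
    """A DNSBL signals 'listed' with A records inside 127.0.0.0/8."""
    if answer == NXDOMAIN:
        return False
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answer)


class RebindFilteringResolver:
    """Constructed model of a resolver with rebind protection.

    zone_data maps lookup names to A records. private_address mirrors unbound's
    private-address list: matching answers are dropped, and an answer that ends
    up empty is reported as NXDOMAIN, which is what the thread observed."""

    def __init__(self, zone_data, private_address=()):
        self.zone_data = zone_data
        self.private = [ipaddress.IPv4Network(n) for n in private_address]

    def query_a(self, name: str):
        records = self.zone_data.get(name)
        if records is None:
            return NXDOMAIN
        kept = [r for r in records
                if not any(ipaddress.IPv4Address(r) in n for n in self.private)]
        return kept if kept else NXDOMAIN


def rebind_protection_breaks_dnsbl(resolver, zone: str) -> bool:
    """Sanity check a mail admin can run: 127.0.0.2 must be listed in any DNSBL.
    NXDOMAIN for that lookup means answers are being stripped and the
    blocklist silently fails open (every sender looks 'not listed')."""
    return not listed(resolver.query_a(dnsbl_query_name("127.0.0.2", zone)))


ZONE = "dnsbl.example"  # placeholder zone, not a real blocklist
SAMPLE = {  # constructed listings: the RFC 5782 test entry plus one "bad" sender
    dnsbl_query_name("127.0.0.2", ZONE): ["127.0.0.2"],
    dnsbl_query_name("192.0.2.10", ZONE): ["127.0.0.3"],
}

if __name__ == "__main__":
    strict = RebindFilteringResolver(SAMPLE, ["127.0.0.0/8", "10.0.0.0/8"])
    relaxed = RebindFilteringResolver(SAMPLE, ["10.0.0.0/8"])
    for label, r in (("127/8 filtered", strict), ("127/8 allowed", relaxed)):
        print(label, "-> DNSBL broken:", rebind_protection_breaks_dnsbl(r, ZONE))
```

Against a real resolver the same check is `dig +short 2.0.0.127.<zone>`; an empty answer or NXDOMAIN where a 127.0.0.x record is expected points at the private-address filter.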
-
Before anything I would like to thank you for your answer and for being so active here. This community is truly amazing :)
@gertjan said in mail DNSBL queries resulting in NXDOMAIN:
Put your email server not behind a device that places in RFC1918 land.
I concur, however, the problem here is the 127.0.0.0/8 range, not the standard RFC1918. I might be wrong but I can't see that range listed in RFC1918.
I did some more digging on unbound and found this regarding the setting used for DNS Rebinding Prevention in their documentation: (can just read the last paragraph)
@gertjan said in mail DNSBL queries resulting in NXDOMAIN:
That file, as everything config file is generated and maintained by the pfSense GUI.
So editing it won't work.
Because :
You edit the file. You restart unbound ..... with the GUI => wrong ! the config file has just been rewritten.
You are totally right :) somehow that flew right over my head
@gertjan said in mail DNSBL queries resulting in NXDOMAIN:
so do what is proposed :
So I decided to go this route with some small modifications (for now..):
- I disabled DNS Rebind Check.
- Then re-added RFC 1918, excluding 127.0.0.0/8, through the "custom options" section on the DNS Resolver tab.