LinuxQuestions.org
Old 04-13-2018, 10:51 AM   #1
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Rep: Reputation: Disabled
Bind and DNSBL etc. Lists Advice


Hello there,

I was wondering if anybody could advise on Bind, please.

How does Bind know which DNSBLs etc. to use? Where does it take this data from? May I specify this data myself somehow? It doesn't perhaps come from Postfix, does it?

All the spam lists seem to work OK according to my logs, except for SORBS. Are they any special or different from all the others and do they require any extra configuration in Bind? I always seem to see this line:

error (unexpected RCODE SERVFAIL) resolving 'dul.dnsbl.sorbs.net/A/IN':174.36.198.232#53

I know this is the SORBS server that is not answering me, but are there any workarounds for this?

Plus, I also noticed that my Bind was pretty outdated. However, my Debian does not say that there are any updates available when I type apt-get update, apt-get upgrade, or apt-get upgrade bind9. Does that mean that Bind runs separately from Linux distributions (Wheezy in particular) and it's impossible to upgrade it from packages and the only way to upgrade it to a later version is to compile it myself manually from sources?

I would appreciate any comments / pointers / help at all.

Many thanks in advance!
 
Old 04-13-2018, 01:35 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Yes calls to RBLs come from your MTA. bind is just the server/software that's performing the lookup.

I'm not sure what the problem is with resolving dul.dnsbl.sorbs.net, however. It seems to be working for me from two different servers, but I'm also using DNS resolving servers of my ISPs/datacenter, so I can't check the DNS logs.

Try
Code:
dig dul.dnsbl.sorbs.net
to see if that gives you more information about what's happening on your server.
 
1 members found this post helpful.
Old 04-14-2018, 02:36 AM   #3
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Hi Sean,

Thank you so much for your input and for replying! I appreciate.

Well, I have of course tried many various options of this dig command before, but I did not see any errors, it has always said "no error". However, it gave me an idea to test dnsbl.sorbs.net which seems to have to work out better. I am also thinking of changing dul.dnsbl.sorbs.net to dnsbl.sorbs.net. Do you know what the difference is between these two, except for the fact that these are sub.sub.domains? The line without "dul" seems more appropriate to me. I will test it around to check it on Bind.

Also, I still cannot figure it out why Linux distros run without Bind in their packages and there are no ways to apt-get upgrade / apt-get upgrade bind9 internally so to speak and I have to do it manually from sources. Does anybody know if there are any extra lines required in my sources.list file to make "apt-get upgrade bind9" command work?

Many thanks!
 
Old 04-14-2018, 03:35 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

The sub-domain is specific to one of the sorbs rbls...Dynamic IP Address ranges I believe. See sorbs.net for information about how to use their rbls.

Last edited by scasey; 04-14-2018 at 04:08 PM.
 
1 members found this post helpful.
Old 04-15-2018, 02:54 AM   #5
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Thank you so much for your suggestion.

I do not see any special rules / requirements on how to use their rbl on their website (sorbs.net).

The weird thing is that when I dig it like this it works OK and says, "no errors":
Code:
dig dul.dnsbl.sorbs.net
However, when I test it from the network where my server runs from it says "connection timed out":
Code:
dig @my.server's.ip.address. dul.dnsbl.sorbs.net
I checked my iptables and firewalls and there were no IP addresses of dnsbl.sorbs.net listed, that is at least the ones that I could get at the time of "digging" if you're saying they are dynamic.. I am a bit lost... I also checked my server's IP address (static) against sorbs spam lists and it says I am not listed there either. Any more suggestions, please? Am I caught in their firewalls / iptables somehow?
 
Old 04-15-2018, 03:20 AM   #6
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Quote:
Originally Posted by Klaipedaville View Post
I do not see any special rules / requirements on how to use their rbl on their website (sorbs.net).
http://www.sorbs.net/general/using.shtml


Quote:
Originally Posted by Klaipedaville View Post
The weird thing is that when I dig it like this it works OK and says, "no errors":
Code:
dig dul.dnsbl.sorbs.net
However, when I test it from the network where my server runs from it says "connection timed out":
Code:
dig @my.server's.ip.address. dul.dnsbl.sorbs.net
I'd think a connection timeout would be about the name server at my.server's.ip.address, not SORBS.

Please review ALL of the information at sorbs.net. They are probably not going to respond to your questions about how to use their zones, given that they provide the information online.

I'm not sure that what you're trying to "test" is even remotely valid. The MTA queries sorbs DNS zones directly, I think.

Remind us what you're concerned about, please. When your MTA is configured properly, it will use SORBS as it's designed to be used.

Last edited by scasey; 04-15-2018 at 03:38 AM.
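
What an MTA asks a DNSBL, as an added example that is not from either poster: the client address is reversed and prepended to the zone, and the A-record answer (or NXDOMAIN) for that name is the verdict. The function names, the injected `resolve` callable and the `example.test` zones are assumptions for illustration; the sketch also covers IPv6 and keeps "not listed" apart from a failed lookup such as SERVFAIL.

```python
import ipaddress
import socket

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(client_ip, zone):
    """Name looked up to test client_ip against a DNSBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # octets, reversed
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # hex nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def system_resolve(name):
    """A-record lookup through the resolver this host is configured to use."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fake_resolve(name):
    """Constructed answers standing in for a resolver, so the demo runs offline."""
    table = {"2.0.0.127.dnsbl.example.test": ["127.0.0.2"]}
    if name in table:
        return table[name]
    if name.endswith(".broken.example.test"):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure, e.g. SERVFAIL")
    raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")

def dnsbl_check(client_ip, zone, resolve=system_resolve):
    """Return (status, codes); status is listed, not-listed or lookup-failed."""
    name = dnsbl_query_name(client_ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror as exc:
        # NXDOMAIN means "not listed". Anything else (SERVFAIL, timeout) says
        # nothing about the client and must not be counted as a clean result.
        if exc.errno == socket.EAI_NONAME:
            return "not-listed", []
        return "lookup-failed", []
    # Listings come back as 127.0.0.0/8 addresses; any other answer (for
    # instance from a resolver that rewrites NXDOMAIN) is not a listing.
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTING_NET]
    return ("listed", codes) if codes else ("lookup-failed", [])

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "dul.dnsbl.sorbs.net"))
    for ip, zone in [("127.0.0.2", "dnsbl.example.test"),
                     ("192.0.2.99", "dnsbl.example.test"),
                     ("192.0.2.99", "broken.example.test")]:
        print(ip, zone, dnsbl_check(ip, zone, fake_resolve))
```

Passing `system_resolve` (the default) instead of `fake_resolve` sends the same query through the local resolver, which is the path a Postfix `reject_rbl_client` lookup takes.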
 
Old 04-15-2018, 06:06 AM   #7
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Thank you so much for your follow ups with me on this, Sean. I appreciate.

Well, my initial and main concern was why I always seem to get "servfail" on SORBS when all the other RBLs work fine.

I've of course read their http://www.sorbs.net/general/using.shtml many times, but I meant to say that I couldn't find anything special to configure in my MTA in order for their RBLs to work. There are only general (as the link implies) usage pointers and instructions. My MTA is Postfix and it's very easy to set SORBS on it like this, as per guidance from sorbs.net:
Code:
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
However, as you can see SORBS instruct to use their dnsbl.sorbs.net, not the dul.dnsbl.sorbs.net

Now, I've simply added my.server's.ip.address to this ACL option of BIND to allow-query and allow-recursion and it happily started to resolve when I run it manually through this:
Code:
dig @my.server's.ip.address. dul.dnsbl.sorbs.net
I have also restarted my BIND now and will let it run for sometime closely monitoring it live just to see if my work around helped.

It looks like that SORBS is the only one that "required" me to set my.server's.ip.address in my ACL to allow-query and allow-recursion, all the other RBLs are doing perfectly fine without it. This is also what I meant by "special" instructions possibly to be advised by SORBS as I could not find this info on their web-site anywhere... Although I am not really sure now if I go right about it all generally at all because I re-configured it my side... as there was one guy from the BIND mailing list who was frothing at the mouth to prove me that it was SORBS who denied connections and I couldn't possibly do anything about it my side to solve it...
 
Old 04-15-2018, 10:26 AM   #8
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Quote:
Originally Posted by Klaipedaville View Post
...as you can see SORBS instruct to use their dnsbl.sorbs.net, not the dul.dnsbl.sorbs.net
Well, that is the super-set of their block lists:
Quote:
dnsbl.sorbs.net - Aggregate zone (contains all the following DNS zones
except spam.dnsbl.sorbs.net)
I use only
Code:
zombie.dnsbl.sorbs.net http.dnsbl.sorbs.net smtp.dnsbl.sorbs.net dul.dnsbl.sorbs.net
from SORBS. I don't recall why only those. I note, however, that in the last 61 hours, I've had -0- hits...
Quote:
Originally Posted by Klaipedaville View Post
Now, I've simply added my.server's.ip.address to this ACL option of BIND to allow-query and allow-recursion and it happily started to resolve when I run it manually through this:
Code:
dig @my.server's.ip.address. dul.dnsbl.sorbs.net
I have also restarted my BIND now and will let it run for sometime closely monitoring it live just to see if my work around helped.

It looks like that SORBS is the only one that "required" me to set my.server's.ip.address in my ACL to allow-query and allow-recursion, all the other RBLs are doing perfectly fine without it. This is also what I meant by "special" instructions possibly to be advised by SORBS as I could not find this info on their web-site anywhere... Although I am not really sure now if I go right about it all generally at all because I re-configured it my side... as there was one guy from the BIND mailing list who was frothing at the mouth to prove me that it was SORBS who denied connections and I couldn't possibly do anything about it my side to solve it...
That is certainly a possibility, but I think they would have posted to their email lists were that the case, and I've seen nothing from them...'tho there is the -0- hits issue.

As I've said earlier, I've given up trying to run my own DNS servers since 1) I began to use my registrar's name servers for domains I host and 2) began to use my ISP's or datacenter's name servers for resolution, so I'm out of practice re: named and bind...and I can't check the logs to see if there are resolution issues.

Please let us know what you finally discover.
 
Old 04-15-2018, 11:23 AM   #9
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Hi there, Sean!

I appreciate your comments and replies as when you discuss it, it helps you out to see the correct way to go about your issue!

I will definitely post my "discoveries" if you are interested!

I like to be in control myself even if it takes a lot of time to master "the subject" :-)

Meanwhile, It's been running OK for the past 7 hours or so. I am still on it though.

I might as well change it over to just their super-set as it looks like a good idea. I fine-tuned all these RBLs quite some time ago and I guess I may have to revise it now:-)
 
Old 04-16-2018, 01:02 PM   #10
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Hi,

Here are my updates as you were interested.

Firstly, I changed it to dnsbl.sorbs.net (from dul.dnsbl.sorbs.net) after all.

Secondarily, I created separate logging. It looks like that when it isn't in accordance with the Bind's suggested set for example like this:

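Code:
logging {
    // Channel definition only: a category statement must reference bind_log
    // before named sends anything to this file.
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 5m;  // rotate at 5 MB, keep 3 old files
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
};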

it dumps all sorts of kooky hiccup errors right into my syslog file directly. Now, as long as it is being logged the Bind's way I do not seem to have any issues with it at all. However, if I switch back to syslog for testing purposes I get these weird errors back again. That's how it stands at the moment.

Last edited by Klaipedaville; 04-16-2018 at 01:17 PM.
 
Old 04-16-2018, 08:37 PM   #11
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

I'm still getting -0- blocks from SORBS, although that could be because SORBS is the last method I use to block spam.
First, using tcpserver and a comprehensive block list we've developed over the years, we simply reject email from large numbers of servers. (44.15% of attempted connections)
Then, we check SPAMCop, followed by Spamhaus (SBL-XBL) before we check the short list of SORBS lists posted earlier.

Code:
SPAM Blocking Statistics:
  Between 04/14/2018 at 12:00:08 and 04/16/2018 at 18:00:28 MST
  Elapsed time: 54.00 hours           Avg/hour              Per day
  Total Messages:            4482           83                 1992
  Messages accepted:          978           18    21.82%        434
  Messages denied:           3504           64    78.18%       1557
    Denied by us:            1979           36    44.15%        879
    Denied using SORBS:         0            0     0.00           0
    Denied using SBL-XBL:     745           13    16.62%        331
    Denied using SPAMCop:     780           14    17.40%        346

Last edited by scasey; 04-16-2018 at 09:06 PM.
 
Old 04-17-2018, 02:24 AM   #12
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Right. My SORBS blocks only 1 to 2 per day as well so I guess they are not a major player here. I think they take an "honorable" last place's trophy. Currently, the lion's share is being blocked by spamhaus.org in my case. In fact, Spamhaus has been the best for me for ages according to my simple daily statistics.

Speaking of statistics I was wondering how did you generate your statistics' table as per your last message? Was it done by a separate script?

I let my Postfix's postscreen do all the spam blocking which dramatically decreases my server's load and saves on resources pretty much, that's why I would need something like a python script to collect this kind of statistical data from my logs. I can only see it quite simplified per DNSBLs.

I also have a miracle happened! SORBS replied me two weeks after I had asked them a question! Wow! The president of the United States responds much faster than SORBS does. They must be really busy holding on to their "last place" amongst all the other RBLs. ))) But on the other hand it's better late than never as they say. ))) Although they did not say much. They recommend not to resolve dul.dnsbl.sorbs.net as an A record... not sure if I am in control of doing it. It may have something to do with my ACL perhaps.. I shall check.
 
Old 04-17-2018, 11:50 AM   #13
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Quote:
Originally Posted by Klaipedaville View Post
Speaking of statistics I was wondering how did you generate your statistics' table as per your last message? Was it done by a separate script?
That is part of the output of a perl script I wrote to analyze, report and graph the qmail mail log files and output as a web page.
It runs every hour. I point customers to it when they complain of too much spam to show what we're doing to mitigate what they see. I also use it to confirm that things are working well over time (the graphs all flat-line when the mail server is down, for example)
Quote:
Originally Posted by Klaipedaville View Post
I also have a miracle happened! SORBS replied me two weeks after I had asked them a question! Wow! The president of the United States responds much faster than SORBS does. They must be really busy holding on to their "last place" amongst all the other RBLs. ))) But on the other hand it's better late than never as they say. ))) Although they did not say much. They recommend not to resolve dul.dnsbl.sorbs.net as an A record... not sure if I am in control of doing it. It may have something to do with my ACL perhaps.. I shall check.
I think SORBS is pretty much a one-person shop, although I don't know that for sure. I've never seen any communication from anyone other than Michelle. I have always found them to be responsive, eventually.
 
Old 04-19-2018, 01:16 AM   #14
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Rep: Reputation: Disabled
Do you use any scripts or services to email you your logs? Could you share, please?

I have been using Logwatch for quite some time but they do not seem to have anything for Bind configured / created even in their last version. Their named part won't read and parse Bind9's logs.

There is this Logcheck that I also found but all they do is simply email you everything in bulk without ever processing and parsing it for statistics and summary.
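
A per-list summary of the kind asked about in this thread, as an added example that is not either poster's script: it counts Postfix "blocked using" rejects per DNSBL and named SERVFAIL errors per zone, and flags a list that shows zero blocks while its lookups are failing. The log lines are constructed, and the `ZONES` tuple, the function names and the assumption that your logs carry these two message formats are illustrative.

```python
import re
from collections import Counter

# DNSBL zones the MTA is configured to use (sample configuration, adjust).
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dul.dnsbl.sorbs.net")

# Constructed log lines, not taken from either poster's server.
SAMPLE_LOG = """\
Apr 16 10:00:01 mx postfix/postscreen[811]: NOQUEUE: reject: RCPT from [192.0.2.10]:4411: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.test>, to=<u@example.test>, proto=ESMTP, helo=<h1>
Apr 16 10:02:09 mx postfix/postscreen[811]: NOQUEUE: reject: RCPT from [198.51.100.7]:5020: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.test>, to=<u@example.test>, proto=ESMTP, helo=<h2>
Apr 16 10:05:30 mx postfix/postscreen[811]: NOQUEUE: reject: RCPT from [203.0.113.5]:6100: 550 5.7.1 Service unavailable; client [203.0.113.5] blocked using bl.spamcop.net; from=<c@example.test>, to=<u@example.test>, proto=ESMTP, helo=<h3>
Apr 16 10:06:00 mx named[402]: error (unexpected RCODE SERVFAIL) resolving '5.113.0.203.dul.dnsbl.sorbs.net/A/IN': 174.36.198.232#53
Apr 16 10:06:02 mx named[402]: error (unexpected RCODE SERVFAIL) resolving '7.100.51.198.dul.dnsbl.sorbs.net/A/IN': 174.36.198.232#53
Apr 16 10:07:00 mx postfix/smtpd[900]: connect from mail.example.test[192.0.2.25]
"""

REJECT = re.compile(r"blocked using ([A-Za-z0-9.-]+)")
SERVFAIL = re.compile(r"unexpected RCODE SERVFAIL\) resolving '([^/']+)/")

def zone_of(qname, zones):
    """Map a query name such as 5.113.0.203.dul.dnsbl.sorbs.net to its list."""
    hits = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None

def summarize(lines, zones=ZONES):
    """Count rejects and failed lookups per DNSBL zone."""
    blocked, failed = Counter(), Counter()
    for line in lines:
        m = REJECT.search(line)
        if m:
            blocked[m.group(1).rstrip(".").lower()] += 1
            continue
        m = SERVFAIL.search(line)
        if m:
            zone = zone_of(m.group(1).lower(), zones)
            if zone:
                failed[zone] += 1
    report = []
    for zone in zones:
        # Zero blocks plus failing lookups: the list is not being consulted
        # successfully, which is different from the list having no hits.
        suspect = blocked[zone] == 0 and failed[zone] > 0
        report.append({"zone": zone, "blocked": blocked[zone],
                       "servfail": failed[zone], "suspect": suspect})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        flag = "  <-- lookups failing, zero blocks" if row["suspect"] else ""
        print(f'{row["zone"]:22} blocked={row["blocked"]:<4} servfail={row["servfail"]}{flag}')
```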
 
Old 04-19-2018, 01:18 PM   #15
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Quote:
Originally Posted by Klaipedaville View Post
Do you use any scripts or services to email you your logs? Could you share, please?

I have been using Logwatch for quite some time but they do not seem to have anything for Bind configured / created even in their last version. Their named part won't read and parse Bind9's logs.

There is this Logcheck that I also found but all they do is simply email you everything in bulk without ever processing and parsing it for statistics and summary.
I use logwatch. Don't need named/bind log reporting, tho. Logwatch is very customizable...from man logwatch:
Code:
       The directory /usr/share/doc/logwatch-* contains several files with additional documentation:
       HOWTO-Customize-LogWatch
              Documents the directory structure of Logwatch configuration and executable files, and describes how to customize Logwatch by overriding these default files.
...
 
  

