
add option and/or fallback code for "127.255.255.254 Any Query via public/open resolver" (found on zen.spamhaus.org)

Open pbiering opened this issue 3 years ago • 10 comments

Hi,

I'm surely not the only one who got hit by the zen.spamhaus.org limitation related to queries through an open resolver...

Thank you for adding -n option already to upstream (version 1.7.0)!

A further improvement would be having the capability to query the authoritative NS directly by option (e.g. "always use authoritative NS") or at least as a fallback if 127.255.255.254 was returned (it may be that other services will turn on such a "friendly" feature in the future).

This would require some code extension running an NS query on each -s <server> domain and using the returned NS records for further lookups per -s <server>... not that easy to implement imho...

For now I have carved out the zen.spamhaus.org check into a dedicated check.

A related problem is how to tell postfix (postscreen_dnsbl_sites feature) and/or the local resolver not to use public resolvers for a specific domain... for now the use of zen.spamhaus.org becomes useless if the system uses public resolvers instead of a locally installed caching DNS server.

Best Regards!

pbiering avatar Sep 09 '22 07:09 pbiering

Dear Peter,

Just to be sure. In the case of -s zen.spamhouse.org I would look for the authoritative name server for spamhouse.org:

$ host -t soa spamhouse.org
spamhouse.org has SOA record ns1.bodis.com. dnsadmin.bodis.com. 2017062202 10800 3600 1209600 3600

and then use ns1.bodis.com for the queries related to *.spamhouse.org?

Seems a good way to always avoid the problem.

matteocorti avatar Sep 10 '22 05:09 matteocorti

The NS server in the SOA record is not reliable and is only 1 entry; better to retrieve the NS records:

host -t ns zen.spamhaus.org
zen.spamhaus.org name server a.gns.spamhaus.org.
zen.spamhaus.org name server b.gns.spamhaus.org.
zen.spamhaus.org name server c.gns.spamhaus.org.
zen.spamhaus.org name server d.gns.spamhaus.org.
zen.spamhaus.org name server e.gns.spamhaus.org.

and run the query through the list. Best on all NS entries, because one can be out-of-sync or unreachable.

(note: the correct domain is spamhaus.org, not spamhouse.org - for a reason unknown to me, the German word was used here in the distant past)

pbiering avatar Sep 10 '22 06:09 pbiering
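
Added example (not from the thread or from check_rbl's code): the fallback proposed above, in Python. It retries against every authoritative NS when the system resolver returns 127.255.255.254 and never reports a refused query as a clean result. `lookup_a` and `lookup_ns` are hypothetical hooks for the actual DNS calls; the sample answers, the 127.0.0.2 listing code and the 192.0.2.10 address are constructed.

```python
import ipaddress

# Return code from the issue title: the query arrived via a public/open resolver.
OPEN_RESOLVER_CODE = "127.255.255.254"

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_rbl(ip, zone, lookup_a, lookup_ns):
    """Return (status, servers_asked); status is LISTED, NOT_LISTED or UNKNOWN.

    lookup_a(name, server) -> list of A strings ([] for NXDOMAIN); raises
    OSError if the server is unreachable; server=None is the system resolver.
    lookup_ns(zone) -> host names of the zone's authoritative name servers.
    Both are hypothetical hooks supplied by the caller.
    """
    name = dnsbl_name(ip, zone)
    first = lookup_a(name, None)
    if OPEN_RESOLVER_CODE not in first:
        return ("LISTED" if first else "NOT_LISTED"), [None]
    # Fallback: ask every authoritative NS, since one may be out of sync or down.
    asked, listed = [], False
    for ns in lookup_ns(zone):
        try:
            answers = lookup_a(name, ns)
        except OSError:
            continue  # unreachable NS, try the next one
        if OPEN_RESOLVER_CODE not in answers:
            asked.append(ns)
            listed = listed or bool(answers)
    if not asked:
        return "UNKNOWN", []  # every path was refused: not OK, not listed
    return ("LISTED" if listed else "NOT_LISTED"), asked

# Constructed sample data standing in for real lookups.
SAMPLE_ANSWERS = {
    None: [OPEN_RESOLVER_CODE],          # system resolver is a public one
    "b.gns.spamhaus.org": [],            # out of sync: no listing yet
    "c.gns.spamhaus.org": ["127.0.0.2"], # constructed listing code
}

def sample_lookup_ns(zone):
    return ["a.gns.spamhaus.org", "b.gns.spamhaus.org", "c.gns.spamhaus.org"]

def sample_lookup_a(name, server):
    if server not in SAMPLE_ANSWERS:
        raise OSError("unreachable")     # a.gns is down in this sample
    return SAMPLE_ANSWERS[server]
```
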

Hello, have you found a way to check zen.spamhaus.org? It's widely used, like check_rbl :)

blacktek avatar Apr 30 '23 06:04 blacktek

I'm currently using this here:

monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n a.gns.spamhaus.org

pbiering avatar Apr 30 '23 07:04 pbiering

Hello, I'll be out of office until the 1st of May.

I'll reply on my return.

Kind Regards, TT

blacktek avatar Apr 30 '23 07:04 blacktek

> I'm currently using this here:
>
> monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n a.gns.spamhaus.org

Unfortunately this is not working for me. I also tried b.gns.spamhaus.org, c.gns.spamhaus.org, etc. Using my ISP's DNS server or setting up conditional forwarding in Windows DNS on my domain controllers doesn't work either. I always get the return code 127.255.255.254 from zen.spamhaus.org. Any ideas?

audiocoach avatar Nov 14 '23 21:11 audiocoach

In this case the -A option should be used, but it's not implemented yet...

matteocorti avatar Nov 15 '23 10:11 matteocorti

@audiocoach: with option -n it should work, can you show the debug output?

Example from here

monitoring-plugins/check_rbl-1.7.0 -H <MY-SERVER-IP> -t 60 -w 1 -c 1 -s zen.spamhaus.org -n b.gns.spamhaus.org -d
[DBG] validate(5.189.185.206, 5.189.185.206)
[DBG] Using DNS Resolver: 195.123.211.8 95.217.25.77
[DBG] reading...<MY-SERVER-IP-REVERSE>.zen.spamhaus.org
[DBG] name = <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, outstanding = 1
[DBG] reading...EOF.
[DBG] waiting for replies
[DBG] replies received: 1
[DBG] handling a reply
[DBG] callback( <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, <undefined> )
[DBG] callback( <MY-SERVER-IP-REVERSE>.zen.spamhaus.org, <undefined> )
[DBG] outstanding = 0, eof = 1
CHECK_RBL OK - <MY-SERVER-IP> (<MY-HOSTNAME>) BLACKLISTED on 0 servers of 1 | servers=0;0;0 time=0s;;

and please also retrieve output using dig directly:

dig A <MY-SERVER-IP-REVERSE>.zen.spamhaus.org @b.gns.spamhaus.org | grep -v "^;" | grep -v "^$"
zen.spamhaus.org.	10	IN	SOA	need.to.know.only. hostmaster.spamhaus.org. 2311152017 3600 600 432000 10

if you also receive valid A records, then your server IP itself is blacklisted...

pbiering avatar Nov 15 '23 20:11 pbiering

> In this case the -A option should be used, but it's not implemented yet...

Can you give an estimate when it will be implemented?

thomas-maeder avatar Jan 23 '24 08:01 thomas-maeder

No, I cannot. It's an open source project and anybody can contribute. At the moment I don't have the time ...

matteocorti avatar Jan 23 '24 08:01 matteocorti