DNSBL Resolution Issues

osgit

I have one DNSBL that always has issues, not sure where the issue lies. Possibly DNS, but I'm not 100% sure. Looking for some ways to troubleshoot to verify the issue.

You can see the warnings here for spamrats:
Code:
Apr 14 17:22:46 smtp postfix/postscreen[3157]: warning: dnsblog reply timeout 10s for noptr.spamrats.com
Apr 14 17:22:46 smtp postfix/dnsblog[3168]: warning: dnsblog_query: lookup error for DNS query 120.228.185.89.noptr.spamrats.com: Host or domain name not found. Name service error for name=120.228.185.89.noptr.spamrats.com type=A: Host not found, try again

These are my DNSBL sites:
Code:
zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

Thank you in advance for any tips. :)
 

hata_ph

Using zen.spamhaus.org*2,bl.mailspike.net,psbl.surriel.com,noptr.spamrats.com, I am also having timeouts with the spamrats DNSBL.
Maybe it is their problem.

Code:
Apr 15 09:09:36 pmg postfix/postscreen[2782]: warning: dnsblog reply timeout 10s for noptr.spamrats.com
 

osgit

> Using zen.spamhaus.org*2,bl.mailspike.net,psbl.surriel.com,noptr.spamrats.com, I am also having timeouts with the spamrats DNSBL.
> Maybe it is their problem.
>
> Code:
> Apr 15 09:09:36 pmg postfix/postscreen[2782]: warning: dnsblog reply timeout 10s for noptr.spamrats.com

Yeah, I reached out to them and they said they are not having issues. This is happening on every transaction as well. I verified with them that I wasn't blocked or rate limited as well.
 

hata_ph

Maybe replace spamrats.com with another DNSBL, since there are many alternatives.
 

osgit

> Maybe replace spamrats.com with another DNSBL, since there are many alternatives.

Thank you for the suggestion! I've been looking for another that does the PTR lookup like noptr.spamrats.com does. Do you have a suggestion?
 

hata_ph

> Thank you for the suggestion! I've been looking for another that does the PTR lookup like noptr.spamrats.com does. Do you have a suggestion?

Maybe you can try all.spamrats.com, as it contains all of its lists.

https://spamrats.com/lists.php

Code:
Apr 16 07:42:48 pmg postfix/dnsblog[26701]: addr 107.174.142.77 listed by domain bl.mailspike.net as 127.0.0.11
Apr 16 07:42:48 pmg postfix/dnsblog[26702]: addr 107.174.142.77 listed by domain zen.spamhaus.org as 127.0.0.4
Apr 16 07:42:53 pmg postfix/dnsblog[26703]: addr 107.174.142.77 listed by domain all.spamrats.com as 127.0.0.38
 

osgit

> Local DNS resolver?
>
> What happens when you do a DNS lookup from localhost?

Fails:
Code:
host 127.0.0.1.noptr.spamrats.com
Host 127.0.0.1.noptr.spamrats.com not found: 2(SERVFAIL)

I use an upstream resolver (unbound) on a pfsense appliance. I've added the needed config options to allow for local resolution:
Code:
server:
private-address: 127.0.0.0/8
private-domain: "zen.spamhaus.org"
private-domain: "bl.spamcop.net"
private-domain: "psbl.surriel.com"
private-domain: "spamrbl.imp.ch"
private-domain: "noptr.spamrats.com"
private-domain: "escalations.dnsbl.sorbs.net"
private-domain: "bl.score.senderscore.com"
private-domain: "bl.spameatingmonkey.net"
private-domain: "rbl.realtimeblacklist.com"
private-domain: "dnsbl.dronebl.org"
private-domain: "ix.dnsbl.manitu.net"
private-domain: "b.barracudacentral.org"
private-domain: "truncate.gbudb.net"
private-domain: "bl.blocklist.de"

It also is NOT an open resolver, only internal requests, as I know they will block you if they see that...
 

Stoiko Ivanov

Proxmox Staff Member
could you try to (temporarily) disable the 'rebind attack' mitigation?

the SERVFAIL seems to be the cause of why the dnsbl's do not work - so we need to find the reason for that

if this does not help it might be a good idea to (temporarily) try one of the public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) to rule this out.
 

osgit

> could you try to (temporarily) disable the 'rebind attack' mitigation?
>
> the SERVFAIL seems to be the cause of why the dnsbl's do not work - so we need to find the reason for that
>
> if this does not help it might be a good idea to (temporarily) try one of the public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) to rule this out.

Yeah, same behavior. I've already allowed those domains using the private-domain option as well. I tested the public resolver as well, just to see and it doesn't work either.
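
Added example (not part of any post in this thread): a Python triage of the Postfix postscreen/dnsblog log lines quoted above, separating DNSBL zones that only produce timeouts or lookup errors from zones that return listings. The function names, the site list and the merged sample log are constructed for illustration; the individual log lines are copied from the posts above, and `query_name` handles IPv4 only.

```python
import re
from collections import Counter

# Constructed site list in postscreen_dnsbl_sites syntax (zones taken from the thread).
SITES = "zen.spamhaus.org*2,bl.mailspike.net,noptr.spamrats.com*2"
# Constructed sample: log lines copied from the posts above, merged into one log.
SAMPLE_LOG = """\
Apr 14 17:22:46 smtp postfix/postscreen[3157]: warning: dnsblog reply timeout 10s for noptr.spamrats.com
Apr 14 17:22:46 smtp postfix/dnsblog[3168]: warning: dnsblog_query: lookup error for DNS query 120.228.185.89.noptr.spamrats.com: Host or domain name not found. Name service error for name=120.228.185.89.noptr.spamrats.com type=A: Host not found, try again
Apr 16 07:42:48 pmg postfix/dnsblog[26701]: addr 107.174.142.77 listed by domain bl.mailspike.net as 127.0.0.11
Apr 16 07:42:48 pmg postfix/dnsblog[26702]: addr 107.174.142.77 listed by domain zen.spamhaus.org as 127.0.0.4
"""

TIMEOUT = re.compile(r"dnsblog reply timeout \d+s for (\S+)")
ERROR = re.compile(r"lookup error for DNS query (\S+?):")
LISTED = re.compile(r"listed by domain (\S+) as \S+")

def parse_sites(spec):
    """Turn 'zone[=filter][*weight],...' into {zone: weight}; weight defaults to 1."""
    sites = {}
    for entry in filter(None, re.split(r"[,\s]+", spec.strip())):
        name, _, weight = entry.partition("*")
        sites[name.split("=")[0].lower()] = int(weight or 1)
    return sites

def query_name(ip, zone):
    """Name dnsblog looks up for an IPv4 client: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def zone_of(name, zones):
    """Map a logged name (zone or full query name) to the longest matching zone."""
    name = name.lower().rstrip(".")
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def triage(log, zones):
    """Count timeouts, lookup errors and listings per configured zone."""
    stats = {z: Counter() for z in zones}
    for line in log.splitlines():
        for kind, rx in (("timeout", TIMEOUT), ("error", ERROR), ("listed", LISTED)):
            m = rx.search(line)
            zone = zone_of(m.group(1), zones) if m else None
            if zone:
                stats[zone][kind] += 1
    return stats

def suspect_zones(stats):
    """Zones that logged failures but never a listing in this log window."""
    return sorted(z for z, c in stats.items()
                  if (c["timeout"] or c["error"]) and not c["listed"])
```

A zone that answers NXDOMAIN (client not listed) logs nothing, so a zone reported by `suspect_zones` is one to test by hand with `host` against each resolver, not proof that the list itself is down.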
 
