Problem with unbound and spamhaus.org

AWOHille
Posts: 270
Joined: 2011-09-05 09:00

Problem with unbound and spamhaus.org

Post by AWOHille » 2018-04-13 14:30

I use zen.spamhaus.org, among others, together with Postscreen. That has worked without problems so far. For a few days now I have been seeing this in the log:

RBL lookup error

As DNS resolver I use unbound. A test gave the following result:


nslookup 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached
I tested the same thing on another VM, also running unbound, with the same result. On a further VM where Bind9 is in use, the result is this instead:


nslookup 2.0.0.127.zen.spamhaus.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10
I have now installed unbound (default config) on a fresh test VM and get the timeout there as well. Now I'm a bit stuck. Where could the problem be?

Joe User
Project Manager
Posts: 11583
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem with unbound and spamhaus.org

Post by Joe User » 2018-04-13 15:37

How have you configured unbound (especially the forward-zone)?
What does your resolv.conf look like?
PayPal.Me/JoeUserFreeBSD Remote Installation
Wings for LifeWings for Life World Run

„If there’s more than one possible outcome of a job or task, and one
of those outcomes will result in disaster or an undesirable consequence,
then somebody will do it that way.“ -- Edward Aloysius Murphy Jr.

Joe User
Project Manager
Posts: 11583
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem with unbound and spamhaus.org

Post by Joe User » 2018-04-13 15:39

I have no problem with unbound (1.7.0):


[root@devnoip:~] # drill 2.0.0.127.zen.spamhaus.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64019
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 2.0.0.127.zen.spamhaus.org.  IN      A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org.     3600    IN      A       127.0.0.4
2.0.0.127.zen.spamhaus.org.     3600    IN      A       127.0.0.2
2.0.0.127.zen.spamhaus.org.     3600    IN      A       127.0.0.10

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 154 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Apr 13 15:38:14 2018
;; MSG SIZE  rcvd: 92

Joe User
Project Manager
Posts: 11583
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem with unbound and spamhaus.org

Post by Joe User » 2018-04-13 15:45

No problem from my Windows client on the LAN either:


C:\Users\Joe User>nslookup 2.0.0.127.zen.spamhaus.org
Server:  server1.rootservice.lan
Address:  fe80::1260:4bff:fe92:98c0

Nicht autorisierende Antwort:
Name:    2.0.0.127.zen.spamhaus.org
Addresses:  127.0.0.4
          127.0.0.2
          127.0.0.10

AWOHille
Posts: 270
Joined: 2011-09-05 09:00

Re: Problem with unbound and spamhaus.org

Post by AWOHille » 2018-04-13 23:06

resolv.conf
nameserver 127.0.0.1

unbound.conf

server:

        directory: "/etc/unbound"
        username: unbound

        verbosity: 1
        interface: 127.0.0.1
        interface: ::1
        do-not-query-address: fe80::/10
        port: 53
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes

        hide-identity: yes
        hide-version: yes

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: ::ffff:127.0.0.1 allow
        access-control: 192.168.0.0/24 allow

        statistics-interval: 0
        extended-statistics: yes

        statistics-cumulative: no

        logfile: "/var/log/unbound.log"
        pidfile: "/var/run/unbound.pid"

        prefetch: yes
        prefetch-key: yes

        num-threads: 2

        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 192.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10

        #name: .
        #forward-addr: 8.8.8.8


        remote-control:
        control-enable: no

include: "/etc/unbound/unbound.conf.d/*.conf"
Resolving google.com, for example, works fine on the other hand:

nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.21.238

Joe User
Project Manager
Posts: 11583
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem with unbound and spamhaus.org

Post by Joe User » 2018-04-14 00:06

Did you follow https://www.spamhaus.org/organization/dnsblusage/ ?

Is there anything else in "/etc/unbound/unbound.conf.d/*.conf"?

For comparison, my unbound.conf:

[root@devgate:~] # sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' /usr/local/etc/unbound/unbound.conf
server:
        verbosity: 1
        num-threads: 4
        interface: 0.0.0.0
        interface: ::0
        port: 53
        outgoing-range: 32768
        so-rcvbuf: 4m
        so-sndbuf: 4m
        msg-cache-size: 256m
        msg-cache-slabs: 8
        num-queries-per-thread: 4096
        rrset-cache-size: 256m
        rrset-cache-slabs: 8
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        infra-cache-slabs: 8
        infra-cache-numhosts: 100000
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: ::ffff:127.0.0.1 allow
        access-control: 10.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        access-control: 192.168.0.0/16 allow
        access-control: 169.254.0.0/16 allow
        access-control: fe80::/10 allow
        access-control: ::ffff:0:0/96 allow
        logfile: "/usr/local/etc/unbound/unbound.log"
        root-hints: "/usr/local/etc/unbound/root.hints"
        hide-identity: yes
        hide-version: yes
        harden-short-bufsize: yes
        harden-large-queries: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-algo-downgrade: yes
        qname-minimisation: yes
        use-caps-for-id: yes
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: fe80::/10
        private-address: ::ffff:0:0/96
        unwanted-reply-threshold: 10000
        do-not-query-localhost: no
        prefetch: yes
        rrset-roundrobin: yes
        minimal-responses: yes
        auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
        val-clean-additional: yes
python:
remote-control:
forward-zone:
        name: "."
        forward-addr: 2606:4700:4700::1111        # Cloudflare
        forward-addr: 1.1.1.1                     # Cloudflare
        forward-addr: 2001:4860:4860::8888        # Google
        forward-addr: 8.8.8.8                     # Google
        forward-addr: 2620:fe::fe                 # Quad9
        forward-addr: 9.9.9.9                     # Quad9
        forward-addr: 2001:1608:10:25::1c04:b12f  # DNS Watch
        forward-addr: 84.200.69.80                # DNS Watch
        forward-addr: 216.146.35.35               # Dyn Public
        forward-addr: 216.146.36.36               # Dyn Public
And my resolv.conf:

[root@devgate:~] # sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' /etc/resolv.conf
nameserver 127.0.0.1
nameserver ::1
options edns0 ndots:1 timeout:0.3 attempts:1 rotate

AWOHille
Posts: 270
Joined: 2011-09-05 09:00

Re: Problem with unbound and spamhaus.org

Post by AWOHille » 2018-04-15 22:34

Thanks first of all for your reply. In the meantime I was able to solve the problem. Spamhaus has apparently blocked large parts of Hetzner's IP address range. Several users have similar problems:

http://postfix.1071664.n5.nabble.com/DN ... 94112.html

The installations where I have Bind in use are located outside Hetzner, so no problems were found there. I have now added an additional nameserver entry to resolv.conf, so the problem is solved for now.
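As an added example (not code from this thread), a small Python checker that builds the zen.spamhaus.org query name for an address, decodes the Zen return codes seen in the drill output above into the component lists, and reports a resolver failure separately from "not listed"; that distinction is what lies behind the "RBL lookup error" in the first post, where no verdict at all is reached. The code mapping follows Spamhaus's published Zen return codes; `system_lookup` uses the host's resolv.conf, and the `lookup` parameter exists so the logic can be exercised with constructed answers.

```python
import socket
from ipaddress import IPv4Address
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"

# Zen return codes (Spamhaus documentation) and the component list each one means.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_lookup(name: str) -> List[str]:
    """Resolve through the resolvers in /etc/resolv.conf. Returns [] when the
    name does not exist (not listed) and raises on timeout or SERVFAIL."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise


def check_zen(ip: str, lookup: Callable[[str], List[str]] = system_lookup) -> Dict[str, object]:
    """Classify one lookup as listed / not-listed / error. 'error' is the state
    postscreen logs as 'RBL lookup error': the resolver returned no verdict, so
    the connecting client is not scored against that list at all."""
    name = dnsbl_name(ip)
    try:
        answers = lookup(name)
    except OSError:
        return {"query": name, "status": "error", "lists": []}
    lists = sorted({ZEN_CODES.get(a, "unknown:" + a) for a in answers})
    return {"query": name, "status": "listed" if answers else "not-listed", "lists": lists}


def resolver_ok(lookup: Callable[[str], List[str]] = system_lookup) -> bool:
    """Health check: the documented test address 127.0.0.2 must come back listed.
    A timeout here means the resolver path, not a mail client, is the problem."""
    return check_zen("127.0.0.2", lookup)["status"] == "listed"


if __name__ == "__main__":
    print(check_zen("127.0.0.2"), "resolver_ok:", resolver_ok())
```

Run periodically, `resolver_ok()` turning false is the early warning that Postscreen has silently stopped getting Zen verdicts.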

Joe User
Project Manager
Posts: 11583
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem with unbound and spamhaus.org

Post by Joe User » 2018-04-16 00:13

Interesting, then I'm lucky that my Hetzner IPs are not affected.