error message cannot resolve maps.rspamd.com: query refused

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,739
Location
GMT +7.00
Redis for rSpamd is using sockets; your installation tries a TCP port.

If your rSpamd installation is customized then it requires an update of configs.
If your installation is default, then you might need to remove /etc/rspamd/ and reinstall rSpamd.
 

hqn34

Verified User
Joined
Nov 7, 2022
Messages
7
error message
 

Attachments: q112.png (35.8 KB), qq.png (4.8 KB)

hqn34

Verified User
Joined
Nov 7, 2022
Messages
7
I solved the problem for now.

In /etc/rspamd/options.inc, modify the dns { } section:
Code:
dns {
    nameserver = ["8.8.8.8:53:1"];
}
 

petersconsult

Verified User
Joined
Sep 10, 2021
Messages
44
If you want to use 127.0.0.1:53 you should first configure your named to serve as a caching or forwarding DNS. These roles are disabled by default.
Sorry to bug you about this, I've been trying to read up on this, and it seems that, to turn on DNS caching, all I need to do is to set
Code:
recursion yes;

in the file /etc/named.conf

However, as I understand it, this would leave my server open to exploitation in DDNS amplification attacks.

The options section, as it is now, looks like this:
Code:
options {
    allow-transfer { none; };
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file    "/var/named/data/named.secroots";
    recursing-file    "/var/named/data/named.recursing";
    allow-query     { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

I'd greatly appreciate any advice you may have regarding enabling the DNS cache.

PS: regarding security, this server also hosts a number of websites/email, so I assume that's why it's set to
Code:
allow-query     { any; };

Thank You in advance!
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,739
Location
GMT +7.00
allow-query { any; };

If you change the option to none (for example) it will make named deny any query from anybody. So all DNS queries about hosted domains will be denied too. The option can be changed only if all hosted domains use a remote DNS.

As for the case with recursion, you can control it with the option allow-recursion { }. See https://kb.isc.org/docs/aa-00269 for more details.
 

petersconsult

Verified User
Joined
Sep 10, 2021
Messages
44
OK, so..
here's what I did..

In /etc/named.conf
I changed recursion to yes
and added:
Code:
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

Then, in /etc/rspamd/options.inc
I set
Code:
nameserver = ["127.0.0.1:53:8", "1.0.0.1:53:1", "8.8.8.8:53:1"];

I hope that will resolve this issue, and I hope it doesn't leave my server open to DDNS amplification attacks.
I will post if there are issues.
 
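The open-resolver worry raised in this thread can be checked mechanically before restarting named. The script below is an added example, not code from the thread or from BIND, rspamd or DirectAdmin: it reads the options { } block of a named.conf, and whenever recursion is on it reports any missing or unrestricted allow-recursion / allow-query-cache ACL. The two sample configs are constructed, modelled on the block posted above; absence of an ACL is reported as a finding so the check does not depend on BIND version defaults.

```python
import re

# Constructed samples (not copied from the thread), reduced to the
# directives that matter for the recursion check.
SAMPLE_BEFORE = """
options {
    allow-query     { any; };
    recursion yes;
};
"""

SAMPLE_AFTER = """
options {
    allow-query     { any; };
    recursion yes;
    allow-query-cache { localhost; localnets; };
    allow-recursion { localhost; localnets; };
};
"""

def _strip_comments(text):
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def directive(text, name):
    """Return the body of `name { ... };` or the value of `name value;`, else None.
    The lookarounds stop 'recursion' from matching inside 'allow-recursion'."""
    pat = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])\s*(\{[^}]*\}|[^;{]+);"
    m = re.search(pat, text)
    return m.group(1).strip() if m else None

def acl_is_restricted(body):
    """An ACL body is restricted only if present, non-empty and without 'any'."""
    if body is None:
        return False
    items = [t.strip() for t in body.strip("{}").split(";") if t.strip()]
    return bool(items) and "any" not in items

def audit_options(named_conf):
    """Return a list of findings; empty means recursion is off or properly scoped."""
    text = _strip_comments(named_conf)
    findings = []
    if (directive(text, "recursion") or "no").lower() != "yes":
        return findings  # authoritative-only: nothing to restrict
    for acl in ("allow-recursion", "allow-query-cache"):
        if not acl_is_restricted(directive(text, acl)):
            findings.append(f"recursion yes without restricted {acl}")
    return findings
```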

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,739
Location
GMT +7.00
Try dig gmail.com @127.0.0.1 from the server console and you will see how it works.
 