error message cannot resolve maps.rspamd.com: query refused

Redis for rSpamd is using sockets, your installation tries TCP port.

If your rSpamd installation is customized then it requires an update of configs.
If your installation is default, then you might need to remove /etc/rspamd/ reinstall rSpamd.
 
error message
 

Attachments

  • q112.png
    q112.png
    35.8 KB · Views: 12
  • qq.png
    qq.png
    4.8 KB · Views: 12
I solved the problem for now.

etc/rspamd/option.inc modify dns {


nameserver = ["8.8.8.8:53:1"];
 
If you want to use 127.0.0.1:53 you should first configure your named to serve as a caching or forwarding DNS. These roles are disabled by default.
Sorry to bug you about this, i've been trying to read up on this, and it seems that, to turn on dns caching, all i need to do is to set
Code:
recursion yes;

in the file /etc/named.conf

However, as i understand it, this would leave my server open to exploitation in DDNS amplification attacks..

The options section, as it is now, looks like this:
Code:
options {
    allow-transfer { none; };
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file    "/var/named/data/named.secroots";
    recursing-file    "/var/named/data/named.recursing";
    allow-query     { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

i'd greatly appreciate any advice you may have regarding enabling the DNS cache..

PS: regarding security, this server also hosts a number of websites/email, so i assume that's why it's set to
Code:
allow-query     { any; };

Thank You in advance!
 
allow-query { any; };

If you change the option to none (for example) it will make named to deny any query from anybody. So all DNS queries about hosted domains will be denied too. The option can be changed only if all hosted domains use a remote DNS.

As of the case with a recursion, you can control it with an option allow-recursion { } See https://kb.isc.org/docs/aa-00269 for more details.
 
ok, so..
here's what i did..

in /etc/named.conf
i changed recursion to yes
and added:
allow-query-cache { localhost; localnets; };
allow-recursion { localhost; localnets; };

then, in /etc/rspamd/options.inc
i set
nameserver = ["127.0.0.1:53:8", "1.0.0.1:53:1", "8.8.8.8:53:1"];

i hope that will resolve this issue, and i hope it doesn't leave my server open to DDNS amplification attacks..
i will post if there are issues..
 
Try dig gmail.com @127.0.0.1 from the server console and you will see how it works.
 
Back
Top