[Solved] The query to zen.spamhaus.org was blocked due to usage of an open resolver.

awzeak (Verified User, joined Dec 25, 2023, 14 messages)
I have DirectAdmin 1.659 installed, local bind9 instance configured for recursion (I have ensured that it is working) and /etc/resolv.conf set to nameserver 127.0.0.1 to reflect the usage of local recursor (not an open resolver like 1.1.1.1), however as I can see from tcpdump and email headers at Mail Queue Administration, it is still using 1.1.1.1 (open resolver):

Code:
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to
                             zen.spamhaus.org was blocked due to usage of an
                              open resolver. See
                             https://www.spamhaus.org/returnc/pub/
                             [x.x.x.x listed in zen.spamhaus.org]

How can I fix this issue?
 
How can I fix this issue?
Just to be sure... did you restart named/bind after making the change? I also presume it's the first line in the resolv.conf file.

Which distro are you using? I remember I once had some odd thing with using 127.0.0.1 on Debian 11.
You should be able to see the error if you login via SSH as root.

Then do an nslookup for example:
Code:
nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.185.206
Name:   google.com
Address: 2a00:1450:4001:812::200e

If 127.0.0.1 is not working correctly for you, it will skip to the next in line and/or throw an error.

However, if this is working correctly then it must be something within DA and then I don't know. In some rare cases a reboot helps to fix odd things, but that is just a suggestion to try. Normally this shouldn't be needed.
 
Just to be sure... did you restart named/bind after making the change? I also presume it's the first line in the resolv.conf file.
Exactly, I have double checked that named works as a local recursor (it is not available from the public Internet, but `host google.com ::1` works), and I also modified /etc/resolv.conf to use only ::1 and 127.0.0.1.

Which distro are you using? I remember I once had some odd thing with using 127.0.0.1 on Debian 11.
You should be able to see the error if you login via SSH as root.
AlmaLinux 9. Once again, I am sure there is no issue with the standard Linux configuration:
Code:
[root@redacted ~]# host -v google.com
Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        294    IN    A    142.250.203.142

Received 44 bytes from ::1#53 in 0 ms
Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    AAAA

;; ANSWER SECTION:
google.com.        294    IN    AAAA    2a00:1450:401b:80e::200e

Received 56 bytes from ::1#53 in 0 ms
Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15672
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    MX

;; ANSWER SECTION:
google.com.        294    IN    MX    10 smtp.google.com.

Received 49 bytes from ::1#53 in 0 ms

Normally this shouldn't be needed.
I am afraid of doing unnecessary reboot of DirectAdmin server, so would wait a bit to be sure :D
 
[x.x.x.x listed in zen.spamhaus.org]
That almost must be the cause then, probably your IP. Is your server IP listed in Spamhaus?
If this were 1.1.1.1 (if that was still used), then you wouldn't have needed to mask it. So I'm getting the thought that the error from Spamhaus is maybe a bit off, but that the IP is listed.
 
Is your server ip listed in Spamhaus?
No.
The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
When this would be 1.1.1.1 (if that was still used) then you didn't need to mask it.
The masked IP address is another email server of mine, which I relay through using DirectAdmin. It is not listed at Spamhaus; the "listing" is caused by the 127.255.255.254 error code Spamhaus returns when an open resolver (like 1.1.1.1) is used for DNS lookups.
 
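The point made above, that 127.255.255.254 is an error code and not a listing, is worth having in code. The following is an added example (not from the thread, and not DirectAdmin's or SpamAssassin's own code): it builds the ZEN query name for an address, decodes the answer using the return codes documented at https://www.spamhaus.org/returnc/pub/, and separates real listings (127.0.0.x) from Spamhaus rejections (127.255.255.x). The sample answers are constructed; `lookup_zen()` is the only part that touches the network, and it assumes `dig` from bind-utils is installed.

```python
"""Decode Spamhaus ZEN answers: real listing vs. 127.255.255.x error codes.

Added example, not code from the forum thread, DirectAdmin or SpamAssassin.
Return-code meanings follow https://www.spamhaus.org/returnc/pub/ ; the
sample answers at the bottom are constructed. Nothing is looked up unless
lookup_zen() is called explicitly (it shells out to `dig`).
"""
import ipaddress
import subprocess

ZEN_ZONE = "zen.spamhaus.org."

# Listing codes (127.0.0.x) and error codes (127.255.255.x) returned by ZEN.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
    "127.255.255.252": "error: typing error in DNSBL name",
    "127.255.255.254": "error: query via public/open resolver, use a local recursor",
    "127.255.255.255": "error: excessive number of queries",
}


def zen_query_name(ip: str) -> str:
    """Build the DNSBL name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{ZEN_ZONE}"


def interpret_zen(answers):
    """Classify the A records returned for a ZEN query.

    answers: list of dotted-quad strings (empty list = NXDOMAIN = not listed).
    Returns {"listed": bool, "lists": [...], "errors": [...], "unknown": [...]}.
    An error code means the *query* was rejected; it says nothing about the IP
    and a mail filter must not score it as a listing.
    """
    result = {"listed": False, "lists": [], "errors": [], "unknown": []}
    for a in answers:
        meaning = ZEN_CODES.get(a)
        if meaning is None:
            result["unknown"].append(a)
        elif meaning.startswith("error:"):
            result["errors"].append(meaning)
        else:
            result["listed"] = True
            if meaning not in result["lists"]:
                result["lists"].append(meaning)
    return result


def lookup_zen(ip: str, resolver: str = "127.0.0.1"):
    """Query ZEN through a chosen resolver with dig and decode the answer.

    Network call, not used by the offline sample run. A 127.255.255.254 answer
    here means `resolver` is one Spamhaus refuses, not that `ip` is listed.
    """
    name = zen_query_name(ip)
    out = subprocess.run(["dig", "+short", "@" + resolver, name, "A"],
                         capture_output=True, text=True, check=False).stdout
    answers = [line.strip() for line in out.splitlines() if line.strip()]
    return name, interpret_zen(answers)


if __name__ == "__main__":
    # Constructed answers: what the OP saw (error code), a real XBL+PBL listing,
    # and a clean address (NXDOMAIN, so no A records at all).
    for ip, answers in [("192.0.2.10", ["127.255.255.254"]),
                        ("192.0.2.11", ["127.0.0.4", "127.0.0.10"]),
                        ("192.0.2.12", [])]:
        print(zen_query_name(ip), interpret_zen(answers))
```

Running `lookup_zen("192.0.2.10", "1.1.1.1")` from a host with `dig` reproduces the error case through a public resolver, while the same call with the default `127.0.0.1` is what a correctly configured mail server does. SpamAssassin's own `RCVD_IN_ZEN_BLOCKED_OPENDNS` rule, the one in the report at the top of the thread, is exactly this kind of check: it matches the 127.255.255.254 answer and scores it 0 with an administrator notice instead of treating it as a hit.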
If I understand correctly, you have configured your own named server as a DNS recursor.
Maybe spamhaus does really query your DNS server if it is an open resolver and denies the request because of (their) reasons. (and don't argue with their reasons)

I would suggest you:
Configure a prefix list in named to only allow recursion for your own specific IP ranges and wait until spamhaus detects you are not running an open resolver anymore.

Kr
Dries
 
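What Dries suggests above (restrict recursion to your own ranges) is the BIND `allow-recursion` option. The fragment below is an added example, not from the thread and not DirectAdmin's generated named.conf; 203.0.113.0/24 is a placeholder for your own address range. Loopback must stay in the ACL, otherwise the server's own /etc/resolv.conf lookups (and with them every DNSBL query) break.

```conf
// /etc/named.conf (fragment) -- added example, not from the thread or DirectAdmin.
// 203.0.113.0/24 is an example range; replace it with your own networks.
acl "recursion-clients" {
    127.0.0.0/8;        // the server itself, i.e. what /etc/resolv.conf points at
    ::1;
    203.0.113.0/24;     // e.g. the other mail server that relays through this host
};

options {
    recursion yes;
    allow-recursion   { recursion-clients; };   // who may ask us to recurse
    allow-query-cache { recursion-clients; };   // who may read cached answers
    allow-query       { any; };                 // zones we are authoritative for stay public
};
```

After `rndc reconfig`, a recursive query from outside the ACL, for example `dig @<your public IP> google.com`, should come back with `status: REFUSED`, while queries for zones the server is authoritative for still answer normally. That is the state Spamhaus expects: a recursor that answers only its own clients.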
You could also send me in a PM the public IP that is used for the recursion; I will test whether it is an open resolver.
Please send me the IP that you have masked with x.x.x.x as well if it is different.
I understand why you would mask it, but it causes more confusion for us to understand what is really going on.. :LOL:
 
If I understand correctly, you have configured your own named server as a DNS recursor.
Yes.
Maybe spamhaus does really query your DNS server if it is an open resolver and denies the request because of (their) reasons. (and don't argue with their reasons)
No.

When doing a query from the CLI, ::1 is used. When DirectAdmin/Exim/SpamAssassin, or whoever is liable for DNSBL lookups, is doing the lookup, 1.1.1.1 is used for some reason.
 
Trying to put "dns_server" into spamassassin

#/etc/mail/spamassassin/local.cf
Code:
dns_server 127.0.0.1
 
I have queried your nameserver and can confirm it is not an open resolver. (You sent it to me via PM.)
Could it be that your nameserver (the one you are using now) has been an open resolver, even for a brief moment?
If not. Then an issue is at the side of spamhaus.

Disable their dnsbl list (for some months) and try again later if you still want to use them.
Or try to contact them if you really are dedicated to using their list.

Kr
Dries
 
Just applied the hotfix update from DirectAdmin, the issue does not appear anymore. Now I can confirm that all DNS queries are going to local recursor, not a Cloudflare one.
 
Hello!
Do i understand correctly that my resolv.conf setup was wrong all this time? ;/

It is:
```
nameserver 213.186.33.99
nameserver 74.82.42.42
nameserver 2606:4700:4700::1111
nameserver 2001:4860:4860::8844
```

This should be pointed to localhost?
 
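To see why a resolv.conf like the one above matters for this thread, here is an added example (not from the thread, and not DirectAdmin's code) that audits a resolv.conf: it lists which `nameserver` entries glibc will actually consult (only the first three; MAXNS is 3, later lines are silently ignored) and flags the ones that are public resolvers Spamhaus answers with 127.255.255.254. The set of known public resolvers is a partial list built for this example; extend it for your environment. The sample file is the one quoted in the post above.

```python
"""Audit /etc/resolv.conf for the DNSBL problem discussed in this thread.

Added example, not from the forum thread or from DirectAdmin. KNOWN_PUBLIC is
a constructed, partial list of public resolver addresses; extend as needed.
"""
import ipaddress

MAXNS = 3  # glibc resolver limit: nameserver lines beyond this are ignored

KNOWN_PUBLIC = {
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",  # Cloudflare
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",  # Google
    "9.9.9.9", "149.112.112.112",                                            # Quad9
    "74.82.42.42",                                                           # Hurricane Electric
}

# The resolv.conf quoted in the post above (four entries, none local).
OP_RESOLV_CONF = """\
nameserver 213.186.33.99
nameserver 74.82.42.42
nameserver 2606:4700:4700::1111
nameserver 2001:4860:4860::8844
"""

# What the thread recommends: the local recursor first, nothing public behind it.
LOCAL_RESOLV_CONF = "# local named\nnameserver 127.0.0.1\nnameserver ::1\n"


def parse_resolv_conf(text):
    """Return nameserver addresses in file order; '#' and ';' start comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))  # normalised form
            except ValueError:
                pass  # malformed address, glibc ignores it too
    return servers


def classify(addr):
    """loopback / public (known list) / private (RFC 1918, ULA) / other."""
    a = ipaddress.ip_address(addr)
    if a.is_loopback:
        return "loopback"
    if addr in KNOWN_PUBLIC:
        return "public"
    if a.is_private:
        return "private"
    return "other"


def audit(text):
    """Report which resolvers are effective and which of them break DNSBL lookups."""
    servers = parse_resolv_conf(text)
    active = servers[:MAXNS]
    report = {"active": [(s, classify(s)) for s in active],
              "ignored": servers[MAXNS:],
              "findings": []}
    if not active:
        report["findings"].append("no nameserver lines: libc falls back to 127.0.0.1")
    elif classify(active[0]) != "loopback":
        report["findings"].append(
            "first nameserver is not the local recursor; DNSBL lookups go to " + active[0])
    for s, kind in report["active"]:
        if kind == "public":
            report["findings"].append(
                f"{s} is a public resolver; zen.spamhaus.org answers 127.255.255.254 through it")
    if report["ignored"]:
        report["findings"].append(
            f"entries beyond {MAXNS} are ignored by glibc: {', '.join(report['ignored'])}")
    return report


if __name__ == "__main__":
    for label, conf in [("as posted", OP_RESOLV_CONF), ("local recursor", LOCAL_RESOLV_CONF)]:
        rep = audit(conf)
        print(label, rep["active"], "ignored:", rep["ignored"])
        for f in rep["findings"]:
            print("  -", f)
```

Note the fallback behaviour mentioned earlier in the thread: glibc moves to the next `nameserver` when the first one times out, so a public resolver listed as "backup" after 127.0.0.1 will still produce the 127.255.255.254 error whenever named is down or slow. Keeping only loopback entries, or only resolvers you control, is what makes `audit()` return no findings.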
Hello!
Do i understand correctly that my resolv.conf setup was wrong all this time? ;/
This should be pointed to localhost?

If you want to use zen blacklist, it is better to have local recursor. As far as I know, there is no local recursor by default in DirectAdmin configured, so I would not recommend you to blindly modify /etc/resolv.conf.
 
As far as I know, there is no local recursor by default in DirectAdmin configured
DA is running named, so normally there is always a local recursor present by default.
One can just use 127.0.0.1 in the /etc/resolv.conf file, but of course it's best to also check if it's working.
And add some others after it just to be sure.
 