DNSMasq breaks DNSBL! Fixed…

Posted in linux, system administration

So this was driving me nuts, and was effectively stopping me from turning off GMail and using my own e-mail server with RoundCube/ZPush. Basically, I get a ton of spam. One of the reasons I’d been using GMail is because the spam detection is great.

To block spammers, there are RDNSBLs (Reverse DNS Black Lists): you look up a sender's IP address (octets reversed, as in the queries below) under the list's zone, and if the sender is on the "bad list" the answer is an address in the 127.0.0.0/8 range. Your MTA can be configured to block senders based on these responses.

At home, I have Tomato installed on my wireless router. I'm all set to use that as a DNS server to speed up and cache DNS lookups, but there is one problem: when a response to a DNS lookup comes back as 127.0.0.x, DNSMasq's DNS-rebinding protection doesn't like this and simply drops it. This is very bad for a RDNSBL, as it relies on exactly that type of response.

I’ve been tinkering with getting this working forever, and tcpdump again helped me debug an application that wasn’t giving me much info. On my web/e-mail server, I watched the output of tcpdump for port 53, and waited a while until a spam message came through. I saw that Sendmail was doing the lookup, however each time it was simply letting the “bigger boobs” or whatever spam message through. I couldn’t for the life of me figure out why even my manual lookups were failing:

[root@webl001t mail]# nslookup 45.83.75.187.zen.spamhaus.org.
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
*** Can't find 45.83.75.187.zen.spamhaus.org.: No answer

<<< Note >>>: Repeat the above ad nauseam for about a month, on and off of course

Finally, I decided that Sendmail wasn't the pain in the ass after all and that it had to be my router. Just as a hunch, I unchecked "Use internal DNS", and after a "service network restart" on the server, the same DNS lookups were now working!

[root@webl001t mail]# nslookup 45.83.75.187.zen.spamhaus.org.
Server:
Address:

Non-authoritative answer:
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.4
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.11

This, however, wasn't the best solution, as I'd rather not use my ISP's DNS servers if possible. But I was finally on to something. Googling "DNSMasq DNSBL" came up with a lot of hits, and this discussion finally got me the answer.

After I added the lines below to my Tomato configuration under Advanced -> DNS/DHCP, I was finally good to go: still using my own DNS, and also able to look up domains that return 127.0.0.0/8 addresses in the response.

rebind-domain-ok=/rfc-ignorant.org/
rebind-domain-ok=/sorbs.net/
rebind-domain-ok=/uribl.com/
rebind-domain-ok=/surbl.org/
rebind-domain-ok=/dnswl.org/
rebind-domain-ok=/njabl.org/

[root@webl001t log]# nslookup 45.83.75.187.zen.spamhaus.org.
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.4
Name: 45.83.75.187.zen.spamhaus.org
Address: 127.0.0.11
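Added example, not code from the post: a small Python helper that builds the reversed-IP query name shown above, classifies a resolver's answer (the empty NOERROR answer that nslookup printed as "No answer" is the rebind-filter symptom, distinct from a genuine NXDOMAIN), and checks a dnsmasq config fragment for DNSBL zones that no rebind-domain-ok line covers. The sample config is the post's own list, and the zone names are taken from the post; note that zen.spamhaus.org, which the post's test lookups use, is not among the listed entries, and the checker reports that.

```python
import ipaddress
import re

# Constructed sample: the rebind-domain-ok lines from the post, as a dnsmasq config fragment.
POST_CONF = """\
rebind-domain-ok=/rfc-ignorant.org/
rebind-domain-ok=/sorbs.net/
rebind-domain-ok=/uribl.com/
rebind-domain-ok=/surbl.org/
rebind-domain-ok=/dnswl.org/
rebind-domain-ok=/njabl.org/
"""

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 187.75.83.45 -> 45.83.75.187.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_answer(rcode, addresses):
    """Interpret a DNSBL lookup result.
    'listed'   : an A record inside 127.0.0.0/8 came back
    'clean'    : NXDOMAIN, the sender is not on the list
    'filtered' : NOERROR but no addresses, the symptom in the post when the
                 127.0.0.x answers are stripped by dnsmasq's rebind protection"""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if any(ipaddress.ip_address(a) in loopback for a in addresses):
        return "listed"
    if rcode == "NXDOMAIN":
        return "clean"
    if rcode == "NOERROR" and not addresses:
        return "filtered"
    return "unexpected"

def missing_rebind_ok(conf, zones):
    """Return the DNSBL zones that no rebind-domain-ok entry in conf covers.
    A rebind-domain-ok domain also covers all of its subdomains."""
    allowed = set()
    for line in conf.splitlines():
        m = re.match(r"\s*rebind-domain-ok=(.+)", line)
        if m:
            allowed.update(d.lower() for d in m.group(1).split("/") if d)
    def covered(zone):
        labels = zone.lower().split(".")
        return any(".".join(labels[i:]) in allowed for i in range(len(labels)))
    return [z for z in zones if not covered(z)]

if __name__ == "__main__":
    print(dnsbl_query_name("187.75.83.45", "zen.spamhaus.org"))
    print(classify_answer("NOERROR", []))
    print(missing_rebind_ok(POST_CONF, ["zen.spamhaus.org", "dnsbl.sorbs.net"]))
```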
