On 13/09/2022 07:55, Cyril - ImprovMX via mailop wrote:
> Hi everyone!

> [...]
>
> Here's the Unbound configuration: https://pastebin.com/Bn7B3uCv (expires in
> a month).

> [...]
>
> 1. The first issue is that it seems that we are querying URIBL using random
> lower/upper case domains. We had queries such as:
>
>     - SoMeDoMaIn.cOM._custom_id.dF.URIbl.cOM
>     - AnOtHeRDoM.ApP._custom_id.dF.UrIbL.COM
>     - etc

You have set the use-caps-for-id option in unbound:
"Use 0x20-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns-0x20."

> 2. The other issue is even weirder. SA is trying to validate the domains by
> trimming the left part up to the gTLDs:
>
>     - some.domain.com._custom_id.df.uribl.com
>     - domain.com._custom_id.df.uribl.com
>     - com._custom_id.df.uribl.com <-- wtf?
>
> Somehow, something is trying to check up to the top TLD, where it's
> useless. Again, I can't understand why SA would do that.

This is probably unbound doing what it does, recursive resolving (from TLD all the way down).

Hope that helps,

--
Bernardo Reino

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
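
The 0x20 behaviour quoted above from the Unbound documentation, sketched as an added example (not part of the original thread and not Unbound's code): the resolver randomises letter case, the authority side looks the name up case-insensitively, and a reply is accepted only if it echoes the exact casing. The function names are hypothetical, and the query name is the placeholder from the message.

```python
import secrets

# Placeholder query name taken from the message above, in canonical lowercase.
PLAIN = "somedomain.com._custom_id.df.uribl.com"


def is_letter(c: str) -> bool:
    return c.isascii() and c.isalpha()


def encode_0x20(qname: str) -> str:
    """Flip each ASCII letter to upper or lower case with one random bit."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower()) if is_letter(c) else c
        for c in qname
    )


def reply_matches(sent: str, echoed: str) -> bool:
    """Resolver check: the reply's question name must match byte for byte."""
    return sent == echoed


def canonical(qname: str) -> str:
    """DNS names compare case-insensitively, so the zone lookup is unchanged."""
    return qname.lower()


def entropy_bits(qname: str) -> int:
    """One extra unpredictable bit per ASCII letter in the name."""
    return sum(is_letter(c) for c in qname)


if __name__ == "__main__":
    sent = encode_0x20(PLAIN)
    print("sent on the wire :", sent)
    print("looked up as     :", canonical(sent))
    print("extra bits       :", entropy_bits(PLAIN))
    print("genuine reply ok :", reply_matches(sent, sent))
    print("wrong-case reply :", reply_matches(sent, sent.swapcase()))
```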
