Re: How to prevent SA to make as112 calls?
At 05:09 28-04-2011, Michelle Konzack wrote:
> It has nothing to do with my Mailserver, because SA makes the requests
> to other DNS servers and then I get the UDP-Flood alarm...

See http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help-05

> 04/24/2011 23:52:56 **UDP flood** 192.168.0.69, 17549- 173.45.100.146, 53 (from COM1 Outbound)

You can create the zones mentioned in
http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones-15

Regards,
-sm
Re: How to prevent SA to make as112 calls?
On Thu, 28 Apr 2011 06:29:09 +0200, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
>   192.168.0.91   Workstation
>   192.168.0.69   Intranet Server
>   78.47.247.21   Mail-Relay
>   x.y.z.n        some_other_destination_server

fqdn first, non fqdn host last

  127.0.0.1 localhost.localdomain localhost

not as this

  127.0.0.1 localhost foo bar

>   192.168.0.91   Workstation
>   78.47.247.21   Mail-Relay
>   x.y.z.n        some_other_destination_server
>
> then it works. And it is definitively spamassassin which scores my
> mail VERY high which leads to rejecting my messages.

checking if rfc1918 ips are blacklisted on rbl is a waste of cpu time :)
Re: How to prevent SA to make as112 calls?
Hello Martin Gregorie,

On 2011-04-28 19:35:18, you hacked out the following:
> CORRECTIONS:
>
> That looks OK. I assume you've configured the server to be
> authoritative for the private.tamay-dogan.net domain, in which case:
>
> a) requests for unknown host names will be rejected immediately as
>    'unknown'

[ command 'dig ANY dns.private.tamay-dogan.net' ]--
dns.private.tamay-dogan.net. 14400 IN A 192.168.0.74
dns.private.tamay-dogan.net. 14400 IN RRSIG A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. FPdc7WqUMorG6dmXcQk4MqYoMYuJ9U7he1njvlmBvMYNmC0NIU2MtuYg aUNihHnNPZv4ZBA2+FyEaSM5AqWMQXX6botpdBrxgHewG6wVSCXaYdks XdL4udOeIWYBaHk6INHhz5Xr/FDFUKg5xg81xuShpp5ivte0dTwiKfyt 4BM=
dns.private.tamay-dogan.net. 86400 IN NSEC easybox.private.tamay-dogan.net. A RRSIG NSEC
dns.private.tamay-dogan.net. 86400 IN RRSIG NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. ii4Ev9wmqiKJV+zGD3rMZ0nzjh4OauxswC9qnAFgdPRyL12EszGkDW6j kxU/SNFoK1T6F2ojNOCVJjLDPjV3/yrVlKoWeB1EJZZFyzafXF3bKBYi WHlGaBiIX3Sf3c2d4pAYShwK1rBIiUyEvlcBVMRGNUshVdqscyRsacI+ bcQ=
private.tamay-dogan.net. 3600 IN NS dns.private.tamay-dogan.net.

real    0m0.019s
user    0m0.004s
sys     0m0.008s

[ command 'dig ANY spamassassin.private.tamay-dogan.net' ]--
private.tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real    0m0.020s
user    0m0.012s
sys     0m0.000s

[ command 'dig ANY spamassassin.tamay-dogan.net' ]--
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303072426 10800 3600 604800 86400

real    0m0.022s
user    0m0.000s
sys     0m0.008s

[ command 'time dig ANY spamer.foo.net' ]---
spamer.foobar.net. 300 IN A 208.87.32.68
foobar.net. 172799 IN NS ns1.hostingnet.com.
foobar.net. 172799 IN NS ns2.hostingnet.com.
ns1.hostingnet.com. 3600 IN A 208.87.32.72
ns2.hostingnet.com. 3600 IN A 64.69.82.199

real    0m0.976s
user    0m0.000s
sys     0m0.016s

> b) requests for unknown IPs in outside subnet 0 will be rejected
>                               ^^^
>    immediately as 'unreachable'

[ command 'time dig +all -x 192.168.5.5' ]--

; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37973
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.5.168.192.in-addr.arpa.      IN      ANY

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   37      IN      SOA     prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400

;; Query time: 0 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:27:41 2011
;; MSG SIZE  rcvd: 119

real    0m0.022s
user    0m0.008s
sys     0m0.008s

Oops?

The request was made on my Workstation 192.168.0.91 where the NS is
192.168.0.74. So, from the AUTHORITY SECTION I can see, my NS server
has asked the Internet (as a forwarder) and the response came from the
server prisoner.iana.org which is a part of the AS112 project.

Blocking anything except 192.168.0, 192.168.1 and 192.168.2 would mean
I have to setup blocks on 1000th of subnets...

> c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
>    where the machine is turned off will cause an anycast to be sent
>    out and will only be rejected when the request times out. The
>    default timeout for my (Linux) ping is 3 seconds.

Unknown IP:

[ command 'time dig +all -x 192.168.0.5' ]--

; <<>> DiG 9.6-ESV-R4 <<>> ANY +all -x 192.168.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49770
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.0.168.192.in-addr.arpa.      IN      ANY

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 38400   IN      SOA     dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. 1303058100 10800 3600 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Fri Apr 29 18:38:27 2011
;; MSG SIZE  rcvd: 116

real    0m0.030s
user    0m0.012s
sys     0m0.000s

valid hostname where the machine is turned off:

[ command 'dig ANY +all acc336.private.tamay-dogan.net' ]---

; DiG
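Added example, not code from the thread: a small Python model of sm's suggestion (serve the RFC 1918 reverse zones locally, as in draft-ietf-dnsop-default-local-zones) applied to the dig results above. Given the zones a resolver is authoritative for, it shows which reverse queries are answered locally and which, like 5.5.168.192.in-addr.arpa above, would otherwise be forwarded and end up at the AS112 servers, and it renders named.conf stanzas for the missing zones. The zone list, the path /etc/bind/db.empty and all function names are assumptions of this example.

```python
"""Which reverse-DNS queries leave the intranet, and the BIND config that stops
them. Added illustration for the thread, not the project's or the author's code."""
import ipaddress

# Reverse zones for RFC 1918, loopback and link-local space as listed in
# draft-ietf-dnsop-default-local-zones (the draft lists more; these are the
# ones relevant here). Assumed list, not read from any file.
LOCAL_REVERSE_ZONES = [
    "10.in-addr.arpa",
    *[f"{n}.172.in-addr.arpa" for n in range(16, 32)],
    "168.192.in-addr.arpa",
    "127.in-addr.arpa",
    "254.169.in-addr.arpa",
]


def reverse_name(ip):
    """192.168.5.5 -> '5.5.168.192.in-addr.arpa' (what 'dig -x' asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer


def _enclosing_zone(qname, zones):
    """Longest-suffix match: the closest enclosing zone, as a server picks it."""
    q = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if (q == z or q.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def local_zone_for(qname):
    """The default-local-zone that should cover qname, or None for public space."""
    return _enclosing_zone(qname, LOCAL_REVERSE_ZONES)


def classify_query(qname, authoritative_zones):
    """Where does a resolver send this query?
    ('local', zone)         answered from its own authoritative zone
    ('leaks-to-as112', z)   forwarded upstream although z is private space
    ('forwarded', None)     normal recursion for public space"""
    zone = _enclosing_zone(qname, authoritative_zones)
    if zone is not None:
        return ("local", zone)
    private = local_zone_for(qname)
    if private is not None:
        return ("leaks-to-as112", private)
    return ("forwarded", None)


def bind_empty_zone_config(zones=LOCAL_REVERSE_ZONES, zone_file="/etc/bind/db.empty"):
    """named.conf stanzas making BIND authoritative (and empty) for the zones.
    The file path is an assumption; any zone file holding just an SOA and NS
    record will do."""
    return "\n".join(
        f'zone "{z}" {{ type master; file "{zone_file}"; }};' for z in zones
    )


if __name__ == "__main__":
    # The server in the thread is authoritative only for its own /24 reverse zone.
    mine = ["0.168.192.in-addr.arpa"]
    for ip in ("192.168.0.5", "192.168.5.5", "8.8.8.8"):
        print(ip, classify_query(reverse_name(ip), mine))
    # With the empty zones added, nothing for private space leaves the box.
    for ip in ("192.168.0.5", "192.168.5.5"):
        print(ip, classify_query(reverse_name(ip), mine + LOCAL_REVERSE_ZONES))
    print(bind_empty_zone_config())
```

The longest-suffix rule matters for the second run: 5.0.168.192.in-addr.arpa is still answered from the more specific 0.168.192.in-addr.arpa zone, while 5.5.168.192.in-addr.arpa now hits the empty 168.192.in-addr.arpa zone and gets an immediate NXDOMAIN instead of a trip to prisoner.iana.org. BIND 9 also carries built-in empty zones for these names (the `empty-zones-enable` option); an explicit zone statement as rendered here takes precedence over the built-in one, so the behaviour no longer depends on that option or on how forwarding is configured.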
Re: How to prevent SA to make as112 calls?
On Tue, 26 Apr 2011 01:24:49 +0200, Michelle Konzack <linux4miche...@tamay-dogan.net> wrote:
> since I use a Vodafone Easybox 803A I have encountered, that SA is
> making of several 1000 as112¹ calls per day...

sa call on mobile phone ?

> My Intranet uses 192.168.0.* and *.private.tamay-dogan.net and works
> correctly, since ages, but can someone give me tips how to stop SA
> from checking for private IP's?

trusted_networks 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16

i am unsure about ipv6, could test it on my ipv6 host later

> ¹ http://public.as112.net/

sa wont care :)

as i read the page you like to have local cached dns rbl while testing
emails with spamassassin and still have dial on demand keep it offline ?

if thats the case you need to debug dns to see what triggers online
requests, to have such dns in rsync access lists, so rbl check does not
need online mode

rndc querylog
Re: How to prevent SA to make as112 calls?
Hello Michelle,

Thursday, April 28, 2011, 5:29:09 AM, you wrote:

MK> I do not know whether I should do this, because the 10.x.y.z comes
MK> from my ISP (Telefonica/O2) and from the view of my network, it is
MK> OUTSIDE.

Don't you want to trust back to 78.47.247.21 and no further?

-- 
Best regards,
 Niamh                          mailto:ni...@fullbore.co.uk
Re: How to prevent SA to make as112 calls?
Hello Niamh Holding,

On 2011-04-28 07:08:54, you hacked out the following:
> Don't you want to trust back to 78.47.247.21 and no further?

It has nothing to do with my Mailserver, because SA makes the requests
to other DNS servers and then I get the UDP-Flood alarm...

04/24/2011 23:52:56 **UDP flood** 192.168.0.69, 17549- 173.45.100.146, 53 (from COM1 Outbound)
04/24/2011 23:53:26 SMTP Succeed in sending alert mail.
04/24/2011 23:54:22 **UDP Flood Stop**
04/24/2011 23:54:52 SMTP Succeed in sending alert mail.
snip
04/26/2011 18:57:04 **UDP flood** 192.168.0.69, 22425- 84.53.146.21, 53 (from COM1 Outbound)
04/26/2011 18:57:06 **UDP flood** 192.168.0.69, 24812- 216.239.38.10, 53 (from COM1 Outbound)
04/26/2011 18:57:08 **UDP flood** 192.168.0.69, 37682- 80.157.149.228, 53 (from COM1 Outbound)
04/26/2011 18:57:10 **UDP Flood Stop** (from COM1 Outbound)
04/26/2011 18:57:34 SMTP Succeed in sending alert mail.
04/26/2011 18:58:04 SMTP Succeed in sending alert mail.
04/26/2011 18:58:34 SMTP Succeed in sending alert mail.
04/26/2011 18:59:05 SMTP Succeed in sending alert mail.

And the weird thing is, I was at a friend with my second EasyBox 803 A
and it has the same problem here... But now we disconnect the USB-GSM-
Stick and plugged in the ISDN/ADSL line and now the UDP-Floods are
gone.

Which means, it must have something to do with the private IP Address
range 10.x.y.z from Telefonica/O2, because on ADSL I have a public IP.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
# Debian GNU/Linux Consultant #
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL            itsystems@tdnet UG (limited liability)
Owner Michelle Konzack                 Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                      Kinzigstraße 17
67100 Strasbourg/France                77694 Kehl/Germany
Tel: +33-6-61925193 mobil              Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/     http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/
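Added example, not part of the thread: a parser for the EasyBox alert lines quoted in the message above, written to establish what the "UDP flood" alarms actually are before blaming any one program. It is plain Python over a constructed sample (the alert lines from the message plus the stop lines around them); the regular expression accepts the bare "-" between source port and destination as it appears in the mail as well as an "->" arrow, and the function names are this example's own.

```python
"""Triage of router 'UDP flood' alerts. Added illustration for the thread, not
code from the EasyBox or from SpamAssassin."""
import re
from collections import Counter

# Constructed sample: the lines quoted in the thread plus the surrounding
# stop/alert-mail lines the router writes.
ROUTER_LOG = """\
04/24/2011 23:52:56 **UDP flood** 192.168.0.69, 17549- 173.45.100.146, 53 (from COM1 Outbound)
04/24/2011 23:53:26 SMTP Succeed in sending alert mail.
04/24/2011 23:54:22 **UDP Flood Stop**
04/26/2011 18:57:04 **UDP flood** 192.168.0.69, 22425- 84.53.146.21, 53 (from COM1 Outbound)
04/26/2011 18:57:06 **UDP flood** 192.168.0.69, 24812- 216.239.38.10, 53 (from COM1 Outbound)
04/26/2011 18:57:08 **UDP flood** 192.168.0.69, 37682- 80.157.149.228, 53 (from COM1 Outbound)
04/26/2011 18:57:10 **UDP Flood Stop** (from COM1 Outbound)
"""

# Source port and destination are separated by '-' in the quoted mail; an
# '->' arrow (assumed original form) is accepted too.
FLOOD_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) \*\*UDP flood\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)-?>?\s*(?P<dst>[\d.]+), (?P<dport>\d+)"
    r" \(from (?P<iface>\w+) (?P<direction>\w+)\)$"
)


def parse_flood_events(text):
    """One dict per '**UDP flood**' line; stop and alert-mail lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FLOOD_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["sport"] = int(event["sport"])
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def summarise(events):
    """What the alarms really are: which host talks to which ports and where."""
    return {
        "sources": Counter(e["src"] for e in events),
        "dst_ports": Counter(e["dport"] for e in events),
        "destinations": Counter(e["dst"] for e in events),
        # True when every flagged burst is DNS traffic (destination port 53).
        "all_dns": bool(events) and all(e["dport"] == 53 for e in events),
    }


if __name__ == "__main__":
    summary = summarise(parse_flood_events(ROUTER_LOG))
    for key, value in summary.items():
        print(f"{key:13s} {value}")
```

Run over the sample, every alarm is a burst from 192.168.0.69 to port 53 on a different resolver, i.e. DNS queries rather than an attack, which is what the thread concludes. The next step is the resolver's query log (rndc querylog is mentioned in the thread) or a capture filtered on UDP port 53, to see which names are being asked for and whether they are reverse lookups for private space.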
Re: How to prevent SA to make as112 calls?
On Thu, 2011-04-28 at 06:29 +0200, Michelle Konzack wrote:
> Hello Martin Gregorie,
>
> On 2011-04-26 23:59:23, you hacked out the following:
> > Now I'm confused. AFAIK SA doesn't have any connection with AS112
> > lookups as either client or server - unless there's a plugin that
> > hasn't been mentioned on this list since I joined. If I'm wrong about
> > this I expect somebody will speak up and correct me

I've looked a little more into this and made this note for myself:

  The AS112 Project (The Nameservers at the End of the Universe) is
  intended to provide a clean, well defined destination for DNS queries
  concerning RFC1918 and other DSUA networks. The intention seems to be
  to intercept and reply to the anycasts that originate from a local DNS
  when it is sent a request for the IP of a valid name that happens to
  be offline or outside the private RFC1918 network. The intention is
  to prevent these requests from flooding out onto the wider internet.

It's quite easy to see this traffic with Wireshark: just send a request
to your local DNS server for the IP of a host that is either turned off
or has a valid A record but doesn't exist. The DNS realises it's been
sent a valid request that it can't answer, so it slaps an anycast out
to the net asking who recognises this name and/or IP. Running
'ping -c1 hostname' is a good trigger to show this behaviour.

If your router has an AS112 server in it but is still letting anycasts
asking about RFC1918 IPs such as 192.168.x.y or 10.x.y.z then it's
either disabled or misconfigured.

> Hmm, there are some enterprises or such which are checking ALL
> Received: headers using spamassassin instead of checking the most
> recent SMTPRelay and they are bouncing my messages because I send my
> messages over my intranet server to my SMTP-Relay
>
>   192.168.0.91   Workstation
>   192.168.0.69   Intranet Server
>   78.47.247.21   Mail-Relay
>   x.y.z.n        some_other_destination_server
>
> and if I send the mail like
>
>   192.168.0.91   Workstation
>   78.47.247.21   Mail-Relay
>   x.y.z.n        some_other_destination_server
>
> then it works. And it is definitively spamassassin which scores my
> mail VERY high which leads to rejecting my messages.

It sounds like 192.168.0.69 isn't in your trusted_networks list and
should be.

> Since not all incoming messages (I use fetchmail have this as112
> problem)

I also work this way except that I use getmail to read mail from the
POP3 server (my ISP's mailserver). I use getmail in place of fetchmail
because I got tired of the fetchmail bug that causes a list of unread
messages to build up on the POP3 server (I configure it to delete all
messages at the end of each fetch session and to ignore messages that
have been read). I configure getmail the same way and don't see any
problems with it.

I added the POP3 server to my trusted_networks list to prevent some
FPs. However, the mail redirection server run by my domain host, which
redirects mail to my ISP's mail server, is not on my trusted_networks
list and doesn't need to be.

> Since the UDP-Synflood mail claim, it comes from 192.168.0.69
> requesting port 53, it can only be spamassassin, because there no
> other tools making such requests.

Agreed - those are DNS lookups, probably caused by SA querying UBL
lists. Only Wireshark or another TCP packet monitor can tell you that
for sure.

> No, because to install an AS112 server you need a BGA-Router like
> quaga which I do not have on my GSM connection.

I thought you said there is one in your Vodafone EasyBox? As I asked
above, are you sure that server is configured correctly and enabled?

DNS queries for RFC1918 networks (in your case 10.x.y.z and 192.168.x.y
IP addresses) should never travel out of your network since they have
no meaning outside it.

> > I meant just to make sure that all IPs that you consider part of
> > your intranet are in zone files on your internal DNS (192.168.0.74)
> > and to
>
> I have the full zone here like:

That looks OK. I assume you've configured the server to be
authoritative for the private.tamay-dogan.net domain, in which case:

a) requests for unknown host names will be rejected immediately as
   'unknown'

b) requests for unknown IPs in subnet 0 will be rejected immediately as
   'unreachable'

c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
   where the machine is turned off will cause an anycast to be sent out
   and will only be rejected when the request times out. The default
   timeout for my (Linux) ping is 3 seconds.

Case C is one where an operating AS112 server in your router should
prevent the anycasts from leaving your intranet and will increase
throughput by eliminating the timeout.

> > I do this for exactly the same reason...
>
> OK, I have 12 servers and 3 workstations here, but /etc/hosts is no
> option.

Agreed - I don't think it's an option with more than two hosts on a
network.

> I do not know whether I should do this, because the 10.x.y.z comes
> from my ISP (Telefonica/O2) and from
Re: How to prevent SA to make as112 calls?
CORRECTIONS:

That looks OK. I assume you've configured the server to be
authoritative for the private.tamay-dogan.net domain, in which case:

a) requests for unknown host names will be rejected immediately as
   'unknown'

b) requests for unknown IPs in outside subnet 0 will be rejected
                              ^^^
   immediately as 'unreachable'

c) BUT requests for unknown IPs in subnet 0 or for valid hostnames
   where the machine is turned off will cause an anycast to be sent out
   and will only be rejected when the request times out. The default
   timeout for my (Linux) ping is 3 seconds.

Martin
Re: How to prevent SA to make as112 calls?
On Tue, 2011-04-26 at 01:24 +0200, Michelle Konzack wrote:
> Hi *,
>
> since I use a Vodafone Easybox 803A I have encountered, that SA is
> making of several 1000 as112¹ calls per day...
>
> My Intranet uses 192.168.0.* and *.private.tamay-dogan.net and works
> correctly, since ages, but can someone give me tips how to stop SA
> from checking for private IP's?
>
> ¹ http://public.as112.net/

How is the AS112 server in your Easybox configured? Can you configure
it to turn your local intranet addresses into local loopbacks?

From a quick scan of that website I'd guess that the AS112 server in
the Easybox has no 'local loopbacks' configured and so is defaulting to
sending lookups on them to the AS112 project's servers.

I wonder, too, if you could short-circuit the Easybox AS112 server by
running your own internal caching DNS server (using bind 8 or 9) and
configuring it to be authoritative for all valid Intranet addresses.
There is a suggestion on the AS112 project website that this is a good
thing to do.

Martin
Re: How to prevent SA to make as112 calls?
Hello Martin Gregorie,

On 2011-04-26 10:44:13, you hacked out the following:
> How is the AS112 server in your Easybox configured? Can you configure
> it to turn your local intranet addresses into local loopbacks?

This problem started, when I switched from DSL to GSM Service where in
GSM I have an IP 10.x.y.z. It seems, that spamassassin is confused
because I have a NS master private.tamay-dogan.net and a forwarder and
now traffic is not ending in a public dynamic IP but another private
one

  UMTS:            Verbunden
  Netzbetreiber:   o2 - de
  Signal:          UMTS (Gut)
  WAN IP:          10.165.11.117
  Subnetzmaske:    255.255.255.255
  Gateway:         10.165.11.117
  Primärer DNS:    192.168.0.74
  Sekundärer DNS:  217.47.247.21

Note 1: It was someone who told me it is as112 flooding

Note 2: 192.168.0.69 is the Intranet Server and 192.168.0.74 is my
        private DNS which currently runs on the same host because of a
        broken server. Also 192.168.0.74 is the MASTER for my
        dns1.tamay-dogan.net plus dns2 and dns3.

> From a quick scan of that website I'd guess that the AS112 server in
> the Easybox has no 'local loopbacks' configured and so is defaulting
> to sending lookups on them to the AS112 project's servers.
>
> I wonder, too, if you could short-circuit the Easybox AS112 server by
> running your own internal caching DNS server (using bind 8 or 9) and
> configuring it to be authoritative for all valid Intranet addresses.
> There is a suggestion on the AS112 project website that this is a
> good thing to do.

But if I change the two DNS to 0.0.0.0 I will get the one of my
provider which are crap...

> Martin

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
Re: How to prevent SA to make as112 calls?
On Tue, 2011-04-26 at 20:23 +0200, Michelle Konzack wrote:
> This problem started, when I switched from DSL to GSM Service where in
> GSM I have an IP 10.x.y.z. It seems, that spamassassin is confused
> because I have a NS master private.tamay-dogan.net and a forwarder and
> now traffic is not ending in a public dynamic IP but another private
> one

Now I'm confused. AFAIK SA doesn't have any connection with AS112
lookups as either client or server - unless there's a plugin that
hasn't been mentioned on this list since I joined. If I'm wrong about
this I expect somebody will speak up and correct me

If SA is involved I'd expect that means that your 'trusted_networks'
list is missing an entry. Should 10.165.11.117 be included in the
'trusted_networks' list?

Can you look at logs and/or run Wireshark to verify that (a) your
system is generating AS112 messages and, if it is generating them, (b)
see where they are coming from? If this traffic is due to SA doing UBL
lookups, Wireshark should soon show that's the case.

>   UMTS:            Verbunden
>   Netzbetreiber:   o2 - de
>   Signal:          UMTS (Gut)
>   WAN IP:          10.165.11.117
>   Subnetzmaske:    255.255.255.255
>   Gateway:         10.165.11.117
>   Primärer DNS:    192.168.0.74
>   Sekundärer DNS:  217.47.247.21
>
> Note 1: It was someone who told me it is as112 flooding

Does this mean that there may not be an AS112 server anywhere in your
intranet?

> But if I change the two DNS to 0.0.0.0 I will get the one of my
> provider which are crap...

I didn't mean that drastic a change! I meant just to make sure that all
IPs that you consider part of your intranet are in zone files on your
internal DNS (192.168.0.74) and to add any that are missing. I do
exactly that because I find it easier to maintain one zone file on a
local DNS than to fiddle with dynamic addressing or to maintain
/etc/hosts files for the various boxes on my fairly small network, not
to mention boxes that don't have accessible host files, e.g. my SB
Touch.

However, as changing SA's trusted_networks list is easier to do, I'd
try that first.

Martin
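Added example, not SpamAssassin's own code: a simplified Python model of the trust-path walk behind the trusted_networks advice in this message and in Martin's reply of 28 April (that 192.168.0.69 belongs in the list). The relay list is constructed from hosts named in the thread (intranet server 192.168.0.69, relay 78.47.247.21) plus 208.87.32.68, an address that appears in the thread's dig output, standing in for an outside sender. The walk is reduced to one rule, trust is contiguous from the most recent hop; SA's fuller handling (internal_networks, msa_networks, MX checks) is not modelled, and the function names are this example's own.

```python
"""Which relay hops end up untrusted, and which of those are private addresses.
Added illustration for the thread; not SpamAssassin code, a simplified model."""
import ipaddress

# RFC 1918 space: lookups for these hops have no meaning outside the intranet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_trusted_networks(line):
    """'trusted_networks 192.168.0.0/16 78.47.247.21' -> list of networks.
    A bare address becomes a /32, matching SA's own syntax."""
    tokens = line.split()
    if tokens and tokens[0] == "trusted_networks":
        tokens = tokens[1:]
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def split_trust_path(hops, trusted):
    """hops: relay IPs most-recent-first, the order Received: headers appear.
    Trust is contiguous from the top: the walk stops at the first hop that is
    in no trusted network, and that hop plus everything beyond it is untrusted."""
    trusted_hops, untrusted_hops = [], []
    still_trusted = True
    for hop in hops:
        addr = ipaddress.ip_address(hop)
        if still_trusted and any(addr in net for net in trusted):
            trusted_hops.append(hop)
        else:
            still_trusted = False
            untrusted_hops.append(hop)
    return trusted_hops, untrusted_hops


def rfc1918_hops(hops):
    """The hops whose DNSBL or reverse lookups could only be answered locally."""
    return [h for h in hops
            if any(ipaddress.ip_address(h) in net for net in RFC1918)]


def lookup_plan(hops, trusted_line):
    """Summary for one trusted_networks setting: what is trusted, what is not,
    and which untrusted hops are private space."""
    trusted_hops, untrusted_hops = split_trust_path(
        hops, parse_trusted_networks(trusted_line))
    return {"trusted": trusted_hops,
            "untrusted": untrusted_hops,
            "private_lookups": rfc1918_hops(untrusted_hops)}


if __name__ == "__main__":
    # Constructed path as seen by the intranet's own SA: intranet server,
    # then the mail relay, then an outside sender (address taken from the thread).
    HOPS = ["192.168.0.69", "78.47.247.21", "208.87.32.68"]
    for line in ("trusted_networks 78.47.247.21",
                 "trusted_networks 192.168.0.0/16 78.47.247.21"):
        print(line)
        print("   ", lookup_plan(HOPS, line))
```

With only the relay trusted, the walk stops at the very first hop, so nothing is trusted and 192.168.0.69 is among the hops a scanner would treat as external; with the intranet range listed as well, the trust boundary sits at the relay and the only untrusted hop is the outside sender. That is the difference between "checking RFC 1918 IPs on an RBL", as an earlier reply in the thread puts it, and checking only the hop that actually handed the mail to the relay.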
How to prevent SA to make as112 calls?
Hi *,

since I use a Vodafone Easybox 803A I have encountered, that SA is
making of several 1000 as112¹ calls per day...

My Intranet uses 192.168.0.* and *.private.tamay-dogan.net and works
correctly, since ages, but can someone give me tips how to stop SA
from checking for private IP's?

¹ http://public.as112.net/

Thanks, Greetings and nice Day/Evening
    Michelle Konzack