Root Cause Analysis (in order):
1) DNSWL does not provide blocked codes. That deviates from
most DNS-query-based systems.
On 24.09.24 20:43, Matthias Leisi wrote:
This is wrong.
On 26/09/24 01:20, Matus UHLAR - fantomas wrote:
I have checked with 1.1.1.1, where queries only return 127.0.10.3
It would help SA (and perhaps also DNSWL) if DNSWL returned
127.0.0.255 in addition to 127.0.10.3
- there is already a rule to suspend:
header RCVD_IN_DNSWL_BLOCKED
eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$')
dns_block_rule RCVD_IN_DNSWL_BLOCKED list.dnswl.org
On 26.09.24 18:11, Peter wrote:
I'm not very proficient at SA rules so I won't attempt to write one
for this, but perhaps this would help:
$ dig amiblocked.dnswl.org txt @1.1.1.1 +short
"You are blocked from using list.dnswl.org through public nameservers"
"yes"
$ dig amiblocked.dnswl.org txt @127.0.0.1 +short
"no"
It looks like the above test is definitive and works regardless of
what other codes might be returned.
% dig amiblocked.dnswl.org txt @1.1.1.1
amiblocked.dnswl.org. 300 IN TXT "no"
However, this needs one more DNS lookup, which is the opposite of what we
need.
BTW, today I get different results for open resolvers: 1.1.1.1 and 9.9.9.9
return 127.0.6.2, 8.8.8.8 returns nothing (it was 127.0.10.3 a while ago).
Many DNSBLs support a BLOCKED reply, but only Spamhaus supports a different
reply for open resolvers: BLOCKED_OPENDNS (127.255.255.254).
SA reacts to BLOCKED by pausing for dns_block_time (default 300) seconds.
Of course, SA can't depend on the Spamhaus reply with other DNSBLs, mostly
because of different blocking criteria.
...as I said, if DNSWL returned BLOCKED in addition to HIGH, it would help
SA at least a bit.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
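The two detection approaches discussed in the thread, side by side, as an added example that is not part of the original mails and not SpamAssassin's or DNSWL's own code: the octet regexes are modelled on SpamAssassin's stock RCVD_IN_DNSWL_* sub-rules plus the BLOCKED pattern quoted above, the resolver is an injectable function so the script runs offline against constructed answers (the 127.0.10.3 / 127.0.6.2 / amiblocked TXT values are the ones reported in the thread, copied here as sample data; 192.0.2.1 is an RFC 5737 documentation address), and the "proposed" resolver table shows what the same single query would yield if DNSWL added a 127.0.0.255 record as requested.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Octet patterns modelled on SpamAssassin's DNSWL sub-rules: the answer is
# 127.0.<category>.<trust>; the BLOCKED pattern is the one quoted in the thread.
DNSWL_RULES = {
    "RCVD_IN_DNSWL_NONE": re.compile(r"^127\.0\.\d+\.0$"),
    "RCVD_IN_DNSWL_LOW": re.compile(r"^127\.0\.\d+\.1$"),
    "RCVD_IN_DNSWL_MED": re.compile(r"^127\.0\.\d+\.2$"),
    "RCVD_IN_DNSWL_HI": re.compile(r"^127\.0\.\d+\.3$"),
    "RCVD_IN_DNSWL_BLOCKED": re.compile(r"^127\.0\.\d+\.255$"),
}
DNSWL_ZONE = "list.dnswl.org"
AMIBLOCKED_NAME = "amiblocked.dnswl.org"

# A resolver is any callable (qname, rrtype) -> list of record strings.
Resolver = Callable[[str, str], List[str]]


def dnswl_query_name(ip: str) -> str:
    """Reverse the octets for the DNSBL-style lookup: 192.0.2.1 -> 1.2.0.192.list.dnswl.org."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + DNSWL_ZONE


def match_dnswl_rules(a_records: List[str]) -> set:
    """Return the set of sub-rule names whose pattern matches any A record."""
    return {rule for rec in a_records for rule, rx in DNSWL_RULES.items() if rx.match(rec)}


def amiblocked(txt_records: List[str]) -> bool:
    """True if the amiblocked TXT answer contains a bare "yes" record."""
    return any(rec.strip().strip('"').strip().lower() == "yes" for rec in txt_records)


def evaluate(ip: str, resolver: Resolver, dns_block_time: int = 300) -> Dict[str, object]:
    """Classify one sender IP and decide whether DNSWL lookups should be suspended.

    If the A answer itself carries a BLOCKED code, one lookup is enough (the
    behaviour requested in the thread).  Otherwise fall back to the extra
    amiblocked TXT query, which is what the thread calls "one more DNS lookup".
    """
    hits = match_dnswl_rules(resolver(dnswl_query_name(ip), "A"))
    lookups = 1
    blocked = "RCVD_IN_DNSWL_BLOCKED" in hits
    if not blocked:
        lookups += 1
        blocked = amiblocked(resolver(AMIBLOCKED_NAME, "TXT"))
    return {
        "hits": sorted(hits),
        "blocked": blocked,
        # mirrors SA's dns_block_time pause; whitelist hits from a blocked
        # resolver should not be scored, since every query returns the same code
        "suspend_seconds": dns_block_time if blocked else 0,
        "lookups": lookups,
    }


def make_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver from a constructed (qname, rrtype) -> records table."""
    def resolve(qname: str, rrtype: str) -> List[str]:
        return list(table.get((qname, rrtype), []))
    return resolve


# Constructed sample data (values as reported in the thread, address per RFC 5737).
TEST_IP = "192.0.2.1"
QNAME = dnswl_query_name(TEST_IP)

PUBLIC_RESOLVER = make_resolver({           # what 1.1.1.1 returned: HI for everything
    (QNAME, "A"): ["127.0.10.3"],
    (AMIBLOCKED_NAME, "TXT"): [
        '"You are blocked from using list.dnswl.org through public nameservers"',
        '"yes"',
    ],
})
LOCAL_RESOLVER = make_resolver({            # a local, non-blocked resolver
    (QNAME, "A"): ["127.0.6.2"],
    (AMIBLOCKED_NAME, "TXT"): ['"no"'],
})
PROPOSED_RESOLVER = make_resolver({         # hypothetical: BLOCKED code added to the A answer
    (QNAME, "A"): ["127.0.10.3", "127.0.0.255"],
    (AMIBLOCKED_NAME, "TXT"): ['"yes"'],
})

if __name__ == "__main__":
    for label, resolver in (("public", PUBLIC_RESOLVER),
                            ("local", LOCAL_RESOLVER),
                            ("proposed", PROPOSED_RESOLVER)):
        print(label, evaluate(TEST_IP, resolver))
```

The "public" table needs two lookups to discover that the HI hit is worthless, the "proposed" table gets the same verdict from the single A query that SA already issues, and the "local" table still pays for the TXT fallback even though nothing is wrong, which is the cost the thread objects to.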