RBL timing out {Scanned by WPPi.Net} {Scanned}

SW wppiphoto at wppi.com
Wed Dec 24 03:09:18 GMT 2003


Trever,

Thanks for the info! Please see below for some answers to your questions:

> You didn't answer the question of whether your system is its own DNS
> server

Yes, this system is one of our DNS servers which mailscanner/spamassassin
runs on.

> then you would have to explicitly add dns servers for every site that you
> browse to

No, we don't have to add dns servers for every site we visit. Sites that our
DNS server can't reach due to our firewall blocking incoming packets from
that IP block just don't show up.

>  What "nameserver" lines do you have in your /etc/resolv.conf?

nameserver <IP Address of Local server which runs MS/SA>
nameserver <IP Address of secondary Local Server>

> your internal dns server only needs network access to the ISP dns servers

Our internal DNS server speaks directly with the root DNS servers (InterNIC),
which then point us to the DNS server responsible for a particular domain (i.e.
ordb.org). So, there is no ISP dns server between our dns server and the
Internet.

Imagine a network which sits behind a firewall which blocks an entire IP
block (e.g. 45.0.0.0) and a DNS server sits behind this firewall. Let's say
that a user behind this firewall wants to get to a domain mysite.com. The
DNS server behind the firewall goes out to the root DNS servers of InterNIC
to try to find out who is handling name resolution for the mysite.com domain.
When the InterNIC root DNS servers respond to the DNS server behind the firewall
that the domain mysite.com records are located at DNS server 45.0.0.1, the
DNS server (which is behind the firewall) will never be able to get to the
mysite.com DNS server because the firewall has blocked all traffic coming in
from the 45.0.0.0 IP block, and it therefore fails to resolve it. This is what is
happening in our situation.

Basically, to get around this, we have to open up a particular IP number and
TCP or UDP port 53 to allow traffic to come in from mysite.com DNS server at
45.0.0.1 for the DNS server to work and then open up another IP address and
TCP port 80 for the domain mysite.com.

Hope this makes sense or not. :-)

Thanks,

SW
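As an added example (not code from anyone in this thread), the following Python helper applies the checks Matt and Trever describe: it reads the "nameserver" lines of a resolv.conf to decide whether this host is its own resolver or depends on other servers that must be able to reach the RBL zones, and it builds the DNSBL query name that MailScanner/SpamAssassin send for a client IP. The zone name relays.ordb.org, the sample resolv.conf and all addresses are assumptions.

```python
"""Constructed example: which machine must be able to reach the RBL name
servers, and what DNS name an RBL check actually asks for."""
import ipaddress
import socket

# Addresses that mean "this host resolves for itself" (the 'localhost' case).
SELF_ADDRESSES = {"127.0.0.1", "::1"}

# Constructed sample resolv.conf: local MS/SA host first, secondary internal server.
EXAMPLE_RESOLV_CONF = """# constructed sample
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53   ; secondary internal server
"""

def parse_nameservers(resolv_conf_text):
    """Return the 'nameserver' entries, in order, skipping comment lines."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers

def resolver_role(nameservers, own_addresses):
    """'self' when every nameserver is localhost or one of this host's own
    addresses (then THIS host must reach arbitrary DNS servers on port 53);
    otherwise 'other' (the listed servers must be able to reach the RBL zones)."""
    own = set(own_addresses) | SELF_ADDRESSES
    if nameservers and all(ns in own for ns in nameservers):
        return "self"
    return "other"

def dnsbl_query_name(ip, zone):
    """DNSBL checks reverse the octets under the list's zone:
    192.0.2.45 -> 45.2.0.192.<zone>. The zone is an assumed value."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_lookup(ip, zone="relays.ordb.org"):
    """'listed', 'clean', or 'timeout' (EAI_AGAIN: the resolver gave up, which
    is the condition MailScanner logs as 'RBL Check ... timed out')."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return "listed"
    except socket.gaierror as err:
        if err.errno == getattr(socket, "EAI_AGAIN", -3):
            return "timeout"
        return "clean"
```

dnsbl_lookup needs working network access and is there to show how a firewall-blocked resolver surfaces as a temporary failure rather than a clean answer; the other functions run offline.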

----- Original Message -----
From: "Furnish, Trever G" <TGFurnish at herff-jones.com>
To: "'SW'" <wppiphoto at wppi.com>; <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Tuesday, December 23, 2003 5:27 PM
Subject: RE: RBL timing out {Scanned by WPPi.Net}


If that were true and a complete picture of your dns setup, then you would
have to explicitly add dns servers for every site that you browse to -
therefore I suspect you're confused about your own setup.  Anything's
possible of course...

I'm betting that you currently allow your dns servers to either:
1) connect to any other server for dns queries
or
2) connect to a couple of ISP dns servers that do recursive queries
for you.

You didn't answer the question of whether your system is its own DNS server
(i.e. /etc/resolv.conf contains only one nameserver entry and that entry lists
the system's own ip address), but what it comes down to is that you just
need to be able to do dns lookups from this system and whatever DNS server
you query must in turn be able to query the RBL zones that you want to use.
Once that's working, you'll be good to go.

Typical set-up for most firewalled companies would be:

Mailscanner
|
|
V
Internal DNS server
|
|
V
-------- Firewall / Access Lists ----------
|
|
V
ISP DNS servers
|
|
V
RBL DNS servers

In that set-up, your internal dns server only needs network access to the
ISP dns servers, which handle the query against the RBL name servers on your
behalf.

What "nameserver" lines do you have in your /etc/resolv.conf?  Localhost,
internal dns servers, or isp dns servers?

--
Trever


> -----Original Message-----
> From: SW [mailto:wppiphoto at wppi.com]
> Sent: Tuesday, December 23, 2003 4:46 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> Matt,
>
> Our firewall blocks entire IP blocks with no traffic
> coming-in or going-out.
> DNS is permitted to go out but only to those IP blocks which are not
> blocked. The only way I see I can get RBL to work is by inputting an IP
> address/range for the ORDB-RBL servers that mailscanner/spamassassin
> contact.
>
> Thanks,
>
> SW
> ----- Original Message -----
> From: "Matt Kettler" <mkettler at EVI-INC.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Tuesday, December 23, 2003 4:20 PM
> Subject: Re: RBL timing out {Scanned by WPPi.Net}
>
>
> At 04:08 PM 12/23/2003, SW wrote:
> >I'm trying to figure out what ip address and port(s) I need to open up on
> >my firewall to allow the use of ORDB-RBL w/ Mailscanner and spamassassin:
> >
> >MailScanner: RBL Check ORDB-RBL timed out and was killed, consecutive
> >failure 1 of 7
>
> It's a DNS query. You need to be able to do DNS resolution.
>
> If your MS/SA machine is its own resolving server, then it needs to be
> able to query to arbitrary DNS servers.
>
> If your MS/SA machine uses another server for resolution it needs to be
> able to talk to that DNS server, and that DNS server needs to be able to
> talk to query DNS servers.
>
> You can tell what machine is being used as a resolver by looking at
> /etc/resolv.conf. A machine that's its own resolver will have "localhost"
>
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by MailScanner, and
> is believed to be clean.
> -----------------------------------------
>