Re: Askdns problem ?

Carlos G Mendioroz via users Sun, 18 Sep 2022 04:06:18 -0700

Carlos G Mendioroz via users @ 17/9/2022 15:32 -0300 dixit:

Paul Stead @ 17/9/2022 15:04 -0300 dixit:
I was able to replicate this using an Unbound setup to not respond toUDP messages larger that 1500.
In the first instance I'd suggest checking your DNS server setup thatit's able to respond to UDP packets larger than ~1552 - 4096 isdefault on Unbound -
server:
         max-udp-size: 4096
I can confirm that AskDNS (and other DNS requests going viaasync->bgsend_and_start_lookup and resolver) don't fallback to TCP ifthe truncated bit is set - this is hardcoded in the DnsResolver.pmmodule. I have had some success in writing a patch for this which I'llsubmit to BZ after some cleanup.
Paul
Thanks.
I have been digging (pun intended :) and I see that askdns does fallback to TCP, but does not try to resolve the redirected SPF domain, Idon't know if that's because of the number of TXT RRs involved or what.
I've seen a bug(https://www.mail-archive.com/search?l=d...@spamassassin.apache.org&q=subject:%22%5C%5BBug+7777%5C%5D+askdns+problem+with+multi%5C-valued+resource+records%22&o=newest)related to not using multiple RRs values, but that seems not present on3.4.6.
-Carlos

Hmm, I was wrong, or confused. What I saw was my DNS server activity,not askdns activity. (i.e. TCP switching because of tuncated answer fromupstream). So after realizing this I upped server UDP size and it works.


Thanks again.
-Carlos

On Fri, 16 Sept 2022 at 22:05, Carlos G Mendioroz via users<users@spamassassin.apache.org <mailto:users@spamassassin.apache.org>>wrote:
    Hi,
    I'm facing a problem with SA, that seems to be related to askdns.

    Mail server on Ubuntu 22.04 LTS, spamassassin 3.4.6 via exim4. Local
    bind9 DNS server.

    Mail received from webex.com <http://webex.com> does not get SPF
    checked, which in turn
    triggers a local rule:
    meta DMARK_REJECT !(DKIM_VALID_AU || SPF_PASS || NO_RELAYS)

    Webex does not use DKIM, but it has a kind of complex SPF setup, that
    may be ok (not 100% sure, but they are cisco after all ?)

    After enabling debug I can see that the TXT query returns 0 RRs:

    Sep 16 11:45:39 doors spamd[462278]: askdns: answer received, rcode
NOERROR, query IN/TXT/webex.com <http://webex.com>, answer has 0records
    while dig has a different idea:

    dig -t TXT webex.com <http://webex.com>
    ;; Truncated, retrying in TCP mode.

    ; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> -t TXT webex.com
    <http://webex.com>
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56230
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: b7c24959678df920010000006324d83008d33f7982f281d1 (good)
    ;; QUESTION SECTION:
    ;webex.com <http://webex.com>.                     IN      TXT

    ;; ANSWER SECTION:
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=qXk-s_bdPaqiuaDN9jJCQjvNyw_hVkxXDhkm-1mZn14" webex.com <http://webex.com>. 300 IN TXT "slimtesttxt20170824002"
    webex.com <http://webex.com>.              300     IN      TXT
    "QuoVadis=c1bf1f71-e21f-4ef5-92d9-3285c488767a"
    webex.com <http://webex.com>.              300     IN      TXT
    "google-site-verification=BEWshakJYRMouwSQKX3vk5144-qUL1wwUWLU-XtfQ"
webex.com <http://webex.com>. 300 IN TXT "slimtesttxt20170824001" webex.com <http://webex.com>. 300 IN TXT "MS=ms74589643"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=BEWshakJYRMouwSQKX_3vk5_144-qUL1wwUWLU-XtfQ"
    webex.com <http://webex.com>.              300     IN      TXT
    "identrust_validate=5g4Ebjbv8fCTROWcobqHmDRBtTU+zBMHM1AiuGdcCbtd"
webex.com <http://webex.com>. 300 IN TXT "MS=ms61160488"
    webex.com <http://webex.com>.              300     IN      TXT
    "QuoVadis=5a740d9e-6664-4d4c-8d87-716da9d530a7"
webex.com <http://webex.com>. 300 IN TXT "MS=ms67549965"
    webex.com <http://webex.com>.              300     IN      TXT
    "identrust_validate=08N0ASND+yUGXL08IVK8mdMWNhvz1ZqiXe6WCC5eI2e/"
webex.com <http://webex.com>. 300 IN TXT "v=spf1
    redirect=_spf.webex.com <http://spf.webex.com>"
webex.com <http://webex.com>. 300 IN TXT "lqucp0f6u7alqi7kgrjo5vsov5"
    webex.com <http://webex.com>.              300     IN      TXT
    "QuoVadis=eed4c791-aa21-4b45-8c91-2d83a93af871"
webex.com <http://webex.com>. 300 IN TXT "lrg2pr6u4ubansuv47jtmmfd3p"
    webex.com <http://webex.com>.              300     IN      TXT     "
    ms93683787.msv1.invalid"
    webex.com <http://webex.com>.              300     IN      TXT
    "amazonses:n3XkGYyvmC8SrhX+CqICjY4eWnyKFwPo6mdHTMsmeu4="
webex.com <http://webex.com>. 300 IN TXT "9cef3rr776cnjs1cu53q6hrium"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=3NhfQ1u_2ogGy3CA8qlIfFtMlW_nhx-VO85vAhT15a0"
    webex.com <http://webex.com>.              300     IN      TXT
    "identrust_validate=bCd4oCoacz6pZ8C8/IRU0rItc1avij7uuIRBeMwUxa8T"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=t2i1Swk8XPQDj6Llz_4Uxu3OKL3wfO_aaxYylFmQ8MU" webex.com <http://webex.com>. 300 IN TXT "MS=ms93683787"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=Z4Iwv_W8wkGKrlaPKLdcm3C_LDCydAJD6z3L1MAP7DI"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=fHXTAHXgtW5_Dzt4PHZKGF2PAI0r6PEHqmHJbkxo4_k"
    webex.com <http://webex.com>.              300     IN      TXT
"google-site-verification=D1PXZV2EBUXGvgJdUWr3cahNprUgckDpzo8MgniDQHk"
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
    ;; WHEN: Fri Sep 16 17:10:24 -03 2022
    ;; MSG SIZE  rcvd: 1552
which leads me to believe askdns might not support tcp forresolving ?
    In any case, help ?
    TIA
-- Carlos G Mendioroz <t...@huapi.ba.ar<mailto:t...@huapi.ba.ar>> LW7 EQI Argentina


--
Carlos G Mendioroz  <t...@huapi.ba.ar>  LW7 EQI  Argentina

Re: Askdns problem ?

Reply via email to