False positive on SpamHaus
-
@joseph, I'm sorry, that might be awkward, but I would like to figure out what is wrong with Cloudron, since I'm the only person getting this error.
You mentioned that Cloudron relies on DNS server resolving - may I kindly ask you to let me know how exactly that works? What is getting called?
I would rather fix my system as opposed to hacking it even more and getting into trouble on the next update...
-
@potemkin_ai just a quick write-up explaining the whole thing.
DNSBL is a way to figure out whether an IP is a spammer or not. The DNSBL "protocol" is to do a DNS A record query for `<reverse-ip-address>.zen.spamhaus.org`. This is done using `host -t A <reverse-ip-address>.zen.spamhaus.org`.
Some DNSBL services such as zen spamhaus block resolution of DNS via open resolvers. If your server or network indirectly uses Google/Cloudflare DNS etc., then the above resolution will not work since the spamhaus service rejects the DNS requests (it's their policy).
On Cloudron, we use `unbound` - a DNS resolver. Its whole purpose is to do the DNS lookup on its own and not use external Google/Cloudflare etc. This runs on 127.0.0.150 (`systemctl status unbound`). On Cloudron, the equivalent is: `host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150` (i.e. look up via unbound). If you remove the 127.0.0.150 it will use your server's default DNS settings (most likely systemd-resolved).
If the above via unbound is not working on yours (as shown in your output), I can only think of three reasons:
- your server's IP is blacklisted
- you have configured unbound to forward requests to an open resolver
- your server/network uses some open resolver indirectly/without your knowledge
I don't have a step-by-step guide to debug this (tbh, I don't know how to figure out if a server/network uses an open resolver indirectly), but I think it might be easiest to reach out to SpamHaus to ask them if your server IP is blocked for a start. And if you have not added any explicit unbound config, you can then ask your VPS provider next.
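A worked version of the lookup described above, as an added example (not Cloudron's or Spamhaus's code): it builds the reversed-IP name, runs the same `host -t A <name> 127.0.0.150` command against the local unbound, and keeps the 127.255.255.x error answers Spamhaus returns for refused queries separate from a real listing. The code ranges it checks are taken from Spamhaus's published return-code documentation as I recall it, not from this thread, so verify them there.

```python
"""Spamhaus ZEN lookup helper (added example, not Cloudron's code).

Builds the <reversed-ip>.zen.spamhaus.org name from the thread, runs
the same `host -t A <name> 127.0.0.150` query against the local unbound,
and classifies the answer so a Spamhaus error code is never reported
as a listing.
"""
import ipaddress
import re
import subprocess

ZONE = "zen.spamhaus.org"
UNBOUND = "127.0.0.150"  # Cloudron's local unbound, per the thread


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """1.2.3.4 -> 4.3.2.1.zen.spamhaus.org (IPv4 only; raises on IPv6)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Turn the A-record answers into a verdict.
    Assumed ranges (from Spamhaus's return-code docs, not this thread):
    127.0.0.2-11 = listed; 127.255.255.x = error, e.g. .254 means the
    query arrived via a public/open resolver and was refused."""
    if not answers:
        return "not-listed"  # NXDOMAIN: nothing returned
    for a in answers:
        o = [int(x) for x in a.split(".")]
        if o[:3] == [127, 0, 0] and 2 <= o[3] <= 11:
            return "listed"
        if o[:2] == [127, 255]:
            return "error:" + a  # refused lookup, not a verdict
    return "unexpected:" + ",".join(answers)


def parse_host_output(text: str):
    """Pull the addresses out of `host -t A` output."""
    return re.findall(r"has address (\d+\.\d+\.\d+\.\d+)", text)


def check(ip: str, resolver: str = UNBOUND) -> str:
    """Run the thread's command and classify what comes back."""
    proc = subprocess.run(["host", "-t", "A", dnsbl_name(ip), resolver],
                          capture_output=True, text=True)
    return classify(parse_host_output(proc.stdout))
```

Calling `check(ip, resolver=None)` is not supported on purpose: dropping the 127.0.0.150 argument is exactly the path through the server's default DNS that the post says Spamhaus refuses, so an "error:127.255.255.254" verdict from unbound itself is the signal that unbound is forwarding to an open resolver.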
-
@girish thank you!
My DNS servers are set to Hetzner's ones, as per `resolvectl`.
I believe I messed up DNS unintentionally. unbound is up and running - how do I make sure the system uses it?
Or, to rephrase, how do you set up the system to use unbound initially?
-
@girish I am the second person having this problem. My ISP is Verizon FiOS with a static IP, and they provided specific DNS instructions. I double-checked my Cloud XG gateway from Unifi; it shouldn't use DNSSEC, but still SpamHaus is blocking, which is why I am getting a false positive.
I restarted netplan after applying the DNS directly in netplan, as provided, and it came back negative, but after a few seconds it went back to positive. Please see the next picture below.
-
@potemkin_ai @DualOSWinWiz one caveat I rediscovered recently (sorry, I forgot this entirely) is this file: https://git.cloudron.io/platform/box/-/blob/master/setup/start/unbound/prefer-ip4.conf?ref_type=heads
We do spamhaus queries via unbound. If your server has IPv6, then older versions of unbound might use IPv6, and SpamHaus often fails those queries. From Ubuntu 24, there is a flag to tell unbound to prefer IPv4 instead of IPv6. Does this situation apply to either of you? i.e. do you have Ubuntu < 24 and IPv6? If so, this might be the issue.
-
@girish IPv6 has been disabled wherever possible, but it seems like it can't be switched off completely, even with `sysctl` calls. But, yeah - I'm running 22.04 and the config file is not there.
Shall I create one at `/etc/unbound/unbound.conf.d/`? Will `systemctl restart unbound` be sufficient afterwards?
-
@potemkin_ai you have to upgrade Ubuntu for that option to work. The old unbound doesn't start with that option.
@girish afraid I can't do that at the moment...
I can see that I have unbound 1.13.1 on my Ubuntu.
From the issue discussion in 2021 I can see they are discussing that option with unbound 1.13; and unbound 1.13.1 was released on 9 Feb 2021 - which all leads me to believe that this option should be recognized... Unless I'm missing something?
-
@girish I have 24.04 and IPv6 is disabled
-
@girish already
-
@girish finally I figured out the problem: it was the Unifi Gateway (it was using content filtering in order to moderate the traffic, and using DNS). Once I turned that off, all turned green, and so far, for the last 3 hours, it's green.
-
@DualOSWinWiz would you mind elaborating how it affected you?
-
So there is a separate feature in the Unifi gateway to filter content, with the options None, Work and Family; I selected Work. The problem was that if you select either Family or Work, the firewall was migrating traffic to an open resolver regardless of the network settings. I turned off that feature and it worked out.
-
@DualOSWinWiz, thank you!
@girish, do you have some considerations, based on the information I've provided earlier?
-
-
@jdaviescoates said in URGENT:
In a post on an originally unrelated thread about IPv6 issues, @Gengar posted this link https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/, which I think explains what's going on with all these false positive spamhaus issues people are having:
The TL;DR seems to be: fill in this form https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/
-
@jdaviescoates thank you! I will keep that as a final resort!
@girish, I would much appreciate any additional information to work out those false positive alerts, as they shall be handled - as I highlighted earlier, the Ubuntu update doesn't seem to be relevant...
-
Those are two different issues actually.
-