<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class="">
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 28 Dec 2019, at 18:13, Gerben Wierda via unbound-users &lt;<a href="mailto:unbound-users@lists.nlnetlabs.nl" class="">unbound-users@lists.nlnetlabs.nl</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I am using unbound and rspamd.<div class=""><br class=""></div><div class="">Unbound is configured as follows (snippet)</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">forward-zone: </span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> name: "."</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> # Quad9 phishing/malware site blocking DNS 9.9.9.9</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> forward-addr: 9.9.9.9</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> # Quad9 2nd DNS</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> forward-addr: 149.112.112.112</span></div><div style="margin: 0px; font-stretch: normal; 
font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> # Fallback if Quad9 is out: Google:</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> # forward-addr: 8.8.4.4</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><br class=""></div><div class="">It seems that rspamd doesn’t like that, because the DNS masters for <a href="http://multi.uribl.com/" class="">multi.uribl.com</a> and <a href="http://dnl.dnswl.org/" class="">dnl.dnswl.org</a> apparently do not like getting a DNS query forwarded from public DNS servers. Which produces errors like:</div><div class=""><br class=""></div><div class=""><div style="font-family: Menlo; font-size: 11px; margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures;" class="">2019-12-28 17:47:20 #16267(controller) &lt;gp88ff&gt;; monitored; rspamd_monitored_dns_cb: DNS query blocked on <a href="http://multi.uribl.com/" class="">multi.uribl.com</a> (127.0.0.1 returned), possibly due to high volume</span></div><div style="font-family: Menlo; font-size: 11px; margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="font-variant-ligatures: no-common-ligatures;" class="">2019-12-28 17:47:20 #16267(controller) &lt;k7m6sm&gt;; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for <a href="http://dwl.dnswl.org/" class="">dwl.dnswl.org</a> while 'no records with this name' was expected when querying for '<a href="http://tte6_6bjcreyadp1do_tgob69-n7r.dwl.dnswl.org/" class="">TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org</a>'(likely DNS spoofing or BL internal issues)</span></div></div><div class=""><span style="font-variant-ligatures: no-common-ligatures;" 
class=""><br class=""></span></div><div class="">which breaks rspamd I think</div><div class=""><br class=""></div><div class="">So, I think (not sure) that I am supposed not to use a forwarder to a public DNS provider with rspamd. But that would mean I lose the advantage of Quad9. Hence, I was thinking that I might need to tell unbound an exception for these domains, sidestepping the forwarding. Is that possible? (Does it solve my issue? I don’t know but I’d like to try).</div></div></div></div></blockquote><div><br class=""></div><div>Adding to this: Assuming I understand the man page for unbound.conf, this is not possible. Given that I cannot define a forward per ’server’ (and only one server per unbound.conf), I need to have two unbound.conf files and two unbound servers. So I will have to set up two unbound resolvers, one listening on port 53 that does forwarding to the public DNS servers and one listening on port 5353 that doesn’t forward but does everything itself, each with its own unbound.conf file.</div><div><br class=""></div><div>Too bad I cannot define multiple servers in a single unbound.conf, each with its own forwards (stubs etc.). That would make life simpler.</div><div><br class=""></div><div><div>Gerben Wierda</div><div class=""><a href="http://enterprisechess.com/" class="">Chess and the Art of Enterprise Architecture</a></div><div class=""><a href="http://masteringarchimate.com/" class="">Mastering ArchiMate</a></div><div class=""><a href="https://www.infoworld.com/blog/architecture-for-real-enterprises/" class="">Architecture for Real Enterprises</a> at InfoWorld</div><div class=""><a href="https://eapj.org/on-slippery-ice/" class="">On Slippery Ice</a> at EAPJ</div></div></div><br class=""></body></html>