Unbound and senderbase.org requests

Hi all,

Long story short - we have a Cisco Ironport email security appliance. This device filters emails by reputation filtering. To do this, the device sends a DNS TXT request to senderbase.org, and based on the answer makes decisions about filtering mails.

But that is not working through Unbound.

This is the request and answer using Google free DNS:

dig @8.8.8.8 txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3460
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org. IN TXT

;; ANSWER SECTION:
1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org. 999 IN TXT "|0=2.5|1=0.0|2=0.4399|3=0.5|7=AvNDhLIaN|10=0,0|"

;; Query time: 195 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 18 08:29:16 EEST 2016
;; MSG SIZE rcvd: 170

As we can see, the request has an ANSWER SECTION, and Cisco Ironport uses these numbers for blocking e-mails (domains).

This is the request and answer using Unbound:

dig @UnboundIP txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @UnboundIP txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1480
;; QUESTION SECTION:
;1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org. IN TXT

;; Query time: 235 msec
;; SERVER: UnboundIP#53(UnboundIP)
;; WHEN: Mon Jul 18 09:53:42 EEST 2016
;; MSG SIZE rcvd: 110

Unbound returns ANSWER NXDOMAIN. Can someone help me with this? Thanks.

Hi Dimitar,

The query works for me, both with and without qname minimisation.

The name v1x2s.rf-adfe2ko9.senderbase.org. returns NXDOMAIN and this
is an error. But qname minimisation works around it (by assuming
non-DNSSEC servers cannot get NXDOMAIN right).

But with use-caps-for-id: yes I get NXDOMAIN as well. The server
cannot handle the fact that DNS does not distinguish between uppercase
and lowercase and treats those names differently. You could try to
get them to fix the software (and also for the NXDOMAIN problem noted
above). Or you can caps-whitelist: "senderbase.org" in unbound.conf
that will omit the dns-0x20 upper-lowercase changes to that domain name.

Best regards, Wouter
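
An added example, not part of the original thread and not Unbound's code: a simplified Python model of the dns-0x20 case randomization that use-caps-for-id enables, a server that matches names byte-for-byte as described above, and the caps-whitelist exemption. The function and class names and the DROPPED result are assumptions made for illustration; the query name and TXT value are the ones quoted in the thread.

```python
import secrets

# Query name and TXT answer as quoted in the thread.
QNAME = "1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org"
TXT = "|0=2.5|1=0.0|2=0.4399|3=0.5|7=AvNDhLIaN|10=0,0|"

def encode_0x20(qname, bits=None):
    """Set each letter's case from one bit of `bits` (random when omitted)."""
    letters = sum(c.isalpha() for c in qname)
    if bits is None:
        bits = secrets.randbits(max(letters, 1))
    out, i = [], 0
    for c in qname:
        if c.isalpha():
            out.append(c.upper() if (bits >> i) & 1 else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)

def caps_whitelisted(qname, whitelist):
    """True if qname equals or lies below a whitelisted domain (case-insensitive)."""
    name = qname.lower().rstrip(".")
    domains = [w.lower().rstrip(".") for w in whitelist]
    return any(name == d or name.endswith("." + d) for d in domains)

class CaseSensitiveAuth:
    """Hypothetical server model: matches names byte-for-byte, unlike real DNS."""
    def __init__(self, zone):
        self.zone = zone

    def query(self, qname):
        if qname in self.zone:  # the defect: 'Foo.org' and 'foo.org' differ here
            return "NOERROR", qname, self.zone[qname]
        return "NXDOMAIN", qname, None

def resolve(qname, auth, use_caps, whitelist=(), bits=None):
    """Simplified resolver step: returns (rcode, txt) for one upstream query."""
    sent = qname
    if use_caps and not caps_whitelisted(qname, whitelist):
        sent = encode_0x20(qname, bits)
    rcode, echoed, txt = auth.query(sent)
    if echoed != sent:  # 0x20 check: echoed question must keep the exact case
        return "DROPPED", None  # assumption: this model just discards the reply
    return rcode, txt

AUTH = CaseSensitiveAuth({QNAME: TXT})  # constructed zone data
```

Calling resolve(QNAME, AUTH, use_caps=True) gives NXDOMAIN against this server, while adding whitelist=["senderbase.org"] sends the name unchanged and returns the TXT record.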

Hi Wouter,

Disabling use-caps-for-id solved the issue. Thank you very much for helping!