Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] Submitter DNS name resolution and forgery detection

2013-08-05 by Johann Klasek

On Mon, Aug 05, 2013 at 11:55:46AM +0200, Jim Klimov wrote:
> Interesting off-topic came up today... I wonder if name resolution
> (via res_nquery()) can fall-back to file-based nsswitch as well, or
> if it just resolves its host's own name, at least on Solaris?

res_* does not use the nss_* framework (it's true for the way back).
nss_* provides hostname resolution for gethostbyname/addr.


> 
> Today there is a problem with LAN DNS (not available), and the internet
> DNS apparently does and should not know names for private IP addresses.
> Still, I see the host's own names resolved (yes, not calling greylist
> for $self at all - is on the menu):
> 
> Aug  5 13:41:59 ucs milter-greylist: [ID 471652 mail.debug] Incoming connection from host '[10.0.16.60]'
> Aug  5 13:41:59 ucs milter-greylist: [ID 308029 mail.debug] Got an unresolved host name [10.0.16.60], will try to resolve
> Aug  5 13:41:59 ucs milter-greylist: [ID 682236 mail.debug] Requesting PTR entry for 60.16.0.10.in-addr.arpa.
> Aug  5 13:41:59 ucs milter-greylist: [ID 646443 mail.debug] Got name 'ucs.domain.com' (1)
> Aug  5 13:41:59 ucs milter-greylist: [ID 779078 mail.debug] User jimklimov@... authenticated, bypassing greylisting
> Aug  5 13:41:59 ucs milter-greylist: [ID 703198 mail.debug] 0MR100I02XLZW500: addr = ucs.domain.com[10.0.16.60], from = <jimklimov@...>, rcpt = <jim@...>
> 
> 
> # nslookup 60.16.0.10.in-addr.arpa. 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> ** server can't find 60.16.0.10.in-addr.arpa.: NXDOMAIN

Not a PTR query?

> 
> 
> # nslookup 10.0.16.60 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> Non-authoritative answer:
> 60.16.0.10.in-addr.arpa name = ucs.domain.com.
> 
> Authoritative answers can be found from:
> 
> # nslookup -q=ptr 60.16.0.10.in-addr.arpa. 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> Non-authoritative answer:
> 60.16.0.10.in-addr.arpa name = ucs.domain.com.
> 
> Authoritative answers can be found from:
> 
> 
> I am pretty sure that the name-service clients were restarted recently
> and the name should not be cached from previous DNS replies... Still,
> interesting :)

Use a tracing tool to take a look behind the scenes ...

truss -f nslookup 10.0.16.60 8.8.8.8

> 
> Other names, including local zones on same machine also with entries
> in the /etc/hosts file, are not resolved this way...
> 
> 
> # nslookup -q=ptr 61.16.0.10.in-addr.arpa. 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> ** server can't find 61.16.0.10.in-addr.arpa.: NXDOMAIN
> 
> 
> So... here's a random bit of experience to contemplate ;)

I'm not aware of any newer frameworks in Solaris which may hook
in resolver calls. Maybe a Bind extension or functionality?

Johann
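
The direct-DNS lookup path discussed in this message, as an added example that is not part of the original post or of milter-greylist: it builds the same PTR question seen in the log and decodes the reply by hand, so nsswitch and /etc/hosts are never involved. All function names and the SAMPLE reply are constructed for illustration.

```python
import ipaddress, socket, struct

def encode_name(name):                  # length-prefixed labels, root-terminated
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def build_ptr_query(ip, txid=0x1234):
    """PTR question for ip: 10.0.16.60 -> 60.16.0.10.in-addr.arpa, type 12."""
    qname = encode_name(ipaddress.ip_address(ip).reverse_pointer)
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 12, 1)

def read_name(msg, off):                # returns (name, offset just past the name)
    labels, after = [], None
    for _ in range(128):                # bounded, so pointer loops cannot hang us
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", (off + 1 if after is None else after)
        if n & 0xC0 == 0xC0:            # compression pointer
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def parse_ptr_response(msg):
    """Return (rcode, [PTR targets]); rcode 3 is NXDOMAIN."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, names = 12, []
    for _ in range(qd):                 # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        if rtype == 12:
            names.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return flags & 0xF, names

def dns_ptr(ip, server, timeout=3.0):
    """Ask one DNS server directly, the way a res_query()-style lookup does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(ip), (server, 53))
        return parse_ptr_response(s.recv(4096))

# Constructed sample reply (not captured traffic): one PTR answer for 10.0.16.60.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + build_ptr_query("10.0.16.60")[12:]
          + b"\xc0\x0c" + struct.pack("!2HIH", 12, 1, 60, 16) + encode_name("ucs.domain.com"))
```

Comparing `dns_ptr(ip, server)` with `socket.gethostbyaddr(ip)`, which goes through the system resolver configuration, shows whether the two paths return different names for the same address.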
