
Plesk Email Security extension warning: DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved)


Applicable to:

  • Plesk for Linux

Symptoms

  • The Plesk Email Security extension shows the warning below after working correctly for some time:

    DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved).

  • The following records might be found in /var/log/plesk/panel.log with enabled debug logging:

    DEBUG [extension/email-security] [5e3e3f7a584fa] Starting: '/opt/psa/admin/bin/filemng' 'root' 'exec' '/' 'bash' '-c' 'host -tTXT 2.0.0.127.multi.uribl.com' '--allow-root', stdin:
    DEBUG [extension/email-security] [5e3e3f7a584fa] Finished in 0.11335s, Error code: 0, stdout: 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]" \

  • The manual check returns the same message:

    # host -tTXT 2.0.0.127.multi.uribl.com
    2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]"

Cause

The warning in the Plesk Email Security extension appears because URIBL is blocking the check queries that your server sends to its reputation list database.

This happens for one of the following reasons:

  • You are using public DNS resolvers (such as those by Google and Cloudflare) on the server, and a local DNS server (for caching) is not configured. Because of this, your email-related check queries towards URIBL, fewer than 1000 per day, are sent through public DNS resolvers, which is not allowed by them.

    Note: "Fewer than 1000 queries" is a number based on experience: the URIBL free service allows only a "low volume" of queries, but URIBL does not specify anywhere on its website what a "low volume" actually is.

  • If a local DNS server (for caching) is already configured on the server and you keep seeing such errors, then your local DNS server is deemed a "high volume" user of URIBL services, which is also not allowed on their free tier.

    Note: Again, based on experience only, if you send a few thousand queries per day, they deem you a "high volume" user and demand that you switch to their paid services in order to continue sending queries from your server to their reputation list.

Resolution

The solution depends on your current server configuration. The following options are available:

Public DNS resolvers, Local DNS server (for caching) not configured on the server and low volume of queries towards URIBL.

Configure a local DNS server to decrease the load on public DNS servers and be allowed to send queries to URIBL again.

Warning: Configuration of the local DNS server to cache requests is a task that has to be carried out by the server's own system administrator.

For example, systemd-resolved can be configured as described here: https://geekflare.com/linux-server-local-dns-caching/

Example steps for the BIND DNS server shipped with Plesk:
  1. Install the BIND DNS server component if it is not installed yet:

    Log into Plesk > Tools & Settings > Updates > Add and Remove Product Components > BIND DNS server > Install

  2. Connect to the server via SSH.
  3. Run a check against the test point:

    # host -tTXT 2.0.0.127.multi.uribl.com

    Usually, if caching is not enabled the response is:

    2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 203.0.113.2]"

  4. Run named-checkconf to check for syntax errors in the configuration files:

    # named-checkconf

  5. Add the local nameserver to the /etc/resolv.conf file:

    # vi /etc/resolv.conf

    Add to the top of the file:

    nameserver 127.0.0.1

  6. Restart the BIND service (named-chroot for CentOS, bind9 for Ubuntu/Debian):

    # service named-chroot restart || service bind9 restart

  7. Check that the service is running:

    # service named-chroot status || service bind9 status

  8. Wait a few minutes and then run the check against the endpoint again:

    # host -tTXT 2.0.0.127.multi.uribl.com

    This time the response should be:

    2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

    If the error persists, stop and disable the systemd-resolved service and replace 127.0.0.53 with 127.0.0.1 in /etc/resolv.conf.
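
The checks from steps 3, 5 and 8 can be scripted. The following is an added example, not part of the Plesk article or the extension; the function names and state labels are assumptions, and the sample inputs are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example: classify the URIBL test-point answer and the resolver order.
# Function names and state labels are hypothetical, not Plesk's.

# Constructed samples, modelled on the outputs quoted in this article.
SAMPLE_REFUSED='2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 203.0.113.2]"'
SAMPLE_OK='2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"'
SAMPLE_RESOLV='# constructed sample: the local entry is NOT at the top
;nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 127.0.0.1'

# Reads `host -tTXT 2.0.0.127.multi.uribl.com` output on stdin.
# Prints: ok | refused | unknown
classify_uribl_txt() {
    out=$(cat)
    case $out in
        *"permanent testpoint"*) echo ok ;;
        *"Query Refused"*)       echo refused ;;
        *)                       echo unknown ;;
    esac
}

# Reads resolv.conf text on stdin and prints the first active nameserver.
# Commented-out entries ("#..." or ";...") never match the keyword.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Prints: loopback | systemd-stub | external | none
resolver_state() {
    ns=$(first_nameserver)
    case $ns in
        127.0.0.1|::1) echo loopback ;;      # local caching server, as in step 5
        127.0.0.53)    echo systemd-stub ;;  # systemd-resolved stub, see step 8
        "")            echo none ;;
        *)             echo external ;;      # queries leave via another resolver
    esac
}

# Live check on the server: sh uribl-check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "resolver: $(resolver_state < /etc/resolv.conf)"
    echo "uribl:    $(host -tTXT 2.0.0.127.multi.uribl.com | classify_uribl_txt)"
fi
```

Run it with `--live` on the server; a result of `external` together with `refused` means the entry from step 5 is missing or is not the first nameserver line.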

Local DNS server (for caching) is configured on the server and high volume of queries towards URIBL.

Sign up for a paid service tier directly on https://uribl.com in order to be allowed to make a "high volume" of queries from your server.

Alternatively, disable the usage of the URIBL reputation list by following these steps:

  1. Log into Plesk
  2. Go to Extensions > My extensions > Plesk Email Security > Server Settings tab
  3. In Advanced > DNSBL, switch off the URIBL block list by moving its slider to the left

 


Comments

  • doesn't work, changes keep being reset to defaults

  • The change within /etc/resolv.conf works only until the next server restart

  • @Vincent Lauton

    there is a small mistake in point.7: service named-chroot status || service bind9 restart, please correct

  • None of this actually works. There is conflicting advice on various forums. My server is set to 127.0.0.1 as required in the BIND DNS tutorial, but the error message constantly appears. 

