Applicable to:
- Plesk Obsidian for Linux
Symptoms
- Plesk Email Security shows the warning below after working correctly for some time:
  PLESK_WARN: DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved).
- The following records might be found in /var/log/plesk/panel.log with debug logging enabled:
  DEBUG [extension/email-security] [5e3e3f7a584fa] Starting: '/opt/psa/admin/bin/filemng' 'root' 'exec' '/' 'bash' '-c' 'host -tTXT 2.0.0.127.multi.uribl.com' '--allow-root', stdin:
  DEBUG [extension/email-security] [5e3e3f7a584fa] Finished in 0.11335s, Error code: 0, stdout: 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]" \
- The manual check returns the same message:
  # host -tTXT 2.0.0.127.multi.uribl.com
  2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]"
Cause
A local DNS server (for caching) is not configured on the server.
When a server handles many incoming/outgoing emails that go through a spam check against block lists such as URIBL, it might abuse the public DNS lookup provided by such services and get blocked after a certain number of successful checks. After that, the corresponding warning appears in the Plesk Email Security extension.
Resolution
Warning: Configuring the local DNS server to cache requests is a task that has to be performed by a server administrator.
Configure a local DNS server to decrease the load on public DNS servers and avoid blocks on the URIBL side.
For example, systemd-resolved can be configured as described here: https://geekflare.com/linux-server-local-dns-caching/
1. Install the BIND DNS server component if it is not installed yet:
   Log into Plesk > Tools & Settings > Updates > Add and Remove Product Components > BIND DNS server > Install
2. Connect to the server via SSH.
3. Run a check against the test point:
   # host -tTXT 2.0.0.127.multi.uribl.com
   Usually, if caching is not enabled, the response is:
   2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 203.0.113.2]"
4. Run named-checkconf to check for syntax errors in the configuration files:
   # named-checkconf
5. Add the local nameserver to the /etc/resolv.conf file:
   # vi /etc/resolv.conf
   Add to the top of the file:
   nameserver 127.0.0.1
6. Restart the BIND service (named-chroot for CentOS, bind9 for Ubuntu/Debian):
   # service named-chroot restart
7. Check that the service is running:
   # service named-chroot status
8. Wait a few minutes and then run the check against the endpoint again:
   # host -tTXT 2.0.0.127.multi.uribl.com
   This time the response should be:
   2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
Note: If URIBL is not needed, it can simply be disabled:
- Log into Plesk
- Go to Extensions > My extensions > Plesk Email Security > Server Settings tab > Advanced > DNSBL
- Switch off the URIBL block list
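A small helper for the checks in the resolution steps above, added here as an example (not Plesk's own code): it classifies the testpoint reply and lists which nameserver lines the glibc resolver will actually use, since resolv.conf(5) honours only the first three (MAXNS). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Plesk.

# Classify the output of: host -tTXT 2.0.0.127.multi.uribl.com
classify_testpoint() {
    case "$1" in
        *"permanent testpoint"*) echo ok ;;       # lookups are being answered
        *"Query Refused"*)       echo refused ;;  # resolver is blocked by URIBL
        *)                       echo unknown ;;  # timeout, NXDOMAIN, etc.
    esac
}

# Print the nameservers glibc will use from a resolv.conf-style file.
# Assumption: glibc resolver, which reads at most MAXNS = 3 entries.
effective_nameservers() {
    awk '$1 == "nameserver" && n < 3 { print $2; n++ }' "$1"
}

# Succeed if the first nameserver is a loopback address, i.e. a local
# caching resolver is asked before any public one.
first_ns_is_local() {
    case "$(effective_nameservers "$1" | head -n 1)" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample: four entries, as can happen when a local resolver is
# prepended to an existing list of three.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed resolv.conf sample
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 127.0.0.53
EOF
effective_nameservers "$sample"   # the fourth entry is not printed
first_ns_is_local "$sample" && echo "local resolver is queried first"

# Live check (needs network access and the host utility): run with --live.
if [ "${1:-}" = "--live" ]; then
    classify_testpoint "$(host -tTXT 2.0.0.127.multi.uribl.com 2>&1)"
fi
```
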
Comments
5 comments
Hi,
Can this be updated for Plesk Obsidian, Ubuntu 18?
service named-chroot restart
Failed to restart named-chroot.service: Unit named-chroot.service not found.
service named-chroot status
Unit named-chroot.service could not be found.
Andrei L
Please check step 6:
Restart BIND service (named-chroot for CentOS, bind9 is Ubuntu/Debian):
So for Ubuntu it should be # service bind9 restart
I don't think the instructions are entirely correct. Manual changes in the /etc/resolv.conf file are overwritten with each restart of the server or the systemd-resolve service.
I received the warning message "DNS caching is disabled!".
I correctly followed the instructions, receiving the message "permanent testpoint" at the end, and that appears to be configured well; in fact the previous warning message has disappeared.
But the weird thing is that if I run the command for the status info again, all the lines at the end (named[xxxxx] etc.) appear with a connection error, even if I add the "nameserver 127.0.0.1" on top of the other IP I have in that file, or if I leave only nameserver 127.0.0.1 there (deleting the other IP I have there).
I tried all the combinations, and in every case there is a connection error in those named[xxxxx] lines at the end.
Only if I don't insert "nameserver 127.0.0.1" at the top of that file (leaving everything as before) are all the named[xxxxx] connections confirmed when using the command "service .. status".
So I left everything as it was before.
These instructions are odd to me. I'm on Ubuntu. These are the entries in /etc/resolvconf/resolv.conf.d/head:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 8.8.8.8
nameserver 8.8.4.4
Do I need to add nameserver 127.0.0.1 there as well? I have read that the maximum number of nameservers in /etc/resolv.conf is 3 which is what I have already.
edit: I modified the /etc/resolvconf/resolv.conf.d/head to be the following and now the error message has disappeared.
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
Now when I run the following it seems to work
# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
Also, checking the file /etc/resolv.conf shows the four name servers. Not sure if this will be a problem or maybe the 127.0.0.53 doesn't count as one???
# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 127.0.0.53