Articles in this section

See more

Plesk Email Security: DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved)

Avatar
Mikhail Shport
Updated
Follow
kb: technical ext: pes ABT: Group B Plesk Obsidian for Linux

Applicable to:

  • Plesk Obsidian for Linux

Symptoms

  • Plesk Email Security shows the warning below after some time of a correct work:

    PLESK_WARN: DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved).

  • The following records might be found in /var/log/plesk/panel.log with enabled debug logging:

    CONFIG_TEXT: DEBUG [extension/email-security] [5e3e3f7a584fa] Starting: '/opt/psa/admin/bin/filemng' 'root' 'exec' '/' 'bash' '-c' 'host -tTXT 2.0.0.127.multi.uribl.com' '--allow-root', stdin:
    DEBUG [extension/email-security] [5e3e3f7a584fa] Finished in 0.11335s, Error code: 0, stdout: 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]" \

  • The manual check returns the same message:

    # host -tTXT 2.0.0.127.multi.uribl.com
    2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 230.0.113.2]"

Cause

Local DNS server (for caching) is not configured on the server.

When a server has many incoming/outgoing emails that come through spam check by block lists, for example, URIBL it might abuse DNS public lookup provided by such services and get a block after certain amount of successful checks. After that, a corresponding warning appears in Plesk Email Security extension.

Resolution

Warning: Configuration of the local DNS server to cache requests is the tasks that has to be configured by a server administrator.

Configure local DNS server to decrease the load on public DNS servers and avoid blocks from URIBL side.
For example, systemd-resolved can be configured as described here: https://geekflare.com/linux-server-local-dns-caching/

Example steps for BIND DNS server shipped with Plesk:

  1. Install the BIND DNS server component if it's not yet:

    Log into Plesk > Tools & Settings > Updates > Add and Remove Product Components > BIND DNS server > Install

  2. Connect to the server via SSH.

  3. Run a check against the test point:

    # host -tTXT 2.0.0.127.multi.uribl.com

    Usually, if caching is not enabled the response is:

    CONFIG_TEXT: 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 203.0.113.2]"

  4. Run named-checkconf to check for syntax error in the configuration files:

    # named-checkconf

  5. Add the local nameserver to the /etc/resolv.conf file:

    # vi /etc/resolv.conf

    add to the top of the file:

    CONFIG_TEXT: nameserver 127.0.0.1

  6. Restart BIND service (named-chroot for CentOS, bind9 is Ubuntu/Debian):

    # service named-chroot restart

  7. Check that the service is running:

    # service named-chroot status

  8. Wait a few minutes and then run the check against the endpoint again:

    # host -tTXT 2.0.0.127.multi.uribl.com

    This time the response should be:

    CONFIG_TEXT: 2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

Note: If URIBL is not needed it might be simply disabled:

  1. Log into Plesk
  2. Go to Extensions > My extensions> Plesk Email Security > Server Settings tab > Advanced > DNSBL
  3. Switch off the URIBL block list

Comments

5 comments

Sort by Date Votes
  • Avatar
    Andrei L

    Hi,

     

    Can this be updated for Plesk Obsidian, Ubuntu 18?

    service named-chroot restart
    Failed to restart named-chroot.service: Unit named-chroot.service not found.

    service named-chroot status
    Unit named-chroot.service could not be found.

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Andrei L 
    Please check step 6:

    Restart BIND service (named-chroot for CentOS, bind9 is Ubuntu/Debian):

    So for Ubuntu it should be # service bind9 restart

    0
    Comment actions Permalink
  • Avatar
    To Wei

    I don't think the instructions are entirely correct. Manual changes in the /etc/resolv.conf file are overwritten with each restart of the server or the systemd-resolve service.

    1
    Comment actions Permalink
  • Avatar
    Mauro Elias Morone

    I received the warning message "DNS caching is disabled!".

    I correctly followed the instructions receiving at the end the message "permanent testpoint" and that appears to be configured well, in fact the previous warning message there have disappeared.

    But the weird fact is that if I input again the command for the status info, all the lines at the end named[xxxxx] etc... appears to be with a connection error, also if I add the "nameserver 127.0.0.1" on top of the other IP I have in that file, or also in case I leave there only nameserver 127.0.0.1 for example (deleting the other IP I have there).
    I tried all the combination, and in any case there will be a connection error in those lines named[xxxxx] at the end.

    Only if I don't insert "nameserver 127.0.0.1" on the top of that file (leaving all in the previous way), all the connection named[xxxxx] using the command "service .. status" are confirmed.

    So I leaved all in the previous way.

    0
    Comment actions Permalink
  • Avatar
    Mark Pryor (Edited )

    These instructions are odd to me. I'm on Ubuntu.  these are the entries in /etc/resolvconf/resolv.conf.d/head

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 8.8.8.8 
    nameserver 8.8.4.4

    Do I need to add nameserver 127.0.0.1 there as well?   I have read that the maximum number of nameservers in /etc/resolv.conf is 3 which is what I have already.

    edit:  I modified the /etc/resolvconf/resolv.conf.d/head to be the following and now the error message has disappeared.  

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 127.0.0.1
    nameserver 8.8.8.8
    nameserver 8.8.4.4

    Now when I run the following it seems to work

    # host -tTXT 2.0.0.127.multi.uribl.com
    2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

    Also, checking the file /etc/resolv.conf shows the four name servers.  Not sure if this will be a problem or maybe the 127.0.0.53 doesn't count as one???

    # cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 127.0.0.1
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 127.0.0.53

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles