
DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed

Hi guys.

I've been seeing the following error lately on my UTM and I cannot for the life of me understand why. Is there anyone that has some insight? :)

Running Sophos UTM 9.506-2 and this is from the packetfilter log. This is an excerpt and it seems to fail on all IPs supplied to it. I have temporarily disabled "Block clients with bad reputation" to suppress the problem but would really like to enable it again.

Thanks in advance.

2018:01:16-11:13:23 router httpd[8883]: [authz_blacklist:warn] [pid 8883:tid 4096068464] [client xx.x.xxx.xx:58423] DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution
2018:01:16-11:13:23 router httpd[8883]: [authz_blacklist:warn] [pid 8883:tid 4129639280] [client xx.x.xxx.xx:58420] DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution
2018:01:16-11:13:23 router httpd[8883]: [authz_blacklist:warn] [pid 8883:tid 4079283056] [client xx.x.xxx.xx:58426] DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution
2018:01:16-11:13:24 router httpd[8883]: [authz_blacklist:warn] [pid 8883:tid 4070890352] [client xx.x.xxx.xx:58427] DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution
2018:01:16-11:13:24 router httpd[8883]: [authz_blacklist:warn] [pid 8883:tid 4112853872] [client xx.x.xxx.xx:58421] DNS lookup for xx.x.xxx.xx.black.rbl.ctipd.astaro.local. failed: Temporary failure in name resolution
BR

Ulf Thomas




[locked by: BAlfson at 3:41 PM (GMT -8) on 17 Jan 2018]
  • Hi Ulf,

    When you configure your WAF Firewall profile to block clients with a bad reputation, Sophos UTM will do a reputation lookup and take action according to the classification provided from:

    • Commtouch IP Reputation (ctipd.org)
    • http.dnsbl.sorbs.net

    The GeoIP source is Maxmind. The blocked clients could be mobile users and might be locked because the WAF blocks clients that belong to one of the following Maxmind categories:

    • A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.
    • A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high-risk countries.

    I would recommend you check the remote IP addresses' reputation. Alternatively, when you select the option "Block clients with a bad reputation", it gives you the sub-option "Skip remote lookups for clients with bad reputation"; select that option to avoid the lookup and use the cached information.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi,

    And thanks for the quick reply. I have two follow-up questions:

    1) This happens to all IPs hitting the webservers with a profile configured to block clients with a bad reputation. They can't all be bad? ;)

    2) I might be wrong, but doesn't this error indicate a problem performing the actual lookup rather than finding the given IP in the database?

    Ulf T.

  • I have now checked a few of the IPs reported, and all except one were not listed in any of the major lists.

    This leads me to think that there must be a configuration issue on my firewall which I am unable to find.


    Please share any insights. :)


    Thomas

  • On an unrelated topic, I discovered the following section in my /var/chroot-bind/named.conf:

    zone "ctipd.astaro.local." IN {
        type forward;
        forward only;
        forwarders { 127.0.0.1 port 54; };
    };

    From how I understand it, the IP lookups should be going to localhost on port 54; the problem being that nothing is listening on that port. Related?
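The two things the thread turns on are how the reputation lookup is built (the client IP, octets reversed, queried as a name under the RBL zone, as in Sachin's reply) and whether a reply that says "Temporary failure in name resolution" means the client is listed or simply that the query never got an answer (Ulf's second question, and the forwarder on 127.0.0.1 port 54 in the named.conf excerpt above). The script below is an added example, not code from the thread or from Sophos. It builds the DNSBL query name, sends a raw DNS query to a configurable forwarder, and classifies the outcome so that NXDOMAIN ("not listed"), NOERROR with an A record ("listed") and SERVFAIL/timeout/port unreachable ("lookup failed") are kept apart. The zone name is taken from the log lines in the post; the forwarder address and port 54 are taken from the named.conf excerpt; the sample IP 203.0.113.7 and the replies produced by build_response are constructed test data.

```python
"""DNSBL lookup helper (added example): builds the reversed-IP query name,
parses the reply, and separates "listed" / "not listed" from a failed lookup
(SERVFAIL, timeout, or nothing listening on the forwarder port)."""
import ipaddress
import socket
import struct

# Zone taken from the log lines in the thread; the named.conf excerpt forwards
# ctipd.astaro.local. to 127.0.0.1 port 54.
RBL_ZONE = "black.rbl.ctipd.astaro.local"

# DNS RCODEs this example distinguishes
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def dnsbl_name(ip, zone=RBL_ZONE):
    """Reverse the IPv4 octets and append the zone, the usual DNSBL convention."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A query (QTYPE 1, QCLASS IN) for the given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, rcode, answers=()):
    """Construct a reply to `query` (test data, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b""
    for addr in answers:
        # name = pointer to the question name, type A, class IN, TTL 300, 4 bytes
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + rrs


def _skip_name(packet, off):
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_response(packet):
    """Return (rcode, list of A-record strings) from a raw DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(packet[off:off + 4])))
        off += rdlen
    return flags & 0x0F, addrs


def classify(rcode, addrs):
    """Only NOERROR with an A record means the client is on the list."""
    if rcode == NXDOMAIN or (rcode == NOERROR and not addrs):
        return "not listed"
    if rcode == NOERROR:
        return "listed"
    return "lookup failed"  # SERVFAIL, REFUSED, ...: same bucket as a timeout


def lookup(ip, server="127.0.0.1", port=54, timeout=2.0):
    """Send the query to the forwarder from named.conf and classify the outcome."""
    query = build_query(dnsbl_name(ip))
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
    except OSError:  # timeout, ICMP port unreachable, no socket permission
        return "lookup failed"
    if reply[:2] != query[:2]:  # transaction ID mismatch: not our answer
        return "lookup failed"
    return classify(*parse_response(reply))


if __name__ == "__main__":
    print(dnsbl_name("203.0.113.7"))
    print(lookup("203.0.113.7"))  # "lookup failed" when nothing answers on 127.0.0.1:54
```

Run it on the UTM (or anywhere) with the forwarder address and port from named.conf: "not listed" for every tested client means the RBL is reachable and the clients are clean, while "lookup failed" across the board matches the log message in the opening post and points at the resolver path rather than at the clients' reputation.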