Plesk

Plesk Email Security: DNS caching is disabled! Please use a local DNS server to improve SPAM recognition via blocklists (for instance systemd-resolved)

Symptoms

Cause

A local DNS server (for caching) is not configured on the server.

When a server handles many incoming/outgoing emails that pass through a spam check against block lists (for example, URIBL), it might abuse the public DNS lookup provided by such services and get blocked after a certain number of successful checks. After that, the corresponding warning appears in the Plesk Email Security extension.

Resolution

Warning: Configuring the local DNS server to cache requests is a task that has to be performed by a server administrator.

Configure a local DNS server to decrease the load on public DNS servers and avoid blocks from the URIBL side.
For example, systemd-resolved can be configured as described here: https://geekflare.com/linux-server-local-dns-caching/

Example steps for the BIND DNS server shipped with Plesk:

  1. Install the BIND DNS server component if it is not yet installed:

    Log into Plesk > Tools & Settings > Updates > Add and Remove Product Components > BIND DNS server > Install

  2. Connect to the server via SSH.

  3. Run a check against the test point:

    # host -tTXT 2.0.0.127.multi.uribl.com

    Usually, if caching is not enabled, the response is:

    2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 203.0.113.2]"

  4. Run named-checkconf to check for syntax errors in the configuration files:

    # named-checkconf

  5. Add the local nameserver to the /etc/resolv.conf file:

    # vi /etc/resolv.conf

    Add to the top of the file:

    nameserver 127.0.0.1

  6. Restart the BIND service (named-chroot for CentOS, bind9 for Ubuntu/Debian):

    # service named-chroot restart || service bind9 restart

  7. Check that the service is running:

    # service named-chroot status || service bind9 status

  8. Wait a few minutes and then run the check against the endpoint again:

    # host -tTXT 2.0.0.127.multi.uribl.com

    This time the response should be:

    2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
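
The checks from steps 3, 5 and 8 as one script, added here as an example (it is not part of the original Plesk article). The function names are assumptions made for this example; the live DNS query runs only when the script is called with --run.

```shell
#!/bin/sh
# Added example: health check for the local caching resolver set up above.
# Function names are hypothetical; they are not part of Plesk or BIND.

# Classify the TXT answer returned for the URIBL test point.
# Prints: ok (local resolver accepted), refused (public resolver blocked), unknown
classify_uribl_txt() {
    case "$1" in
        *"permanent testpoint"*) echo ok ;;
        *"Query Refused"*)       echo refused ;;
        *)                       echo unknown ;;
    esac
}

# Print the first "nameserver" address from a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeeds when the first resolver is a loopback address
# (127.0.0.1 for BIND, 127.0.0.53 for systemd-resolved).
local_resolver_first() {
    case "$(first_nameserver "$1")" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Full check: resolver order first, then the live test-point query.
check_uribl() {
    resolv=${1:-/etc/resolv.conf}
    if ! local_resolver_first "$resolv"; then
        echo "WARN: first nameserver in $resolv is not a local resolver"
    fi
    answer=$(host -tTXT 2.0.0.127.multi.uribl.com 2>&1) || true
    status=$(classify_uribl_txt "$answer")
    echo "URIBL test point: $status"
    [ "$status" = ok ]
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    check_uribl /etc/resolv.conf
fi
```

A result of "refused" together with the resolver-order warning usually means step 5 was skipped or /etc/resolv.conf was overwritten afterwards.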


Note: If URIBL is not needed, it can simply be disabled:

  1. Log into Plesk
  2. Go to Extensions > My extensions > Plesk Email Security > Server Settings tab > Advanced > DNSBL
  3. Switch off the URIBL block list