ESA (Ironport) SenderBase and DNS: How Does It Work?

Applies to Cisco E-Mail Security Appliance 9.x.x

Thanks to my colleague Sedat Tavukçu for testing and supporting this post.

SenderBase Documentation:

If you read the Cisco Email Security Appliance documentation and review the diagrams of the SenderBase process, you may think that the ESA (Ironport) host connects to the SenderBase cloud service directly and queries SenderBase for the reputation of the connecting IP. That is not the case. (Only the firewall requirements section of the user guide hints at it: it says that open DNS ports are also used for SenderBase, from which you may suspect that the ESA SenderBase process queries the DNS server configured for the ESA host.)

How It Works

Like any RBL provider, SenderBase works with DNS queries. The SenderBase process on the ESA host queries the DNS server configured in the ESA console for the reputation of the connecting IP. The DNS server then sends recursive queries (to its forwarder and then to the senderbase.org name servers) and returns the result to the ESA. So the ESA does not connect directly to the SenderBase servers for SBRS queries.

SenderBase Network Capture:

Below is an example network trace for determining the SenderBase SBRS reputation of the connecting IP 94.138.201.71.

Here is the incoming connection from IP 94.138.201.71 as logged in the mail_logs log file on the ESA:

Wed May 18 11:38:24 2016 Info: New SMTP ICID 52308141 interface int1 (10.10.10.10) address 94.138.201.71 reverse dns host ns2.ihsdnsx20.com verified yes

Wed May 18 11:38:24 2016 Info: ICID 52308141 ACCEPT SG UNKNOWNLIST match sbrs[0.0:10.0] SBRS 2.9

Using a network capture we see the following packets.

We see that the ESA queries the DNS server DnsServer1 (the DNS server configured in the ESA console for the ESA host) for the TXT record 71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org. The name is built RBL-style: the octets of the connecting IP are reversed and prefixed to the SenderBase zone.

Notice that the Recursion desired flag is set to 1 (Do query recursively).

Source                  Destination             Protocol  Length  Info
SmtpEsa1.contoso.com    DnsServer1.contoso.com  DNS       114     Standard query 0xff11  TXT 71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org
Internet Protocol Version 4, Src: SmtpEsa1.contoso.com (10.10.10.10), Dst: DnsServer1.contoso.com (10.20.20.20)
User Datagram Protocol, Src Port: 62496 (62496), Dst Port: 53 (53)
Domain Name System (query)
    [Response In: 41]
    Transaction ID: 0xff11
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org
            [Name Length: 54]
            [Label Count: 8]
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)

Now the normal recursive DNS query process starts. DnsServer1 makes recursive queries (to its forwarder or to the root DNS servers), since it does not own the queried domain sb-adfe2ko9.senderbase.org. Eventually it queries the SenderBase DNS servers (vega-sb-ns1.senderbase.org etc.), gets the result for the TXT record and responds to the ESA, including the authoritative name servers for sb-adfe2ko9.senderbase.org and the additional records.

Source                  Destination             Protocol  Length  Info
DnsServer1.contoso.com  SmtpEsa1.contoso.com    DNS       502     Standard query response 0xff11  TXT
Internet Protocol Version 4, Src: DnsServer1.contoso.com (10.20.20.20), Dst: SmtpEsa1.contoso.com (10.10.10.10)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 62496 (62496)
Domain Name System (response)
    Transaction ID: 0xff11
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 8
    Additional RRs: 8
    Queries
        71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org
            [Name Length: 54]
            [Label Count: 8]
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)
    Answers
        71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 71.201.138.94.3000000000012.sb-adfe2ko9.senderbase.org
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)
            Time to live: 16658
            Data length: 41
            TXT Length: 40
            TXT: 0-1=IHS TELEKOMUNIKASYON|4=3041977|48=24
    Authoritative nameservers
        sb-adfe2ko9.senderbase.org: type NS, class IN, ns vega-sb-ns1.senderbase.org
            Name: sb-adfe2ko9.senderbase.org
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 1
            Data length: 14
            Name Server: vega-sb-ns1.senderbase.org
        sb-adfe2ko9.senderbase.org: type NS, class IN, ns sv4-sb-ns3.senderbase.org
            Name: sb-adfe2ko9.senderbase.org
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 1
            Data length: 13
            Name Server: sv4-sb-ns3.senderbase.org
        ...
    Additional records
        sv4-sb-ns2.senderbase.org: type A, class IN, addr 184.94.241.31
            Name: sv4-sb-ns2.senderbase.org
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 1
            Data length: 4
            Address: sv4-sb-ns2.senderbase.org (184.94.241.31)
        sv4-sb-ns3.senderbase.org: type A, class IN, addr 184.94.241.32
            Name: sv4-sb-ns3.senderbase.org
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 1
            Data length: 4
            Address: sv4-sb-ns3.senderbase.org (184.94.241.32)
        ...

Then the ESA sends one more query to DnsServer1, for the TXT record 1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org (again containing the reversed IP, this time under the rf- zone).

Source                  Destination             Protocol  Length  Info
SmtpEsa1.contoso.com    DnsServer1.contoso.com  DNS       141     Standard query 0x1d9d  TXT 1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org
Internet Protocol Version 4, Src: SmtpEsa1.contoso.com (10.10.10.10), Dst: DnsServer1.contoso.com (10.20.20.20)
User Datagram Protocol, Src Port: 57018 (57018), Dst Port: 53 (53)
Domain Name System (query)
    [Response In: 4080]
    Transaction ID: 0x1d9d
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org
            [Name Length: 81]
            [Label Count: 9]
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)

And DnsServer1 responds to the TXT query with TXT: |0=2.9|1=0.0|2=0.3909|3=0.5|7=AvNDhNIaN|10=0,0|. This field carries the SBRS value (2.9) that we observed in the mail_logs log.

Source                  Destination             Protocol  Length  Info
DnsServer1.contoso.com  SmtpEsa1.contoso.com    DNS       553     Standard query response 0x1d9d  TXT
Internet Protocol Version 4, Src: DnsServer1.contoso.com (10.20.20.20), Dst: SmtpEsa1.contoso.com (10.10.10.10)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 57018 (57018)
Domain Name System (response)
    Transaction ID: 0x1d9d
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 8
    Additional RRs: 6
    Queries
        1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org
            [Name Length: 81]
            [Label Count: 9]
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)
    Answers
        1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org: type TXT, class IN
            Name: 1-954f520b16ed07d75fab644260cdf4b0.71.201.138.94.v1x2s.rf-adfe2ko9.senderbase.org
            Type: TXT (Text strings) (16)
            Class: IN (0x0001)
            Time to live: 1000
            Data length: 48
            TXT Length: 47
            TXT: |0=2.9|1=0.0|2=0.3909|3=0.5|7=AvNDhNIaN|10=0,0|
    Authoritative nameservers
        rf-adfe2ko9.senderbase.org: type NS, class IN, ns sv4-sbrs-ns4.senderbase.org
            Name: rf-adfe2ko9.senderbase.org
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 107
            Data length: 15
        ...
    Additional records
        sv4-sbrs-ns2.senderbase.org: type A, class IN, addr 184.94.241.20
            Name: sv4-sbrs-ns2.senderbase.org
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 107
            Data length: 4
        ...

Note: The Authoritative nameservers and Additional records sections are truncated (8 and 6 records) for readability.
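To make the two mechanisms in the trace concrete (the reversed-octet query name sent to the sb- zone, and the pipe-delimited TXT answer from the rf- zone whose field 0 is the SBRS score seen in mail_logs), here is a small added Python example; it is not code from the post or from Cisco. It assumes the 3000000000012 label and the sb-adfe2ko9 zone are fixed per appliance as they appear in the capture, and it does not build the second query because the page does not explain how its hash label is derived.

```python
import re
from ipaddress import IPv4Address

# Sample values copied from the capture and mail_logs shown on this page.
SB_ZONE = "3000000000012.sb-adfe2ko9.senderbase.org"   # assumed fixed per appliance
SBRS_TXT = "|0=2.9|1=0.0|2=0.3909|3=0.5|7=AvNDhNIaN|10=0,0|"
ORG_TXT = "0-1=IHS TELEKOMUNIKASYON|4=3041977|48=24"
MAIL_LOG = ("Wed May 18 11:38:24 2016 Info: ICID 52308141 ACCEPT SG UNKNOWNLIST "
            "match sbrs[0.0:10.0] SBRS 2.9")

def reputation_qname(ip: str, zone: str = SB_ZONE) -> str:
    """RBL-style name: octets of the connecting IP reversed, then the zone.
    For 94.138.201.71 this is exactly the name in the first query."""
    octets = str(IPv4Address(ip)).split(".")   # raises on a malformed address
    return ".".join(reversed(octets)) + "." + zone

def parse_txt_fields(txt: str) -> dict:
    """Split a SenderBase TXT answer ('|k=v|k=v|') into {key: value}.
    Field meanings other than '0' (the score) are not documented on the page."""
    fields = {}
    for item in txt.strip("|").split("|"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields

def sbrs_score(txt: str):
    """Field 0 of the rf- zone answer is the SBRS value that mail_logs reports."""
    value = parse_txt_fields(txt).get("0")
    return float(value) if value is not None else None

# Matches the ACCEPT line format shown in the mail_logs excerpt above.
LOG_RE = re.compile(r"ICID (\d+) ACCEPT SG (\S+) match sbrs\[(-?[\d.]+):(-?[\d.]+)\] "
                    r"SBRS (-?[\d.]+)")

def check_log_against_dns(log_line: str, txt: str) -> bool:
    """True when the logged SBRS equals the DNS answer and falls inside the
    sbrs[low:high] range that the sender group matched on."""
    m = LOG_RE.search(log_line)
    if not m:
        return False
    low, high, logged = float(m.group(3)), float(m.group(4)), float(m.group(5))
    dns = sbrs_score(txt)
    return dns is not None and dns == logged and low <= logged <= high

if __name__ == "__main__":
    print(reputation_qname("94.138.201.71"))
    print(parse_txt_fields(SBRS_TXT), check_log_against_dns(MAIL_LOG, SBRS_TXT))
```

Running the module prints the query name from the capture and confirms that the logged score 2.9 is the value returned in field 0 of the TXT answer.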

More Information:

If you observe too many "SBRS unable to retrieve" errors in the mail_logs log, high CPU utilization due to processing of too much spam, spam mail being delivered, or work queue problems, you may suspect that the SenderBase queries do not work at all and therefore do not block spammer IPs. The cause may be poor DNS server performance or a poor Internet connection.

Cisco recommends using the root DNS servers:

Tactics to Mitigate Work Queue Backups

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118265-technote-esa-00.html

Using the root DNS servers will increase Internet connection utilization slightly, whereas a local DNS server caches the results and is reached over the LAN.

If you decide to use the root DNS servers, the ESA cannot resolve PTR records of internal relaying servers. As a result there is some delay for outgoing mail to the Internet, because the ESA, by default, tries to resolve the FQDN of every connecting IP until the DNS timeout value is reached. This can be a serious problem for bulk mailing applications. You can simply add reverse lookup zones for your internal IPs and add the internal DNS servers to the Alternate DNS Servers Overrides section on the DNS configuration page in the ESA console.
