DNS reverse lookup reliability #498

Open
rodpayne opened this issue Mar 27, 2024 · 5 comments

Comments

@rodpayne
Contributor

I am finding that my DNS reverse lookups are not doing very well. Looking at Grafana, the top listed items in Top 1000 Message Source IP Addresses do not have Base Domain or Reverse DNS. If I use nslookup to check the IP address, they almost always come up without problem.

I have tried various nameservers and increased dns_timeout, without seeing much improvement.

I am wondering if other users of the (really fantastic) parsedmarc are having a similar problem.

  1. Has anyone looked at making a script or program to inquire in elasticsearch for the top addresses that do not have the info, try looking them up, and then do an update query to replace the records with the updated info? (That is what I may do if I can't figure out what is going wrong with the original lookups.)

  2. I am also looking at only updating IP_ADDRESS_CACHE when the get_ip_address_info succeeds in getting the info. That may keep it from compounding the lookup problem.

@Kuzuto
Contributor

Kuzuto commented Mar 27, 2024

I also noticed that. Haven't had time to look into whether it's my DNS that was failing.
Your workaround #1 could be a quick fix for now.

@Szasza
Contributor

Szasza commented Mar 30, 2024

@rodpayne :

The issue is definitely there. I am currently using parsedmarc in multiple production workloads, both in Lambda and in other containerised environments, and the fields are empty.

I haven't started looking into the issue yet in more depth, planned to do it on the coming Monday. Given that dig -x and nslookup work fine on the IP addresses, and so does parsedmarc's get_ip_address_info's reverse DNS lookup, the list of potential culprits is rather narrow.

As for an approach, I think there is no need for updating existing findings in ElasticSearch as:

  • Re-processing the files, even for a couple of thousands of reports, doesn't take a lot of time.
  • Unless there is a forensic need, starting correctly populating the reverse lookup data is more important than making sure that a couple of months old data is retrofitted, especially considering the previous point.

@rodpayne if you are ok with that, I am happy to work on fixing the core issue, and you can look at writing a separate, standalone snippet which can retrofit existing data in an ElasticSearch/OpenSearch data storage.

@Szasza
Contributor

Szasza commented Mar 30, 2024

I have done some tinkering and it seems that with the latest version, 8.10.3, the reverse DNS lookup data population is working fine. Previously, with version 8.9.4, the fields were missing.

That being said, 8.10.3 introduces a potential security issue as per #500.

@rodpayne
Contributor Author

Yes, 8.10.3 does seem to have fixed the reverse lookup problem. (I thought that I had fixed it by changing my Docker networking last night, but I had also built with the current code.)

Item 2 above is in pull request #501.

FYI, I am just starting to use parsedmarc and have processed over 9 million messages covering the past 30 days, so that is why I was reluctant to start over.

seanthegeek added a commit that referenced this issue Apr 2, 2024
- Actually save `source_type` and `source_name` to Elasticsearch and OpenSearch
- Reverse-lookup cache improvements (PR #501 closes issue #498)
- Update the included `dbip-country-lite.mmdb` to the 2024-03 version
- Update `base_reverse_dns_map.csv`
- Add new general config options (closes issue #500)
  - `always_use_local_files` - Disables the download of the reverse DNS map
  - `local_reverse_dns_map_path` - Overrides the default local file path to use for the reverse DNS map
  - `reverse_dns_map_url` - Overrides the default download URL for the reverse DNS map

@Kuzuto
Contributor

Kuzuto commented Apr 13, 2024

I think the new Reverse DNS lookup on 8.10.3 has created new issues.
I have many more invalid reports than before, both from Google and Microsoft. So that seems wrong.
Digging into it, it looks like the reverse lookup code, when it fails to resolve, is failing the whole report as invalid.
Before, I could see the base_domain field was empty when the reverse lookup failed. So the report was still parsed, and not totally failed.
I'm going to do some testing in the next couple of days. But do any others also have more invalid reports from 8.10.3 and up?
