On Sun, Feb 8, 2009 at 2:18 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote: > On Sun, Feb 08, 2009 at 02:02:14PM +0800, jan gestre wrote: > >> > You should not use OpenDNS or any similar external DNS forwarder with >> > Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS >> > cache on your system (127.0.0.1). If you are behind a NAT device that >> > de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky >> > attack... Running a SOHO incoming mail server is getting increasingly >> > difficult, you may need a real SMTP server at a hosting facility. >> > >> >> Postfix is behind a NAT device (pfSense) that does dnsmasq (dns >> forwarder), no machine is allowed to connect to port 53 except the NAT >> device. > > This does not protect you from the Kaminsky attack. A cryptographically > strong port-randomizing NAT is required. Most consumer NAT devices > probably don't measure up... In any case, it is still likely that your > RBL hits are a result of your DNS configuration. Good luck. >
Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself? TIA
