On 1 Mar 2017, at 17:00, Robert Sharp wrote:
> I was prompted from reading a recent post to check whether my
> postscreen setup was picking up Spamhaus responses. A quick grep
> through my logs confirmed that it was not. Seems I am in a bit of Bind
> (sorry for the pun). If I use Google's DNS I don't get a response from
> zen.spamhaus.org. If I use my ISP's DNS I will, but my ISP also hijacks
> NXDOMAIN responses, as I was reminded last night when postscreen
> blocked everything. I am now looking at setting up my own unbound
> server, but I wondered if there was a quicker solution.
Any mail server should use a recursive caching resolver on the same host
or on a low-latency directly attached network.
> Can I use the filter option to ignore those hijacked responses? For
> example:
>
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3
That should work and it is always best to specify the desired result(s)
for any DNSBL use.
You will still be at risk of Spamhaus blocking your ISP's DNS resolvers,
which they do for ISPs whose resolvers make too many queries. A local
unbound resolver is easy to set up and will give you better performance
while sparing you the risk of being blocked for other people's query
volume.