On 03/03/17 20:22, Bill Cole wrote:
> On 1 Mar 2017, at 17:00, Robert Sharp wrote:
>> I was prompted from reading a recent post to check whether my
>> postscreen setup was picking up Spamhaus responses. Quick grep
>> through my logs confirmed that it was not. Seems I am in a bit of
>> Bind (sorry for the pun). If I use Google's DNS I don't get a response
>> from zen.spamhaus.org. If I use my ISP's DNS I will but my ISP also
>> hijacks NXDOMAIN responses as I was reminded last night when
>> postscreen blocked everything. I am now looking at setting up my own
>> unbound server, but I wondered if there was a quicker solution.
> Any mail server should use a recursive caching resolver on the same
> host or on a low-latency directly attached network.
>> Can I use the filter option to ignore those hijacked responses? For
>> example:
>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..127]*3
> That should work and it is always best to specify the desired
> result(s) for any DNSBL use.
> You will still be at risk of Spamhaus blocking your ISP's DNS
> resolvers, which they do for ISPs whose resolvers make too many
> queries. A local unbound resolver is easy to set up and will give you
> better performance while sparing you the risk of being blocked for
> other people's query volume.
Sorry - I sent a reply but it seems I messed up and sent it to Kevin
Miller (sorry Kevin). Anyway, I take all of your points. This is on a
Gentoo box with SELinux that is running as my router, dns/dhcp and mail
relay. I am using Dnsmasq for the dns/dhcp. I realised (in the dead of
night) that I could avoid a lot of problems by keeping dnsmasq as it is,
setting up Unbound as a simple recursive resolver, that I have just
tested without upsetting anyone else, and then just switching from
Google's DNS to my local Unbound. That bit will have to wait while I
sort out the inevitable AVCs that result from doing anything new on
SELinux.
Thanks for the help.
Robert
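The filter syntax discussed in this thread (`zen.spamhaus.org=127.0.0.[0..127]*3`) is what stops a resolver's rewritten NXDOMAIN answers from scoring against every client. The Python below is an added illustration for this thread, not Postfix code: it parses postscreen_dnsbl_sites entries of the `domain=d.d.d.d*weight` shape, scores a constructed set of DNSBL replies, and shows that a filtered entry ignores a hijacked public address while an unfiltered entry counts it. The reply addresses, the hijack address 198.51.100.7 and the once-per-entry weight accounting are this example's own assumptions; postscreen(8) documents the real scoring.

```python
import re

# One filter token is a decimal octet or an inclusive [low..high] range.
# The whole filter is four such tokens joined by dots, e.g. 127.0.0.[0..127].
_TOKEN = r"(\d{1,3}|\[\d{1,3}\.\.\d{1,3}\])"
_FILTER = re.compile(r"^" + r"\.".join([_TOKEN] * 4) + r"$")


def parse_site(entry):
    """Parse one postscreen_dnsbl_sites entry: domain[=d.d.d.d][*weight].

    Returns (domain, ranges, weight); ranges is None when no filter was
    given, otherwise a list of four (low, high) octet bounds.
    """
    weight = 1
    if "*" in entry:
        entry, weight_str = entry.rsplit("*", 1)
        weight = int(weight_str)
    domain, sep, pattern = entry.partition("=")
    if not sep:
        return domain, None, weight
    m = _FILTER.match(pattern)
    if m is None:
        raise ValueError("bad filter pattern: %r" % pattern)
    ranges = []
    for part in m.groups():
        if part.startswith("["):
            low, high = (int(x) for x in part[1:-1].split(".."))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError("octet range out of order or out of bounds: %r" % part)
        ranges.append((low, high))
    return domain, ranges, weight


def reply_matches(reply_ip, ranges):
    """True when an A-record reply satisfies the filter (any reply if no filter)."""
    if ranges is None:
        return True
    octets = [int(o) for o in reply_ip.split(".")]
    if len(octets) != 4:
        return False
    return all(low <= o <= high for o, (low, high) in zip(octets, ranges))


def dnsbl_score(sites, replies):
    """Sum the weights of entries whose DNSBL lookup produced a matching reply.

    sites:   list of postscreen_dnsbl_sites entry strings
    replies: dict of DNSBL domain -> list of A-record strings returned for the
             client's reversed-IP lookup; a missing key or an empty list stands
             for NXDOMAIN (client not listed).
    Assumption of this model: an entry's weight is added at most once, however
    many of its records match.
    """
    score = 0
    for entry in sites:
        domain, ranges, weight = parse_site(entry)
        if any(reply_matches(ip, ranges) for ip in replies.get(domain, [])):
            score += weight
    return score


# Constructed scenarios: a genuine listing, a clean NXDOMAIN, and an ISP
# resolver that rewrites NXDOMAIN into a public "search page" address
# (198.51.100.7 is a constructed placeholder, not a real resolver answer).
FILTERED = ["zen.spamhaus.org=127.0.0.[0..127]*3"]
UNFILTERED = ["zen.spamhaus.org*3"]

LISTED = {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}
NOT_LISTED = {}
HIJACKED = {"zen.spamhaus.org": ["198.51.100.7"]}

if __name__ == "__main__":
    for label, replies in (("listed", LISTED), ("not listed", NOT_LISTED),
                           ("hijacked NXDOMAIN", HIJACKED)):
        print("%-18s filtered=%d unfiltered=%d" % (
            label, dnsbl_score(FILTERED, replies), dnsbl_score(UNFILTERED, replies)))
```

Run stand-alone it prints three lines; the "hijacked NXDOMAIN" line scores 0 with the filter and 3 without it, which against the default postscreen_dnsbl_threshold of 1 is exactly the "postscreen blocked everything" failure described above. A local recursive resolver removes the hijacking at the source; the filter is the cheap guard that keeps a rewritten answer from ever counting.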