On Thu, 10 May 2018, John Hardin wrote:
On Thu, 10 May 2018, Matthew Broadhead wrote:
On 09/05/18 20:43, David Jones wrote:
On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
On 09/05/18 16:37, Reindl Harald wrote:
quoting URIBL_BLOCKED is a joke - set up a *recursive* *non-forwarding*
nameserver, no dnsmasq or such crap
http://uribl.com/refused.shtml
with your setup you *obviously* exceed rate-limits and have most
DNSBL/URIBL not working, and so you can't expect useful results at all
X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
tests=[AM.WBL=-3, BAYES_00=-1.9,
HEADER_FROM_DIFFERENT_DOMAINS=0.25,
MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
autolearn=ham autolearn_force=no
I followed the guidance at that URL and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused.
See http://uribl.com/refused.shtml for more information [Your DNS IP:
213.171.193.134]"
I guess my DNS is set to use my ISP's DNS server. Do I need to set up a
DNS relay on my machine so it comes from my IP?
There is no way we send more than 500k emails from our domain, so I should
qualify for the free lookup?
Yes. Set up BIND, unbound, or pdns_recursor on your SA server that is not
forwarding to another DNS server, then set your /etc/resolv.conf or SA
dns_server to 127.0.0.1. This will make your DNS queries isolated to
your IP to stay under their daily limit.
Keep in mind that if your SA box is behind NAT that is not dedicated to
your server then other DNS queries could get combined with your shared
public IP. This is not likely since others are not going to query
RBL/URIBL servers but it's possible. If your SA server is directly on the
Internet as an edge mail gateway then this won't be a problem.
I already had BIND handling my DNS. I just had to add to /etc/named.conf
allow-query-cache {localhost; any;};
recursion yes;
Don't forget to *turn off forwarding*.
and to /etc/resolv.conf
nameserver 127.0.0.1
That is the most important point in this whole discussion.
It doesn't matter (much) what DNS server/software you use so long as it supports
recursive NON-FORWARDED queries.
Caching is desirable but is only a secondary consideration vs. the first point.
Security point: when you run a recursive server it is a potential DDoS risk, so
protect it from being used/abused by untrusted clients (best if it only listens
on the loopback address, 127.*, or has strong ACL/access control support that is
properly configured).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
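An added check script, not part of this thread or of any of the posters' setups: it tests the points the thread settles on (resolv.conf pointing at 127.0.0.1, forwarding turned off in named.conf, recursion and cache not open to any client per Dave's security note) and classifies the answer for the URIBL test point quoted above. It assumes BIND's /etc/named.conf and /etc/resolv.conf paths (overridable via environment variables) and that dig is installed for the live check.

```shell
#!/bin/sh
# Added example, not from the thread: check the resolver setup discussed above.
# Assumes BIND's /etc/named.conf and /etc/resolv.conf (override via env vars).
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# Flatten named.conf: drop // and # comments, join lines so multi-line blocks match.
# (Does not handle /* */ block comments.)
flat_conf() { sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n' ' '; }

# True if the first nameserver line of resolv.conf points at the local resolver.
resolv_uses_loopback() {
    ns=$(grep -E '^[[:space:]]*nameserver' "$1" | head -n 1 | awk '{print $2}')
    [ "$ns" = "127.0.0.1" ] || [ "$ns" = "::1" ]
}

# True if named.conf still forwards: a non-empty forwarders list, or forward only/first.
# An empty "forwarders { };" disables forwarding and is not flagged.
named_conf_forwards() {
    flat_conf "$1" | grep -Eq 'forwarders[[:space:]]*\{[^}]*[0-9]|forward[[:space:]]+(only|first)[[:space:]]*;'
}

# True if recursion or the cache is open to "any" client (the DDoS point above).
# Matches e.g. "allow-query-cache { localhost; any; };" from the thread.
named_conf_open_to_any() {
    flat_conf "$1" | grep -Eq '(allow-query-cache|allow-recursion)[[:space:]]*\{[^}]*any[[:space:]]*;'
}

# Classify the A answer for the URIBL test point 2.0.0.127.multi.uribl.com:
# 127.0.0.1 is the "Query Refused" marker SpamAssassin reports as URIBL_BLOCKED.
uribl_state() {
    case "$1" in
        "")        echo "noanswer" ;;
        127.0.0.1) echo "refused" ;;
        127.0.0.*) echo "ok" ;;
        *)         echo "unexpected" ;;
    esac
}

# Live check of this host; only runs with --live so sourcing the file does no network I/O.
main() {
    resolv_uses_loopback "$RESOLV_CONF" || echo "WARN: $RESOLV_CONF does not use 127.0.0.1"
    named_conf_forwards "$NAMED_CONF" && echo "WARN: $NAMED_CONF still forwards queries"
    named_conf_open_to_any "$NAMED_CONF" && echo "WARN: $NAMED_CONF opens recursion/cache to any"
    answer=$(dig +short A 2.0.0.127.multi.uribl.com @127.0.0.1 2>/dev/null | head -n 1)
    echo "URIBL test point via 127.0.0.1: $(uribl_state "$answer")"
}
if [ "${1:-}" = "--live" ]; then main; fi
```

Run it as `sh check_resolver.sh --live` on the SA box; a "refused" result with no warnings usually means the public IP is shared (NAT) or the resolver is not the one actually being queried.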