David B Funk wrote on 10.05.2018 at 20:23:
On Thu, 10 May 2018, John Hardin wrote:
On Thu, 10 May 2018, Matthew Broadhead wrote:
On 09/05/18 20:43, David Jones wrote:
On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
On 09/05/18 16:37, Reindl Harald wrote:
quoting URIBL_BLOCKED is a joke - set up a *recursive*
*non-forwarding*
nameserver, no dnsmasq or such crap
http://uribl.com/refused.shtml
with your setup you exceed *obviously* rate-limits and have most
DNSBL/URIBL not working and so you can't expect useful results at
all
X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
tests=[AM.WBL=-3, BAYES_00=-1.9,
HEADER_FROM_DIFFERENT_DOMAINS=0.25,
MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
autolearn=ham autolearn_force=no
I followed the guidance at that URL and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query
Refused. See http://uribl.com/refused.shtml for more information
[Your DNS IP: 213.171.193.134]"
I guess my DNS is set to use my ISP's DNS server. Do I need to
set up a DNS relay on my machine so it comes from my IP?
There is no way we send more than 500k emails from our domain, so I
should qualify for the free lookup?
Yes. Set up BIND, unbound, or pdns_recursor on your SA server that
is not forwarding to another DNS server then set your
/etc/resolv.conf or SA dns_server to 127.0.0.1. This will make
your DNS queries isolated from your IP to stay under their daily
limit.
Keep in mind that if your SA box is behind NAT that is not
dedicated to your server then other DNS queries could get combined
with your shared public IP. This is not likely since others are
not going to query RBL/URIBL servers but it's possible. If your SA
server is directly on the Internet as an edge mail gateway then
this won't be a problem.
I already had BIND handling my DNS. I just had to add to
/etc/named.conf
allow-query-cache {localhost; any;};
recursion yes;
Don't forget to *turn off forwarding*.
and to /etc/resolv.conf
nameserver 127.0.0.1
That is the most important point in this whole discussion.
It doesn't matter (much) what DNS server/software you use so long as
it supports recursive NON-FORWARDED queries.
Caching is desirable but is only a secondary consideration vs. the
first point.
Security point: when you run a recursive server it is a potential DDoS
risk, so protect it from being used/abused by untrusted clients (best
if it only listens on the loopback address, 127.*, or has strong
ACL/access control support that is properly configured).
I saw in the above quotes that Matthew opened his server to answer any
recursive query - this is what makes it a security risk if that server
is directly facing the internet. If you have a server like I do that
hosts the primary (or secondary) DNS zone for your domain and runs
the mail server, you want to allow DNS recursion only on local queries
and disable recursion for everyone else, while still allowing
non-recursive queries for your zone. You achieve this with BIND:
allow-query { any; };
allow-query-cache { localhost; };
allow-recursion { localhost; };
Importantly, use localhost only for allow-query-cache and allow-recursion.
Matthew has an "any;" included and global recursion yes - remove this!
If you need this on a public facing server, you're doing something
wrong. Don't put a recursive DNS server online these days.
Alex
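The thread above settles on three checks for an SA host's resolver: resolv.conf points at loopback, named.conf does not forward and keeps allow-query-cache/allow-recursion on localhost, and the uribl.com test point answers instead of returning "Query Refused". The script below is an added example, not code from the thread or from any of the projects mentioned; it assumes the one-line `option { list; };` layout used in the quoted named.conf fragments, and every file and answer it reads is constructed inline for the demonstration (the ISP resolver address and the test-point TXT wording are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread): audit the resolver setup discussed above.
# Assumes BIND-style "option { list; };" on a single line; sample inputs are constructed.

# Classify the answer to: host -t TXT 2.0.0.127.multi.uribl.com
# Prints one of: refused | answered | nxdomain | unknown
classify_uribl_answer() {
    case "$1" in
        *"Query Refused"*)        echo refused ;;   # over the rate limit / blocked
        *"not found"*|*NXDOMAIN*) echo nxdomain ;;  # the test point should never be absent
        *"descriptive text"*)     echo answered ;;  # lookup path works
        *)                        echo unknown ;;
    esac
}

# Print the address-match list inside "<opt> { ... };" (first match only).
named_option_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*{\([^}]*\)}.*/\1/p" "$1" | head -n 1
}

# True (0) when <opt> is explicitly set and its list contains no "any;".
# Substring match; adequate for the one-line layout quoted in the thread.
option_localhost_only() {
    list=$(named_option_list "$1" "$2")
    [ -n "$list" ] || return 1
    case "$list" in
        *"any;"*) return 1 ;;
        *)        return 0 ;;
    esac
}

# True (0) when a non-empty "forwarders { ... };" is present: queries would be
# relayed through another resolver and counted against that resolver's IP.
uses_forwarders() {
    list=$(named_option_list "$1" forwarders)
    [ -n "$(printf '%s' "$list" | tr -d '[:space:]')" ]
}

# True (0) when every nameserver line in a resolv.conf points at loopback.
resolver_is_local() {
    ns=$(awk '/^[ \t]*nameserver[ \t]/ {print $2}' "$1")
    [ -n "$ns" ] || return 1
    for n in $ns; do
        case "$n" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report the forwarding and ACL problems in one named.conf; 0 when clean.
audit_named_conf() {
    conf="$1"; rc=0
    if uses_forwarders "$conf"; then
        echo "$conf: forwarders configured - remove them, SA needs direct recursion"; rc=1
    fi
    for opt in allow-query-cache allow-recursion; do
        if ! option_localhost_only "$conf" "$opt"; then
            echo "$conf: $opt missing or open to any - restrict to localhost"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "$conf: ok"
    return "$rc"
}

# ---- constructed sample inputs ----
demo_dir=$(mktemp -d)

# Matthew's original settings as quoted, plus a constructed forwarders line.
cat > "$demo_dir/named.risky.conf" <<'EOF'
options {
    allow-query-cache {localhost; any;};
    recursion yes;
    forwarders { 192.0.2.53; };
};
EOF

# Alex's recommended settings.
cat > "$demo_dir/named.safe.conf" <<'EOF'
options {
    allow-query { any; };
    allow-query-cache { localhost; };
    allow-recursion { localhost; };
    recursion yes;
};
EOF

printf 'nameserver 127.0.0.1\n' > "$demo_dir/resolv.local.conf"
printf 'nameserver 198.51.100.1\n' > "$demo_dir/resolv.isp.conf"   # placeholder ISP resolver

# Refused answer in the format quoted in the thread (IP is a placeholder);
# the "answered" TXT text is constructed, not the real uribl.com wording.
REFUSED_ANSWER='2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 192.0.2.10]"'
OK_ANSWER='2.0.0.127.multi.uribl.com descriptive text "constructed test-point listing"'

audit_named_conf "$demo_dir/named.risky.conf" || :
audit_named_conf "$demo_dir/named.safe.conf" || :
echo "resolv.local.conf loopback-only: $(resolver_is_local "$demo_dir/resolv.local.conf" && echo yes || echo no)"
echo "refused answer classified as: $(classify_uribl_answer "$REFUSED_ANSWER")"
```

Run it as-is to see the risky fragment flagged on both counts (forwarders present, allow-query-cache containing `any;`, allow-recursion absent) and the recommended fragment pass; point `audit_named_conf` and `resolver_is_local` at the live `/etc/named.conf` and `/etc/resolv.conf` to check a real host. The parser deliberately does not handle multi-line option lists or `view` blocks, so a clean report on a more elaborate named.conf should be confirmed by reading the file.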