On 26.11.2014 at 15:07, David F. Skoll wrote:
> On Wed, 26 Nov 2014 14:10:04 +0100 Reindl Harald <h.rei...@thelounge.net> wrote:
>> the unbound stats on our inbound MX saying the opposite
> How much of those are DNSBL lookups against DNSBLs with short TTLs?
looks like I realize the cause of your completely different experience

* by default postscreen does RBL caching

  postconf -d postscreen_dnsbl_ttl
  postscreen_dnsbl_ttl = 1h

  postconf -n postscreen_dnsbl_ttl
  postscreen_dnsbl_ttl = 5m

* unbound supports min and max TTL

  cache-min-ttl: 270
  cache-max-ttl: 3600

well, I lowered the default 1 hour postscreen caching to 5 minutes because 1 hour feels too high given that a NXDOMAIN is also cached
I was not even aware that RBLs use *that* low TTLs of a few seconds to zero, but from my experience around 5 minutes of caching is accurate enough for 99% of all cases, and the idea was more to keep things fast at high load
on the other hand, the 3600 seconds max-ttl on the inbound MX (with its own recursing caching nameserver forwarding some mirrored zones to a rbldnsd on 127.0.0.1:1053) is intended to pick up fixed DNS errors of the sending domain (PTR fixes after rejects and so on) earlier instead of penalizing them for 24 hours in the worst case
that this helps to not exceed RBL limits is an unintentional side-effect of other optimizations and considerations, while I would *highly* recommend such settings - faced days with 500000 spam attempts, and in that case firing up multiple DNS queries to the WAN all the time is not funny :-)
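As an added illustration (not code from the thread or from Postfix/unbound), a small Python model of the two caching layers discussed above: postscreen's verdict cache (postscreen_dnsbl_ttl) sitting in front of unbound's TTL clamping (cache-min-ttl / cache-max-ttl). The retrying client and the zero-TTL DNSBL answer are constructed values; the model counts how many lookups still leave the box over the WAN and how stale a verdict can get.

```python
"""Model of postscreen DNSBL caching in front of an unbound resolver.

Constructed example: one client IP retrying every 60 seconds for an hour,
a DNSBL that answers with TTL 0, and the settings quoted in the mail.
"""


def clamp_ttl(authoritative_ttl: int, cache_min_ttl: int, cache_max_ttl: int) -> int:
    """unbound keeps an answer for max(cache-min-ttl, min(cache-max-ttl, ttl))."""
    return max(cache_min_ttl, min(cache_max_ttl, authoritative_ttl))


def simulate(events, postscreen_ttl, cache_min_ttl, cache_max_ttl, dnsbl_ttl):
    """Return the number of DNSBL queries that reach the WAN for `events`.

    events: iterable of (time_in_seconds, client_ip) connection attempts.
    postscreen remembers a verdict for postscreen_ttl seconds; only a miss
    there asks the local unbound, and only an unbound cache miss goes upstream.
    """
    wan_queries = 0
    postscreen_cache = {}  # client_ip -> verdict expiry time
    unbound_cache = {}     # client_ip -> DNS answer expiry time
    for now, ip in events:
        if postscreen_cache.get(ip, 0) > now:
            continue  # postscreen_dnsbl_ttl hit: no DNS traffic at all
        if unbound_cache.get(ip, 0) <= now:
            wan_queries += 1  # recursive lookup leaves the MX
            unbound_cache[ip] = now + clamp_ttl(dnsbl_ttl, cache_min_ttl, cache_max_ttl)
        postscreen_cache[ip] = now + postscreen_ttl
    return wan_queries


def max_staleness(postscreen_ttl, cache_min_ttl, cache_max_ttl, dnsbl_ttl):
    """Worst-case age of a verdict: postscreen cache on top of a cached answer."""
    return postscreen_ttl + clamp_ttl(dnsbl_ttl, cache_min_ttl, cache_max_ttl)


# Constructed traffic: the same client knocks every minute for one hour.
RETRY_EVENTS = [(t, "192.0.2.10") for t in range(0, 3600, 60)]

if __name__ == "__main__":
    print("default 1h postscreen, TTL-0 DNSBL:",
          simulate(RETRY_EVENTS, 3600, 270, 3600, 0))   # 1
    print("5m postscreen, TTL-0 DNSBL:       ",
          simulate(RETRY_EVENTS, 300, 270, 3600, 0))    # 12
    print("5m postscreen, 1h-TTL DNSBL:      ",
          simulate(RETRY_EVENTS, 300, 270, 3600, 3600)) # 1
    print("no caching at all:                ",
          simulate(RETRY_EVENTS, 0, 0, 3600, 0))        # 60
    print("worst-case staleness, 5m + min-ttl:",
          max_staleness(300, 270, 3600, 0))             # 570
```

The 24-hour PTR case from the mail shows up as clamp_ttl(86400, 270, 3600) == 3600: the max-ttl caps how long a corrected record stays wrong in the cache.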