On Fri, 11 Oct 2002, David Morris wrote:

> If my SMTP proxy is using the DNS for the RBL lookup, then is it using the
> DNS configured as the external DNS? If so, I wouldn't want to subscribe
> on behalf of all of my ISP's DNS clients.

(I just verified some information with our developers, to be sure.)

It will use your external nameservers, in listed order.

> Then my question remains, what IP is used for the queries outbound from my
> DNS? The DNS IP used to contact the DNS externally OR the primary address
> assigned to my EXT interface and hence used for NATed requests?

If your configured external nameserver is inside your GNATBox protected
networks:

If you have an explicit static map in place for your internal DNS server
(for example, your internal DNS server is 192.168.71.50, and you have a
static map in place that maps 192.168.71.50 to a specific external address),
then that external address will be the source of the requests.

If you do not have a specific mapping, the primary address of your external
interface will be the source address.

> Also, are you sure that the SMTP proxy uses a local DNS for the RBL query?

It uses standard DNS lookup routines. It sends its request to the first
listed recursive server. (If that listed server is merely a forwarder, it
will forward the request to an appropriate recursive server.) If the first
listed server fails to reply, it moves on to the second listed server.

That server asks the root servers who is authoritative for the TLD (.com,
.org, .net, etc.). The recursive server then asks the authoritative servers
for the TLD who's responsible...and so on. The recursive server, unless
configured otherwise, will cache this information so it doesn't have to
retrieve it as frequently.

A manual example:

why:/home/keen%> dnsq ns 2.0.0.127.spews.relays.osirusoft.com a.root-servers.net
2 2.0.0.127.spews.relays.osirusoft.com:
479 bytes, 1+0+13+13 records, response, noerror
query: 2 2.0.0.127.spews.relays.osirusoft.com
authority: com 172800 NS a.gtld-servers.net
authority: com 172800 NS g.gtld-servers.net
authority: com 172800 NS h.gtld-servers.net
authority: com 172800 NS c.gtld-servers.net
(snip. more gtld-servers follow)

why:/home/keen%> dnsq ns 2.0.0.127.spews.relays.osirusoft.com a.gtld-servers.net
2 2.0.0.127.spews.relays.osirusoft.com:
183 bytes, 1+0+4+4 records, response, noerror
query: 2 2.0.0.127.spews.relays.osirusoft.com
authority: osirusoft.com 172800 NS ns1.osirusoft.com
authority: osirusoft.com 172800 NS ns2.osirusoft.com
authority: osirusoft.com 172800 NS ns3.osirusoft.com
authority: osirusoft.com 172800 NS ns4.osirusoft.com
(snip)

why:/home/keen%> dnsq txt 2.0.0.127.spews.relays.osirusoft.com ns2.osirusoft.com
16 2.0.0.127.spews.relays.osirusoft.com:
318 bytes, 1+1+2+10 records, response, authoritative, weird ra, noerror
query: 16 2.0.0.127.spews.relays.osirusoft.com
answer: 2.0.0.127.spews.relays.osirusoft.com 43200 16 )[1]\040TEST,\040see\040http://spews.org/ask.cgi?S1
authority: relays.osirusoft.com 43200 NS ns1-relays.osirusoft.com
authority: relays.osirusoft.com 43200 NS ns2-relays.osirusoft.com
(snip)

If you still plan on signing up with MAPS, it would probably be a good idea
to set up a new recursive server to use for "external" DNS requests. It would
be a good idea to put it in a PSN, as well, and limit access to it.

...david

---
David Raistrick
Systems Administrator - Global Technology Associates, Inc
[EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages:
http://www.mail-archive.com/[email protected]
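The lookup that the manual dnsq trace above walks through by hand (reverse the
octets of the address, append the DNSBL zone, query the name, read the A/TXT
answer) is shown below as an added Python example. It is not code from the
thread or from GNATBox; the zone name and the TXT rdata are taken from the
dnsq output above, while the `check_dnsbl` helper, the injectable resolver and
the constructed in-memory answer table are assumptions made here so the script
runs offline. The example also decodes dnsq's raw TXT printing, where the
leading `)` is the character-string length byte (0x29 = 41) and `\040` is an
octal escape for a space.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

# Zone from the dnsq example in the message above.
EXAMPLE_ZONE = "spews.relays.osirusoft.com"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets + zone (127.0.0.2 -> 2.0.0.127.<zone>)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def decode_dnsq_txt(raw: str) -> str:
    """Decode TXT rdata as dnsq prints it.

    dnsq emits the raw rdata bytes: printable ones as themselves, the rest as
    three-digit octal escapes. The rdata is one or more <length byte><chars>
    character-strings, so the first byte (')' in the example) is a length, not data.
    """
    data = bytes(
        int(m.group(1), 8) if m.group(1) else ord(m.group(0))
        for m in re.finditer(r"\\([0-7]{3})|.", raw)
    )
    parts, i = [], 0
    while i < len(data):
        n = data[i]
        parts.append(data[i + 1 : i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return "".join(parts)


# A resolver maps a name to an IPv4 answer string, or None for NXDOMAIN/no answer.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the host's configured nameservers (a real lookup; not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zone: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Query a DNSBL for ip and interpret the answer.

    By convention a listing answers with an address in 127.0.0.0/8; an answer
    outside that range is treated as a malfunctioning zone, not as a listing,
    so a broken or wildcarded zone does not silently block all mail.
    """
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    listed = False
    suspicious = False
    if answer is not None:
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            listed = True
        else:
            suspicious = True
    return {"query": name, "answer": answer, "listed": listed, "suspicious": suspicious}


# Constructed answer table standing in for a live DNSBL (assumption; not real data).
FAKE_ZONE_DATA = {
    dnsbl_query_name("127.0.0.2", EXAMPLE_ZONE): "127.0.0.2",  # the standard test entry
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10"):
        print(check_dnsbl(ip, EXAMPLE_ZONE, fake_resolver))
    print(decode_dnsq_txt(r")[1]\040TEST,\040see\040http://spews.org/ask.cgi?S1"))
```

Passing `system_resolver` instead of `fake_resolver` sends the query through
whatever nameservers the host is configured with, which is the point of the
message above: the source address of that query is the resolver's, so it is
worth checking which resolver (and which NAT mapping) answers before subscribing.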
