Gerben Wierda:
My standard DNS forwards to cloud9 (9.9.9.9) because cloud9 blocks bad
actors.  But that means that DNSBL from spamhaus doesn't work as the
query comes from a public DNS server.

which bad actors you need to block from mail server?

On 22.10.21 01:09, Gerben Wierda wrote:
Actually, the whole question was based on a misunderstanding what was going 
wrong.

In my log I saw this and this was a false positive for DNSBL

Oct 21 11:15:35 mail smtp/smtpd[41623]: NOQUEUE: reject: RCPT from
mta-222-103.sparkpostmail.com[147.253.222.103]: 554 5.7.1 Service
unavailable; Client host [147.253.222.103] blocked using zen.spamhaus.org;
Error: open resolver; https://www.spamhaus.org/returnc/pub/74.63.25.250;
from=<msprvs1=18928J6ijWitt=bounces-1...@sp-mail.networkapp.eu>
to=<gerben.wie...@rna.nl> proto=ESMTP helo=<mta-222-103.sparkpostmail.com>

I wrongly concluded that this had to do with me using a forwarder in my DNS
resolver setup (unbound forwarding to a public resolver like 9.9.9.9), but
it had nothing to do with that.

oh, YES, it was exactly caused by that.  spamhaus and other DNS lists block
IP addresses that send too many queries, and open resolvers do indeed send too
many queries.

What actually was the case that I had to update my main.cf from

postscreen_dnsbl_sites = zen.spamhaus.org

to

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

because spamhaus has added extra answers that are not about the IP checked,
but about DNSBL itself and the query.  What still eludes me is why this
false positive was not happening all the time but only now and then.  Most
of the time DNSBL worked fine,

this will stop you from blocking clients due to being blocked by spamhaus,
but it will not stop you from being blocked by spamhaus.

simply, don't forward DNS queries from mailserver to any public resolvers.
Configure local resolver to do resolution by itself, most of DNS servers
(BIND, unbound, knot-resolver) can do that properly, I think that dnsmasq is
the one that can't (it's not designed to do that).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
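As an added illustration of the two points above (not code from the thread or from Postfix), this simulates how the `postscreen_dnsbl_sites` filter syntax `zen.spamhaus.org=127.0.0.[2..11]` separates real listings from informational error answers. The DNSBL answers are constructed; the 127.255.255.254 value is assumed to be the "open resolver" error code behind the log line quoted in the thread.

```python
import re

# Constructed DNSBL A-record answers, standing in for real lookups against
# zen.spamhaus.org. 127.255.255.254 imitates the "open resolver" error answer
# seen in the thread's log (assumed to be one of the DNSBL's 127.255.255.x
# error codes; check the list operator's documentation for the exact values).
SAMPLE_ANSWERS = {
    "147.253.222.103": ["127.255.255.254"],        # error answer, not a listing
    "198.51.100.7":    ["127.0.0.2", "127.0.0.4"],  # constructed listed host
    "203.0.113.9":     [],                          # NXDOMAIN: not listed
}

# One octet pattern is either a Postfix-style range "[a..b]" or a single number.
_TOKEN = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")

def parse_filter(flt):
    """Turn '127.0.0.[2..11]' into four (lo, hi) octet ranges."""
    ranges = []
    for lo, hi, single in _TOKEN.findall(flt):
        if single:
            ranges.append((int(single), int(single)))
        else:
            ranges.append((int(lo), int(hi)))
    if len(ranges) != 4:
        raise ValueError("malformed postscreen_dnsbl_sites filter: %s" % flt)
    return ranges

def answer_matches(answer, ranges):
    """True when every octet of the DNSBL answer falls inside the filter."""
    octets = [int(o) for o in answer.split(".")]
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, ranges))

def site_hits(entry, answers):
    """Answers for one postscreen_dnsbl_sites entry that count as listings."""
    domain, _, flt = entry.partition("=")
    if not flt:
        return list(answers)  # unfiltered entry: any answer at all is a hit
    return [a for a in answers if answer_matches(a, parse_filter(flt))]

def would_block(entry, client, answers=SAMPLE_ANSWERS):
    """postscreen default policy: weight 1 per matching site, threshold 1."""
    return len(site_hits(entry, answers.get(client, []))) >= 1

if __name__ == "__main__":
    for entry in ("zen.spamhaus.org", "zen.spamhaus.org=127.0.0.[2..11]"):
        for client in SAMPLE_ANSWERS:
            print("%-35s %-16s block=%s" % (entry, client, would_block(entry, client)))
```

Without the filter the error answer is indistinguishable from a listing, which is the false positive in the log; with it, the same client passes, but the error still means the list operator is rejecting the resolver's queries.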
