On 05/03/2022 19:26, Gerben Wierda wrote:
On 5 Mar 2022, at 18:23, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On 05.03.22 12:43, Gerben Wierda wrote:
A forward zone without a forward address gives SERVFAIL

But I was able to use

forward-zone:
        name: "spamhaus.org"
        forward-addr: 127.0.0.1@1053 # do not resolve spamhaus via public DNS resolvers

Because I have a second non-forwarding unbound running on port 1053 for rspamd already (which has more or less the same issue, but which, unlike postfix, can be told to use a different name server itself).

So, you have multiple SW installed that have problems with forwarding DNS, but you insist on forwarding DNS?

Yes, because forwarding to quad9 (9.9.9.9) has advantages in that it will not resolve known bad actors. This adds to the protection of my users who use my DNS resolver. The two that are having problems (postfix - DNSBL, and rspamd) are exceptions to the rule. rspamd can be configured to use a different resolver than the default resolver, postfix can't.

For anyone who uses bind as their local resolver, this is a simplified forwarding setup (file /etc/bind/named.conf.options):

options {
        directory "/var/cache/bind";
        // forwarding to Cloudflare and Quad9, alter per your preferences
        forwarders { 1.1.1.1; 9.9.9.9; };
};
// Disable forwarding for DNSBL queries
zone "zen.spamhaus.org" { type forward; forwarders {}; };
// add further DNSBL zones to taste...

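The thread explains that DNSBL lookups (zen.spamhaus.org for postfix and rspamd) must not go through a public forwarder, but not what the failure actually looks like on the wire. The following is an added example, not code from the thread or from any of the projects mentioned: it builds the reversed-address DNSBL query name and interprets the A records that come back, distinguishing real listings from Spamhaus' documented error answers (the 127.255.255.x codes, of which 127.255.255.254 is the "query via public/open resolver" signal). The two answer tables are constructed for the example and stand in for a forwarding resolver and a directly-resolving one; nothing here touches the network.

```python
import ipaddress

# Spamhaus' documented zen.spamhaus.org return codes (real values, but not
# taken from the thread above; the listing table is not exhaustive).
# 127.0.0.x means "listed"; 127.255.255.x answers are error signals and
# must never be treated as a listing.
ZEN_LISTINGS = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # CSS component of SBL
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver (e.g. 1.1.1.1, 9.9.9.9)",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(ip, zone):
    """Build the reversed-address DNSBL name, e.g. 2.0.0.127.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 DNSBL names reverse the 32 hex nibbles of the expanded address.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def classify_dnsbl_answer(answers):
    """Interpret the A records returned for a DNSBL lookup.

    An empty list stands for NXDOMAIN, i.e. the address is not listed.
    """
    if not answers:
        return {"status": "not_listed"}
    lists, errors = [], []
    for a in answers:
        if a in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[a])
        elif a in ZEN_LISTINGS:
            lists.append(ZEN_LISTINGS[a])
        else:
            errors.append("unexpected answer " + a)
    if errors:
        # Any error code means the DNSBL is unusable through this resolver.
        # Treating it as a listing would reject all mail; treating it as
        # "not listed" would silently disable the check.
        return {"status": "error", "reasons": errors}
    return {"status": "listed", "lists": sorted(set(lists))}


def check_dnsbl(ip, zone, resolve):
    """resolve(name) must return the list of A records, [] for NXDOMAIN."""
    return classify_dnsbl_answer(resolve(dnsbl_query_name(ip, zone)))


# Constructed answers for Spamhaus' own test entry (127.0.0.2), standing in
# for a resolver that forwards to a public resolver and for one that queries
# zen.spamhaus.org directly. Made up for the example; no network access.
_TEST_NAME = dnsbl_query_name("127.0.0.2", "zen.spamhaus.org")
VIA_PUBLIC = {_TEST_NAME: ["127.255.255.254"]}
DIRECT = {_TEST_NAME: ["127.0.0.2", "127.0.0.4", "127.0.0.10"]}


def resolve_via(table):
    """Fake resolver backed by a dict of name -> A records."""
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    for label, table in (("forwarded to public resolver", VIA_PUBLIC),
                         ("resolved directly", DIRECT)):
        print(label, check_dnsbl("127.0.0.2", "zen.spamhaus.org", resolve_via(table)))
```

The practical consequence for postfix is that a bare `reject_rbl_client zen.spamhaus.org` treats any A answer as a listing, so the 127.255.255.254 error answer would reject every client; restricting the match to listing codes (`reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]`) turns that failure into "not listed" instead, which is safer but still means the DNSBL is silently doing nothing until the forwarding exception above is in place.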