Re: spamassassin and caching nameservers
On Tue, 23 Aug 2016, Alex wrote:
> Hi,
> On Mon, Aug 22, 2016 at 11:52 PM, Bill Cole wrote:
>> On 22 Aug 2016, at 21:15, Alex wrote:
>>> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
>>> queries, etc for this purpose?
>>
>> Nope. rbldnsd is only an authoritative server and does not do any resolution
>> via other servers or caching of records for which it is not authoritative.

Some of the confusion about rbldnsd MIGHT stem from the following page:
https://wiki.apache.org/spamassassin/CachingNameserver

Specifically the section: Installing rbldnsd as a Caching Nameserver

The caching there isn't really caching. It's serving from local copies of rsynced blacklists. It doesn't help that the page which it links to for a guide is hosted on a server that is down.

-- 
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH
Re: spamassassin and caching nameservers
Hi,

On Mon, Aug 22, 2016 at 11:52 PM, Bill Cole wrote:
> On 22 Aug 2016, at 21:15, Alex wrote:
>
>> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
>> queries, etc for this purpose?
>
> Nope. rbldnsd is only an authoritative server and does not do any resolution
> via other servers or caching of records for which it is not authoritative.
>
> If you have some solid reason to believe that the problem is BIND (which
> seems unlikely to me...) it might be a good idea to analyze exactly what the
> mechanics of the problem are and pick alternative software which is designed
> to be a caching recursive resolver AND which won't have exactly the same
> problem(s).

Yes, I'm learning that about rbldnsd now too. I also agree about bind - it's always performed well, and it's a perfectly robust box that it was running on, so I'm confused about the problem. I also really didn't want to introduce another application unique to this one box.

It looks like I've isolated the problem down to a configuration error on the system that was making one of the backup nameservers unreachable, resulting in some query timeouts.

Thanks,
Alex
Re: spamassassin and caching nameservers
On 22 Aug 2016, at 21:15, Alex wrote:
> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
> queries, etc for this purpose?

Nope. rbldnsd is only an authoritative server and does not do any resolution via other servers or caching of records for which it is not authoritative.

If you have some solid reason to believe that the problem is BIND (which seems unlikely to me...) it might be a good idea to analyze exactly what the mechanics of the problem are and pick alternative software which is designed to be a caching recursive resolver AND which won't have exactly the same problem(s).

One example of a pure caching recursive resolver is Unbound. It might meet your needs and it definitely is simpler to configure than BIND because it (like rbldnsd) is focused on a narrow subset of the broad range of functions done by things we call nameservers, whereas BIND is designed to do anything anyone might reasonably want a nameserver to do.

I run mail systems using a mix of Unbound and BIND for local caching, and I can't see any reason to believe that BIND performs objectively worse than Unbound in that role. One nice thing about BIND is that you can make it log profusely so that you can figure out where the delays are in doing a particular query.

My bet would be that what you're seeing isn't BIND being slow, but rather an external issue. 2 common problems:

1. Live IPv6 interfaces on a machine with no or very poor IPv6 connectivity. In this circumstance, BIND running without the "-4" option (or Unbound with its default do-ip6=yes) will sometimes try to query an IPv6 authoritative nameserver for a name, eventually time out and then try an IPv4 nameserver. This is particularly pernicious in circumstances where you have one hop of IPv6 connectivity but your provider doesn't really have robust IPv6 connectivity and so you can't get to some places, often intermittently and variably.

2. Many cable providers these days hijack DNS queries by default for mostly sleazy but perfectly legal reasons, often justifying the practice with hand-waving about security (i.e. saving users from themselves by not resolving the names of miscreant domains.) This causes direct intentional breakage that often manifests as queries that time out (they should 'SERVFAIL' "bad" names but some do not.) It also can cause bottlenecks at the provider's hijacking routers and/or DNS servers (particularly during peak times) exacerbated by UDP being unreliable by design.

Could BIND itself be the culprit? Sure, it COULD, but it's not a good default scapegoat for sporadic timeouts in a local caching resolver.
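As an added illustration (not configuration posted by anyone in this thread), here is a minimal Unbound server block that does what Alex asked of rbldnsd: listen on localhost/53 in place of BIND, recurse from the root rather than forward to the provider's resolvers, and disable IPv6 transport as Bill's first point suggests. The file path is an assumption; every directive is a standard unbound.conf option.

```conf
# /etc/unbound/unbound.conf  (path assumed; added example, not from the thread)
server:
    # Listen only on the loopback address spamd queries, replacing BIND on localhost/53
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Full recursion from the root. No forward-zone is configured, so the
    # cable provider's hijacking resolvers (Bill's problem 2) are never used.
    # Unbound has built-in root hints; a local copy is optional:
    # root-hints: "/etc/unbound/root.hints"

    # Bill's problem 1: with a live but poorly connected IPv6 interface the
    # resolver tries an IPv6 authoritative server, times out, then retries
    # over IPv4. Unbound's default is "do-ip6: yes"; setting it to "no" is
    # the equivalent of running BIND with -4.
    do-ip4: yes
    do-ip6: no

    # Refresh popular DNSBL answers before they expire so spamd rarely
    # waits on a cold lookup.
    prefetch: yes

    # Per-query logging comparable to BIND's, to see where a slow query
    # spends its time; drop verbosity to 1 once the problem is found.
    verbosity: 2
    log-queries: yes
    log-time-ascii: yes
```

Validate the file with `unbound-checkconf` before pointing /etc/resolv.conf at 127.0.0.1.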
Re: spamassassin and caching nameservers
Not sure if this helps but I use bind dlz with a mysql back-end as DNSBL of last resort. We get the IP addresses from honeypot emails, and it works pretty good. I have a daemon running in the background that uses a few intermediary tables with metrics like last seen, rate, total count, etc.. to make the final zone table which Sendmail queries (or SA if you wish).

http://bind-dlz.sourceforge.net/mysql_driver.html

How you populate the backend table is up to you. I'm sure there are lists you can download to populate the data, mitigating the need to make the DNS query, but I don't use this as the first line of defense, it is our last line of defense before we engage SA.

On Aug 22, 2016, at 7:04 PM, Rob McEwen wrote:
> On 8/22/2016 9:15 PM, Alex wrote:
>> Has anyone configured it as a local caching nameserver, and if so,
>> could you share your config?
>
> Correct me if I'm wrong... but... I'm almost positive that rbldnsd acts
> ONLY as an authoritative name server, and not ever as a caching name
> server. I don't think there is functionality to either fetch root hints or
> to do catch-all forwarding to an upstream DNS server for just any host
> names. Instead, it only serves up the zones that it is specifically told to
> serve at startup, using the physical source data files to which those zones
> point. It was designed from the ground up only to serve as a dumbed down
> locally hosted DNS, only for serving DNSBLs where the data files are found
> locally. It makes up for the lack of more extensive DNS features with
> blazing speed and very low memory overhead.
>
> -- 
> Rob McEwen
Re: spamassassin and caching nameservers
On 8/22/2016 9:15 PM, Alex wrote:
> Has anyone configured it as a local caching nameserver, and if so,
> could you share your config?

Correct me if I'm wrong... but... I'm almost positive that rbldnsd acts ONLY as an authoritative name server, and not ever as a caching name server. I don't think there is functionality to either fetch root hints or to do catch-all forwarding to an upstream DNS server for just any host names. Instead, it only serves up the zones that it is specifically told to serve at startup, using the physical source data files to which those zones point.

It was designed from the ground up only to serve as a dumbed down locally hosted DNS, only for serving DNSBLs where the data files are found locally. It makes up for the lack of more extensive DNS features with blazing speed and very low memory overhead.

-- 
Rob McEwen
Re: spamassassin and caching nameservers
For what it's worth I use PowerDNS for a recursive nameserver and happy with it. Very easy to set up.

On 08/22/16 18:15, Alex wrote:
> Hi all,
>
> I've just set up spamassassin on a cable connection that appears to have
> sporadic DNS timeouts using bind. It shouldn't be so slow that queries
> time out, but apparently they are. I'm hoping rbldnsd would provide that
> additional responsiveness needed.
>
> I've set up rbldnsd before, to be used as a way to query a local RBL.
> Has anyone configured it as a local caching nameserver, and if so,
> could you share your config?
>
> I'd like it to listen on localhost/53 in place of bind and I would think
> I would need the root zones in there somewhere, but there doesn't appear
> to be many examples of doing this out there to reference.
>
> Is it a full-fledged nameserver, suitable enough for MX, A, TXT,
> queries, etc for this purpose?
>
> Thanks,
> Alex

-- 
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
spamassassin and caching nameservers
Hi all,

I've just set up spamassassin on a cable connection that appears to have sporadic DNS timeouts using bind. It shouldn't be so slow that queries time out, but apparently they are. I'm hoping rbldnsd would provide that additional responsiveness needed.

I've set up rbldnsd before, to be used as a way to query a local RBL. Has anyone configured it as a local caching nameserver, and if so, could you share your config?

I'd like it to listen on localhost/53 in place of bind and I would think I would need the root zones in there somewhere, but there doesn't appear to be many examples of doing this out there to reference.

Is it a full-fledged nameserver, suitable enough for MX, A, TXT, queries, etc for this purpose?

Thanks,
Alex