RE: response-policy zones from spamhaus.org
Hi Tony,

Many thanks for the hint.
My mistake: no dot at the end in the domain name for the passthru statement.

Kind regards
Hans

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Monday, October 9, 2017 12:09 PM
To: MAYER Hans <hans.ma...@iiasa.ac.at>
Cc: bind-us...@isc.org
Subject: Re: response-policy zones from spamhaus.org

MAYER Hans <hans.ma...@iiasa.ac.at> wrote:
>
> I also tried to define these records in my own RPZ and hoping it has
> higher priorities.

It should work if you put your passthru RPZ before any blocking RPZs.

A tangential aside...

The ordering in a response-policy section can affect performance, as well
as which policies take priority. I set `qname-wait-recurse no`, and I list
RPZs that do not require recursion (because they only contain `qname` and
`rpz-client-ip` triggers) before RPZs with unrestricted triggers.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Easterly or northeasterly 4 or 5 in southeast, otherwise variable 3
or 4. Slight or moderate. Fair. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: response-policy zones from spamhaus.org
MAYER Hans wrote:
>
> I also tried to define these records in my own RPZ and hoping it has
> higher priorities.

It should work if you put your passthru RPZ before any blocking RPZs.

A tangential aside...

The ordering in a response-policy section can affect performance, as well
as which policies take priority. I set `qname-wait-recurse no`, and I list
RPZs that do not require recursion (because they only contain `qname` and
`rpz-client-ip` triggers) before RPZs with unrestricted triggers.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Easterly or northeasterly 4 or 5 in southeast, otherwise variable 3
or 4. Slight or moderate. Fair. Good.
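An added example, not part of the thread and not anyone's posted configuration: a named.conf sketch of the ordering Tony describes, with a locally maintained passthru zone listed ahead of the Spamhaus zone. The zone name allow.rpz.example, the file names and the 192.0.2.1 master address are placeholders; the passthru zone file is shown inside the comment.

```conf
// Added illustration. allow.rpz.example, the file names and 192.0.2.1
// are placeholders, not values from the thread.

options {
    // Zones are consulted in the order listed; the first zone with a
    // matching record decides. The local passthru zone holds only
    // QNAME triggers, so it needs no recursion and goes first.
    response-policy {
        zone "allow.rpz.example";                  // local passthru list
        zone "bad-nameservers.rpz.spamhaus.org";   // blocking feed
    } qname-wait-recurse no;
};

zone "allow.rpz.example" {
    type master;
    file "db.allow.rpz.example";
};

zone "bad-nameservers.rpz.spamhaus.org" {
    type slave;
    masters { 192.0.2.1; };    // placeholder for the feed's master
    file "db.bad-nameservers.rpz.spamhaus.org";
};

/* Contents of db.allow.rpz.example (zone-file syntax).
   Trigger owner names are relative to the zone origin, so they are
   written WITHOUT a trailing dot; the rpz-passthru. target is an
   absolute name and is written WITH one.

$TTL 300
@               SOA   localhost. hostmaster.localhost. 1 3600 600 86400 300
                NS    localhost.
airindia.in     CNAME rpz-passthru.
*.airindia.in   CNAME rpz-passthru.
*/
```

After a reload, a dig for www.airindia.in against this resolver should return the real answer without the Spamhaus SOA record in the additional section.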
Re: response-policy zones from spamhaus.org
On 07-10-2017 21.36, MAYER Hans wrote:
>
> Dear All,
>
> We are using response-policy zones as a service from spamhaus.org
> This is used for web access as well as for SMTP ( incoming and outgoing )
> Actually this worked fine over years.
> Now we have the situation if I dig www.airindia.in I get as result
>
> ;; ADDITIONAL SECTION:
> bad-nameservers.rpz.spamhaus.org. 60 IN SOA need.to.know.only.
> hostmaster.spamhaus.org. 1507403414 300 60 432000 60
>
> This indicates that it is listed in the bad-nameservers.rpz.spamhaus.org
> database from spamhaus.org which I have configured as a slave zone in my DNS
> server.
> Our employees are travelling a lot and therefore it is not acceptable that
> the Indian Airline is not reachable.
>
> Such zones are defined as type slave. Therefore it’s not possible to update
> such a zone.
> I also tried to define these records in my own RPZ and hoping it has higher
> priorities. But it isn’t.
> Finally I tried a forward only zone for airindia.in to a server in my
> environment which does not use RPZ. But this doesn’t work too.
>
> Any ideas how I could shade or overwrite the content of RPZ ?

I would look at the mail server configuration. It might be possible to add
a positive list in front of the spamhaus lookup.

>
> I am using BIND 9.11.2
>
>
> Kind regards
> Hans
>

--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"
response-policy zones from spamhaus.org
Dear All,

We are using response-policy zones as a service from spamhaus.org
This is used for web access as well as for SMTP ( incoming and outgoing )
Actually this worked fine over years.
Now we have the situation if I dig www.airindia.in I get as result

;; ADDITIONAL SECTION:
bad-nameservers.rpz.spamhaus.org. 60 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1507403414 300 60 432000 60

This indicates that it is listed in the bad-nameservers.rpz.spamhaus.org
database from spamhaus.org which I have configured as a slave zone in my DNS
server.
Our employees are travelling a lot and therefore it is not acceptable that
the Indian Airline is not reachable.

Such zones are defined as type slave. Therefore it’s not possible to update
such a zone.
I also tried to define these records in my own RPZ and hoping it has higher
priorities. But it isn’t.
Finally I tried a forward only zone for airindia.in to a server in my
environment which does not use RPZ. But this doesn’t work too.

Any ideas how I could shade or overwrite the content of RPZ ?

I am using BIND 9.11.2

Kind regards
Hans