Re: DNS Terminology

2016-09-23 Thread Dave Funk
On Fri, 23 Sep 2016, Lindsay Haisley wrote: On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net wrote: consider that, to do the work described as "forwarding" in many of these references, the nameserver must perform a recursive query [e.g. it must perform a query with the rd bit

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net wrote: > consider that, to do the work described as "forwarding" in many of > these references, the nameserver must perform a recursive query [e.g. > it must perform a query with the rd bit set]. "A forwarding DNS server offers

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote: > > http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind > > this is bad information.  it's unfortunate it has a green check mark  > next to it.  at least it only has a 6 though. So why is this bad

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote: > On a more theoretical level, the  > fact that BIND is able to do virtually anything that anyone would ever  > want to do with a DNS server means that it has a broader potential  > attack surface in itself and is a richer prize if hijacked,

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote: Almost every week on this list you can see examples of people who are  > nominally and operationally sysadmins who have followed poor config  > advice found in dubious corners of the net or even on stale pages of the  > SA wiki, and the same

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote: > On 23 Sep 2016, at 16:10, Lindsay Haisley wrote: > > > > > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote: > > > > > > As much as I love BIND (no, seriously, I do) it's very hard to  > > > recommend  > > > it as the first choice for a

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole
On 23 Sep 2016, at 16:18, Greg Troxel wrote: > "Bill Cole" writes: > >> On 22 Sep 2016, at 23:24, John Hardin wrote: >> >>> As far as I understand it, dnsmasq cannot be used for local >>> recursion; it's purely a lightweight local DNS cache layer. >> >>

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole
On 23 Sep 2016, at 16:10, Lindsay Haisley wrote: On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote: As much as I love BIND (no, seriously, I do) it's very hard to recommend  it as the first choice for a simple recursive resolver. Setting up bind as a "simple recursive resolver" is

Re: DNS Terminology

2016-09-23 Thread listsb-spamassassin
> On Sep 23, 2016, at 17.34, Lindsay Haisley wrote: > > On Fri, 2016-09-23 at 17:10 -0400, btb wrote: >> On 2016.09.23 16.16, Lindsay Haisley wrote: >>> >>> On Fri, 2016-09-23 at 18:43 +0100, RW wrote: Right, but the question here is why isn't a forwarding server

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread John Hardin
On Fri, 23 Sep 2016, Greg Troxel wrote: "Bill Cole" writes: On 22 Sep 2016, at 23:24, John Hardin wrote: As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer. Your understanding is

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote: > On 2016.09.23 16.16, Lindsay Haisley wrote: > > > > On Fri, 2016-09-23 at 18:43 +0100, RW wrote: > > > > > > Right, but the question here is why isn't a forwarding server also a > > > recursive server? Why is the use of iteration the defining

Re: DNS Terminology

2016-09-23 Thread btb
On 2016.09.23 16.16, Lindsay Haisley wrote: On Fri, 2016-09-23 at 18:43 +0100, RW wrote: Right, but the question here is why isn't a forwarding server also a recursive server? Why is the use of iteration the defining feature of a recursive server and not the support for recursion.

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Greg Troxel
"Bill Cole" writes: > On 22 Sep 2016, at 23:24, John Hardin wrote: > >> As far as I understand it, dnsmasq cannot be used for local >> recursion; it's purely a lightweight local DNS cache layer. > > Your understanding is correct; dnsmasq is unfit for

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 18:43 +0100, RW wrote: > Right, but the question here is why isn't a forwarding server also a > recursive server? Why is the use of iteration the defining feature of > a recursive server and not the support for recursion.

Re: DNS Terminology

2016-09-23 Thread Greg Troxel
Lindsay Haisley writes: > Huh? So what's the problem with "recursion"? That's the name of the > boolean configuration option in bind9. It's about as descriptive and > clear a word as it can be. > > options { > directory "/var/cache/bind"; > recursion yes; >    

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote: > As much as I love BIND (no, seriously, I do) it's very hard to recommend  > it as the first choice for a simple recursive resolver. Setting up bind as a "simple recursive resolver" is simplicity itself. acl goodclients { 1.2.3.0/24;    

Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 21:25 +0200, Axb wrote: > On 09/23/2016 09:11 PM, RW wrote: > > > > Whatever the right and wrongs of this I think the term recursive is > > best avoided in this list. "Non-forwarding" is a lot clearer IMO. > Can we agree to: > "servers running SA should use a local non

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole
On 22 Sep 2016, at 23:24, John Hardin wrote: As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer. Your understanding is correct; dnsmasq is unfit for service as a resolver for a mail server because it cannot perform

Re: DNS Terminology

2016-09-23 Thread Axb
On 09/23/2016 09:11 PM, RW wrote: Whatever the right and wrongs of this I think the term recursive is best avoided in this list. "Non-forwarding" is a lot clearer IMO. Can we agree to: "servers running SA should use a local non forwarding resolver". That should rule out dnsmasq.

Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 14:12:30 -0400 Bill Cole wrote: > I have never seen the word "iterative" used to describe DNS recursion > or any other DNS resolution algorithm except in the context of a > resolver having multiple servers that it can query at a particular > step of the resolution process

Re: DNS Terminology

2016-09-23 Thread Dianne Skoll
Huh, why are people getting hung up on this? The distinction is based on who the DNS server will consult to provide a response to a question. An authoritative server consults its local authoritative zone database. It may or may not be willing to consult someone else for questions not in its

Re: DNS Terminology

2016-09-23 Thread John Hardin
On Fri, 23 Sep 2016, RW wrote: On Fri, 23 Sep 2016 16:57:54 + Shawn Bakhtiar wrote: Recursive server does lookups iteratively. Right, but the question here is why isn't a forwarding server also a recursive server? It may or may not be, see "forward first". A DNS server may do both.

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net
On 23.09.2016 at 20:30, John Hardin wrote: On Fri, 23 Sep 2016, li...@rhsoft.net wrote: On 23.09.2016 at 05:24, John Hardin wrote: On Thu, 22 Sep 2016, Thomas Barth wrote: > On 21.09.2016 at 16:13, li...@rhsoft.net wrote: > > > > URIBL_BLOCKED shows you are using still a dns-forwarder

Re: DNS Terminology

2016-09-23 Thread John Hardin
On Fri, 23 Sep 2016, RW wrote: On Thu, 22 Sep 2016 20:24:21 -0700 (PDT) John Hardin wrote: Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces. Focus on the "recursion" and "no forwarding" parts of that recommendation.

Re: DNS Terminology

2016-09-23 Thread btb
On 2016.09.23 12.03, RW wrote: On Thu, 22 Sep 2016 20:24:21 -0700 (PDT) John Hardin wrote: Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces. Focus on the "recursion" and "no forwarding" parts of that recommendation.

Re: DNS Terminology

2016-09-23 Thread Bill Cole
On 23 Sep 2016, at 13:43, RW wrote: On Fri, 23 Sep 2016 16:57:54 + Shawn Bakhtiar wrote: Recursive server does lookups iteratively. Right, but the question here is why isn't a forwarding server also a recursive server? Because a forward-only DNS server does not resolve queries by way

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread John Hardin
On Fri, 23 Sep 2016, li...@rhsoft.net wrote: On 23.09.2016 at 05:24, John Hardin wrote: On Thu, 22 Sep 2016, Thomas Barth wrote: > On 21.09.2016 at 16:13, li...@rhsoft.net wrote: > > > > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't > > get > > results from a

Re: DNS Terminology

2016-09-23 Thread li...@rhsoft.net
On 23.09.2016 at 19:57, RW wrote: On Fri, 23 Sep 2016 13:13:19 -0400 Sean Greenslade wrote: On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote: I've been wondering whether recursive is actually the correct term. As I understand it there are two types of DNS lookup: 1. Iterative - where

Re: DNS Terminology

2016-09-23 Thread Bill Cole
On 23 Sep 2016, at 12:03, RW wrote: On Thu, 22 Sep 2016 20:24:21 -0700 (PDT) John Hardin wrote: Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces. Focus on the "recursion" and "no forwarding" parts of that recommendation.

Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 13:13:19 -0400 Sean Greenslade wrote: > On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote: > > I've been wondering whether recursive is actually the correct term. > > > > As I understand it there are two types of DNS lookup: > > > > 1. Iterative - where results are found

Re: DNS Terminology

2016-09-23 Thread RW
On Fri, 23 Sep 2016 16:57:54 + Shawn Bakhtiar wrote: > Recursive server does lookups iteratively. Right, but the question here is why isn't a forwarding server also a recursive server? Why is the use of iteration the defining feature of a recursive server and not the support for recursion.

Re: DNS Terminology

2016-09-23 Thread Sean Greenslade
On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote: > I've been wondering whether recursive is actually the correct term. > > As I understand it there are two types of DNS lookup: > > 1. Iterative - where results are found by working down through > multiple servers from the root servers. >

Re: DNS Terminology

2016-09-23 Thread Shawn Bakhtiar
A forwarding name server simply forwards (proxies) the query to an upstream recursive server. On Sep 23, 2016, at 9:03 AM, RW wrote: On Thu, 22 Sep 2016 20:24:21 -0700 (PDT) John Hardin wrote: Lists shouldn't have said

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Thomas Barth
On 23.09.2016 at 10:47, li...@rhsoft.net wrote: that was one single line containing: * don't use dns forwarding * don't use dnsmasq (because it can only do forwarding) DNS-Resolver with Bind9 is configured now and nameserver is 127.0.0.1. No URIBL_BLOCKED=0.001 in Spam-Status anymore.

DNS Terminology

2016-09-23 Thread RW
On Thu, 22 Sep 2016 20:24:21 -0700 (PDT) John Hardin wrote: > Lists shouldn't have said "caching", that confuses the issue. Caching > and recursion are two different, unrelated pieces. > > Focus on the "recursion" and "no forwarding" parts of that > recommendation. I've been wondering whether

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net
On 23.09.2016 at 10:43, Thomas Barth wrote: On 23.09.2016 at 10:25, li...@rhsoft.net wrote: On 22.09.2016 at 21:58, Bowie Bailey wrote: On 9/22/2016 3:40 PM, Thomas Barth wrote: On 21.09.2016 at 16:13, li...@rhsoft.net wrote: fix that - use a local caching resolver with *no

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Thomas Barth
On 23.09.2016 at 10:25, li...@rhsoft.net wrote: On 22.09.2016 at 21:58, Bowie Bailey wrote: On 9/22/2016 3:40 PM, Thomas Barth wrote: On 21.09.2016 at 16:13, li...@rhsoft.net wrote: fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net
On 22.09.2016 at 21:58, Bowie Bailey wrote: On 9/22/2016 3:40 PM, Thomas Barth wrote: On 21.09.2016 at 16:13, li...@rhsoft.net wrote: fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for an inbound mailserver for me that topic

Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net
On 23.09.2016 at 05:24, John Hardin wrote: On Thu, 22 Sep 2016, Thomas Barth wrote: On 21.09.2016 at 16:13, li...@rhsoft.net wrote: URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists fix that - use a local caching resolver with