Hi,

We are currently considering spamdyke for use in our network. One thing that has caused the most trouble so far is the way spamdyke does RBL queries and the way these queries interact with dnscache[1] and rbldns[2].

The issue we are having is caused by the way rbldns reacts to different types of DNS queries. According to its documentation: "rbldns rejects inverse queries, non-Internet-class queries, truncated packets, packets that contain anything other than a single query, query types other than A, TXT, or *, and queries for domains outside $BASE."

What does that mean? Let's see. If I send different types of DNS queries to rbldns directly:

---
; <<>> DiG 9.5.0-P2 <<>> a 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34567
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	A

;; Query time: 137 msec
---

---
; <<>> DiG 9.5.0-P2 <<>> txt 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62064
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	TXT

;; Query time: 139 msec
---

---
; <<>> DiG 9.5.0-P2 <<>> cname 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 63366
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	CNAME

;; Query time: 137 msec
---

So, rbldns responds with NXDOMAIN for A and TXT queries and with REFUSED for CNAME queries. But it seems dnscache doesn't like the REFUSED response and retries a few times, thus leading to some delay. See what happens when the requests are sent to dnscache:

---
; <<>> DiG 9.5.0-P2 <<>> a 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1671
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	A

;; Query time: 142 msec
---

---
; <<>> DiG 9.5.0-P2 <<>> txt 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62372
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	TXT

;; Query time: 139 msec
---

---
; <<>> DiG 9.5.0-P2 <<>> +time=15 cname 4.3.2.1.rbl.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63647
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4.3.2.1.rbl.example.com.	IN	CNAME

;; Query time: 11440 msec
---

It quickly relays the A and TXT responses, but REFUSED is translated to SERVFAIL and it took 11 seconds. We did set dns-timeout-secs=3 in spamdyke.conf, but still, because we have 2 RBLs, SMTP sessions were delayed by about 6 seconds.

Currently we have worked around this issue by using rblsmtpd[3] in front of spamdyke, and we are content with this solution. Nevertheless, it would be nice if you could choose the type of queries to be sent to a particular RBL server. The current behaviour is a bit wasteful.

[1] http://cr.yp.to/djbdns/dnscache.html
[2] http://cr.yp.to/djbdns/rbldns.html
[3] http://cr.yp.to/ucspi-tcp/rblsmtpd.html
_______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
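As an added example (not code from the post, spamdyke, or djbdns), a small Python health-check that builds the reversed-octet RBL name, sends a query of a chosen type (A, TXT, CNAME or *) to a resolver with a hard deadline, and reports the rcode and elapsed time, so an operator can spot the REFUSED/SERVFAIL slow path described above before it stalls SMTP sessions. The resolver address and the sample response bytes are constructed; the samples mirror the rcode, flag and id values from the dig output in the post.

```python
import socket
import struct
import time

# RCODE values from RFC 1035 section 4.1.1; 2/3/5 are the ones seen in the post.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "CNAME": 5, "TXT": 16, "*": 255}

def rbl_name(ip, zone):
    """Reverse the dotted-quad octets and append the RBL zone: 1.2.3.4 -> 4.3.2.1.zone"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected an IPv4 dotted quad")
    return ".".join(reversed(octets)) + "." + zone

def build_query(name, qtype, txid=0x1234):
    """Single-question, IN-class query with RD set (rbldns rejects anything else)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def parse_rcode(response):
    """Return (txid, rcode name) from the 12-byte DNS header of a response."""
    txid, flags = struct.unpack("!HH", response[:4])
    rcode = flags & 0x0F
    return txid, RCODES.get(rcode, "RCODE%d" % rcode)

def check_rbl(resolver, ip, zone, qtype="A", deadline=3.0):
    """Send one UDP query; return (rcode, seconds), with 'TIMEOUT' once the deadline passes."""
    query = build_query(rbl_name(ip, zone), qtype)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(deadline)
    start = time.monotonic()
    try:
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
        txid, rcode = parse_rcode(data)
        if txid != 0x1234:          # reply does not match our query id: treat as bogus
            rcode = "MISMATCHED_ID"
    except socket.timeout:
        rcode = "TIMEOUT"
    finally:
        sock.close()
    return rcode, time.monotonic() - start

# Constructed 12-byte response headers with the flags/rcode/id values from the dig output above.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 34567, 0x8503, 1, 0, 0, 0)   # rbldns: qr aa rd, NXDOMAIN
SAMPLE_REFUSED = struct.pack("!HHHHHH", 63366, 0x8105, 1, 0, 0, 0)    # rbldns: qr rd, REFUSED
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 63647, 0x8182, 1, 0, 0, 0)   # dnscache: qr rd ra, SERVFAIL
```

Running check_rbl("127.0.0.1", "1.2.3.4", "rbl.example.com", "CNAME") against a local dnscache in front of rbldns should reproduce the long SERVFAIL, while "A" and "TXT" return NXDOMAIN quickly; any result other than NOERROR/NXDOMAIN within the deadline is worth alerting on.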
