On 16.09.2015 at 15:22, Marc Richter wrote:
All this is true.

As you already pointed out in a previous post, resolving is quite slow
on that host. I have no influence on the networking around that box. So
I did not want other things starting to go slow by this.

well, and there unbound with "cache-min-ttl: 3600" on 127.0.0.1 will save you a ton of DNS requests outside your network for repeatedly hammering clients / urls, the ones which are not very active are most likely in no cache anyways

"cache-min-ttl" is AFAIK an unbound-only feature because it violates RFCs but in case of a mailserver it's your decision and if you don't set it for days normally not a problem

you just need to weigh up caching/timing and how much junk slips because you cache a NXDOMAIN for a DNSBL/URIBL while 10 minutes later it may be listed

you need also to look very carefully if it always is that slow or just for some domains - the slowdown can also be caused by the DNS server responsible for a domain/PTR-zone and you would only benefit from the ISP cache if another user already asked the same question there, if not you have to wait the same time because the ISP cache can't make the SOA server faster

On 16.09.2015 at 13:43, Reindl Harald wrote:

On 16.09.2015 at 13:38, Marc Richter wrote:
On 16.09.2015 at 11:41, Axb wrote:
Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is
described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out
why.

are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };

looks like this is it! I changed this as suggested and sent myself some
spams. The DNSBL checks are working now, thank you :)

you need to maintain this every time domains / subdomains are changing
and probably new lists are added - you need to take care about all of
this when rule-updates arrive

* what about barracuda RBL
* what about mailspike

both used in SA and not mentioned there

a local unbound cache with 64-128 MB RAM and a minimal TTL of 10 minutes
would save you a lot of headache and result in even better caching


--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm
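
An added example, not part of the original thread: a small audit of a BIND configuration for the maintenance problem discussed above, reporting which DNSBL/URIBL zones have a non-forwarding exemption and which only exempt the list zone but not its parent (the `multi.uribl.com` without `uribl.com` state that the thread reports as not working). The configuration text, the forwarder address and the list of zones are constructed sample inputs; the Barracuda and Mailspike zone names are assumptions, since the thread names the lists but not their zones.

```python
import re

# 'type forward' zones with an empty forwarders list, the exemption form quoted in the thread.
EXEMPT_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{[^{}]*\btype\s+forward\s*;[^{}]*'
    r'\bforwarders\s*\{\s*\}\s*;[^{}]*\}\s*;', re.IGNORECASE)

def exempt_zones(named_conf):
    """Return the zone names declared with 'forwarders {};'."""
    return {z.lower().rstrip(".") for z in EXEMPT_RE.findall(named_conf)}

def ancestors(name):
    """The name and its parent domains down to two labels, most specific first."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def audit(named_conf, list_zones):
    """Map each list zone to 'ok', 'parent-missing' or 'forwarded'."""
    exempt = exempt_zones(named_conf)
    report = {}
    for zone in list_zones:
        chain = ancestors(zone)
        # Assumption: an exemption on a parent domain also covers the list zone below it.
        if any(a in exempt for a in chain[1:]) or (len(chain) == 1 and chain[0] in exempt):
            report[zone] = "ok"
        elif chain[0] in exempt:
            # Only the list zone itself is exempt: the failing state from the thread.
            report[zone] = "parent-missing"
        else:
            report[zone] = "forwarded"
    return report

# Constructed sample input (192.0.2.53 is a documentation address).
SAMPLE_CONF = '''
options { forwarders { 192.0.2.53; }; };
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "spamhaus.org" { type forward; forward first; forwarders {}; };
'''
# Assumed zone names for the lists mentioned in the thread.
SAMPLE_ZONES = ["multi.uribl.com", "zen.spamhaus.org",
                "b.barracudacentral.org", "bl.mailspike.net"]

if __name__ == "__main__":
    for zone, status in audit(SAMPLE_CONF, SAMPLE_ZONES).items():
        print(f"{zone:28} {status}")
```

Rerunning it with the zone list taken from the installed rules after each rule update shows which lists would still be queried through the forwarder.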
