> From: Bill Cole <sausers-20150...@billmail.scconsult.com>
> Sent: Wednesday, May 25, 2016 10:09 AM
> To: SA-Users
> Subject: Re: Odd results when using whitelisting
>
> On 24 May 2016, at 15:58, David Jones wrote:
>> Dnsmasq is a very powerful DNS server

I meant that it has lots of options and can do some pretty slick stuff. It can handle a heavy load too. It's used all over the place, not just in home routers / blue plastic boxes.

> LOL. Its man page (see http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with the implied admission that it isn't even a "real" DNS server: which it isn't. It's a bloatware DNS proxy. For many years its default configuration made it an open resolver with no mitigation for DNS amplification attacks and it is still being distributed that way by some packagers.
>
> BIND is a "very powerful" DNS server. It also sucks much less than it used to but has such a rococo feature set that it probably shouldn't be used by anyone who doesn't treat DNS as an artistic medium. Using it for straightforward caching and autonomous recursive resolution is a widespread practice in the same way that using full-size SUVs for suburban commuting is a widespread practice.
>
> Unbound is a very good recursive resolution and caching DNS server, which is the functionality one actually needs on a modern mail server (or on the same physical LAN) to keep DNS from being a bottleneck. Because it is not an authoritative server, it lacks much of BIND's "power" along with most of the features that have been involved in the last dozen or so BIND vulnerabilities.

I prefer PowerDNS recursor over BIND and Unbound, which is definitely a very powerful DNS recursive server. Dnsmasq could be set up to forward to pdns-recursor to solve this problem.

>> so I am sure it can be configured to do full recursive lookups

Ok. I was wrong.

> See the cited man page, which almost clearly says otherwise:
>
>     Dnsmasq is a DNS query forwarder: it it [sic] not capable of recursively answering arbitrary queries starting from the root servers
>
> For its design target, Dnsmasq is an acceptable hack: a local DNS cache for small routers serving typical home networks that also does DHCP. It simply isn't fit for a mail server using modern anti-spam measures, not just because it must forward to a real DNS server on the other side of a WAN link and usually at least 2 routing hops which is probably URIBL_BLOCKED anyway, but also because it is normally run on devices that have very tight memory constraints, limiting its cache.

The OP wants to continue to use dnsmasq because it's integrated into his distro tightly, so I recommend he set up a recursive DNS server like pdns-recursor, BIND, unbound, etc. on a different port and forward dnsmasq to it. I expect his mail flow is very light so this will work fine.
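The arrangement David recommends, written out as an added example that is not part of the thread: dnsmasq stays the local cache/forwarder on port 53, while pdns-recursor on the same host does real recursion from the roots on an alternate port. The port 5353, the 192.0.2.53 upstream and the cache size are assumed placeholder values, not anything from the original posts.

```ini
# --- /etc/dnsmasq.conf (fragment) ---
# Before: dnsmasq takes its upstream from /etc/resolv.conf, so every
# RBL/URIBL lookup SpamAssassin makes leaves through a shared WAN resolver,
# the situation the thread associates with URIBL_BLOCKED.
#   server=192.0.2.53        # constructed example of a WAN/ISP resolver

# After: ignore /etc/resolv.conf and forward everything to the local
# recursor on 127.0.0.1 port 5353 (port chosen here as an assumption).
no-resolv
server=127.0.0.1#5353

# Answer only on loopback so dnsmasq is not reachable as an open resolver.
listen-address=127.0.0.1
bind-interfaces

# --- /etc/powerdns/recursor.conf (fragment) ---
# pdns-recursor binds to loopback on the alternate port, so it does not
# collide with dnsmasq on 53, and accepts queries only from this host.
local-address=127.0.0.1
local-port=5353
allow-from=127.0.0.0/8

# A larger cache suits anti-spam lookups better than a router-class
# forwarder; the value is an assumption, tune it to available memory.
max-cache-entries=500000
```

To verify the chain, query the recursor directly with `dig @127.0.0.1 -p 5353 example.com` and then through dnsmasq with `dig @127.0.0.1 example.com`; both should answer, and a second dnsmasq query should come back from its cache.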