I've been using dnsmasq myself on a list server, with DHCP disabled, and configured to answer only localhost, for caching. The stock package seems limited to 10,000 entries BTW. But it seemed fairly bug-free as opposed to nscd, and simple to set up unlike BIND.
Gladly switch to something else. Thanks for mentioning unbound; I had never heard of this before.

________________________________________
From: Nick Howitt <n...@howitts.co.uk>
Sent: Wednesday, May 25, 2016 11:11:24 AM
To: David Jones; SA-Users
Subject: Re: Odd results when using whitelisting

This thread is so fragmented now I am not sure which message to reply to.

I've now installed unbound and configured dnsmasq to hand its DNS queries to unbound on port 1053. It looks like I could stop dnsmasq from doing DNS completely (by setting port to 0), but the ClearOS webconfig interfaces with hosts, which I am not sure if unbound works with, and, in any case, changing hosts through the webconfig triggers a dnsmasq reload rather than an unbound reload, so I can have dnsmasq handling the LAN (hosts) then handing over to unbound for the WAN.

Now I've done this, is there any chance of some help with the main bit of my original query, which is: why do some whitelisted e-mails not get X-Spam headers when others do?

Sorry to all for using HTML e-mails. Some lists don't mind them and I generally prefer them, so I use them by default. This should appear in plain text only.

On 25/05/2016 17:52, David Jones wrote:
>> From: Bill Cole <sausers-20150...@billmail.scconsult.com>
>> Sent: Wednesday, May 25, 2016 10:09 AM
>> To: SA-Users
>> Subject: Re: Odd results when using whitelisting
>>
>> On 24 May 2016, at 15:58, David Jones wrote:
>>> Dnsmasq is a very powerful DNS server
>
> I meant that it has lots of options and can do some pretty slick
> stuff. It can handle a heavy load too. It's used all over the place,
> not just in home routers / blue plastic boxes.
>
>> LOL. Its man page (see
>> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
>> the implied admission that it isn't even a "real" DNS server: which it
>> isn't. It's a bloatware DNS proxy. For many years its default
>> configuration made it an open resolver with no mitigation for DNS
>> amplification attacks, and it is still being distributed that way by some
>> packagers.
>>
>> BIND is a "very powerful" DNS server. It also sucks much less than it
>> used to but has such a rococo feature set that it probably shouldn't be
>> used by anyone who doesn't treat DNS as an artistic medium. Using it for
>> straightforward caching and autonomous recursive resolution is a
>> widespread practice in the same way that using full-size SUVs for
>> suburban commuting is a widespread practice.
>>
>> Unbound is a very good recursive resolution and caching DNS server,
>> which is the functionality one actually needs on a modern mail server
>> (or on the same physical LAN) to keep DNS from being a bottleneck.
>> Because it is not an authoritative server, it lacks much of BIND's
>> "power" along with most of the features that have been involved in the
>> last dozen or so BIND vulnerabilities.
>
> I prefer PowerDNS recursor over BIND and Unbound, which is definitely
> a very powerful DNS recursive server. Dnsmasq could be set up to forward
> to pdns-recursor to solve this problem.
>
>>> so I am sure it can be configured to do full recursive lookups
>
> Ok. I was wrong.
>
>> See the cited man page, which almost clearly says otherwise:
>>
>>     Dnsmasq is a DNS query forwarder: it it [sic] not capable of
>>     recursively answering arbitrary queries starting from the root servers
>>
>> For its design target, Dnsmasq is an acceptable hack: a local DNS cache
>> for small routers serving typical home networks that also does DHCP. It
>> simply isn't fit for a mail server using modern anti-spam measures, not
>> just because it must forward to a real DNS server on the other side of a
>> WAN link and usually at least 2 routing hops, which is probably
>> URIBL_BLOCKED anyway, but also because it is normally run on devices
>> that have very tight memory constraints, limiting its cache.
>
> The OP wants to continue to use dnsmasq because it's integrated
> into his distro tightly, so I recommend he set up a recursive DNS server
> like pdns-recursor, BIND, unbound, etc. on a different port and forward
> dnsmasq to it. I expect his mail flow is very light so this will work fine.
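The split described above (dnsmasq stays in front for LAN names, unbound on port 1053 does the actual recursion and caching, and neither daemon is reachable as an open resolver) as an added example of the two configuration files; this is not either poster's real configuration, and the file paths and the 192.168.1.1 LAN address are assumptions.

```conf
# --- /etc/dnsmasq.conf (added example; path and the 192.168.1.1 LAN address are assumptions)
# dnsmasq keeps answering LAN names from /etc/hosts and its own DHCP leases,
# and forwards every other query to the local unbound instance on port 1053.
# Listen only on loopback and the LAN side, never on the WAN interface.
listen-address=127.0.0.1,192.168.1.1
bind-interfaces
# Answer only clients on directly attached subnets (keeps dnsmasq from being an open resolver).
local-service
# Ignore the upstreams in /etc/resolv.conf and send everything to unbound (host#port syntax).
no-resolv
server=127.0.0.1#1053
# Never forward bare host names or RFC 1918 reverse lookups upstream.
domain-needed
bogus-priv
# The 10,000-entry cap mentioned in the thread.
cache-size=10000
# port=0 would switch off dnsmasq's DNS side entirely and leave only DHCP.

# --- /etc/unbound/unbound.conf (added example; path is an assumption)
server:
    # Reachable only from this host, on the port dnsmasq forwards to.
    interface: 127.0.0.1@1053
    # Only loopback (i.e. dnsmasq) may recurse through this server; refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    # Refresh popular records before they expire and give the cache room;
    # a mail server's DNSBL/URIBL lookups are many and small.
    prefetch: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m
    # No forward-zone: unbound recurses itself, starting from the root hints built into it.
```

After reloading both daemons, `dig @127.0.0.1 -p 1053 example.com` shows whether unbound is resolving, and the same query against the LAN address from a LAN host shows whether dnsmasq is handing off to it; a query from the WAN side should be refused by both.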