Thread: dnsmasq and uribls

  1. #1
    dnsmasq and uribls

    I've started to use the dnsmasq split DNS setup on new Zimbra servers now because of how much simpler it is than the bind based setup and how much less likely I have been to have missed a step or end up having trouble with it.

    However, it appears that something I've done has changed the way that DNSBL lookups are working, such that on the servers that I'm using the bind setup, I'm getting URIBL_BLACK, RED, and GREY rules triggering properly, but on the servers I'm using dnsmasq with, I'm instead getting URIBL_BLOCK, which is a SpamAssassin "rule" that simply indicates that my lookups are being blocked by the URIBL guys. Both of the servers in question are ZCS 8.0.4 on RHEL 6.4. One is NE, the other is OSS. This has had a substantially negative effect on my ability to block spam. I've followed the Split DNS article for dnsmasq, I'm not having any mail transport issues, and I've successfully checked everything in the "verify" section of the Split DNS article.

    One difference I've noticed between the bind setups and the dnsmasq setups is that the dnsmasq setup actually wants me to put in an upstream DNS server. The bind setup doesn't. My ISP and/or Google's DNS probably are blocked from doing URIBL lookups because of how heavily they're used by so many people. Any way I can configure dnsmasq to keep Zimbra happy and the DNSBLs happy at the same time?

  2. #2

    More information, from Man page of DNSMASQ

    "Dnsmasq is a DNS query forwarder: it is not capable of recursively answering arbitrary queries starting from the root servers but forwards such queries to a fully recursive upstream DNS server which is typically provided by an ISP."

    If this is the case, and nobody has a good workaround, we should quit recommending in the wiki that people use dnsmasq unless they have their own recursive DNS server on site or they don't care about DNSBL lookups.

  3. #3
    phoenix, Zimbra Consultant & Moderator

    Originally posted by bjquinn:
    "If this is the case, and nobody has a good workaround, we should quit recommending in the wiki that people use dnsmasq unless they have their own recursive DNS server on site or they don't care about DNSBL lookups."

    Anyone installing DNSMASQ should be aware of that feature, it is described as a "....caching DNS server." not a recursor. If you think there should be a warning about it then feel free to edit the Split DNS wiki.
    Regards


    Bill



  4. #4

    Happy to add that. Am I correct, then, that if you use dnsmasq you should have your own recursive DNS server (preferably one not used by thousands or millions of other people, which has therefore blown various DNSBL limits for that server), and there's no other workaround?

  5. #5
    phoenix, Zimbra Consultant & Moderator

    Originally posted by bjquinn:
    "Happy to add that. Am I correct, then, that if you use dnsmasq you should have your own recursive DNS server (preferably one not used by thousands or millions of other people, which has therefore blown various DNSBL limits for that server), and there's no other workaround?"

    I'm not really sure that it doesn't do what's needed - I've never used DNSMASQ and I prefer a real DNS Server & Recursor installed (PowerDNS is my preferred solution for performance and security). I'd always assumed it forwarded the requests to either the Root DNS servers or ones specified in the resolv.conf - as I say, not being a user I can't comment on its exact behaviour.
    Regards


    Bill



  6. #6

    Ok. Thanks for the response. Looks pretty cut and dried. Barring a workaround suggested by someone else here, I'll go ahead and add a warning on the Split DNS wiki article.

  7. #7

    Also, when looking at the Split DNS article, I'm not sure the BIND setup as suggested will work with the DNSBLs that have rate limits either, since it includes...

    forwarders { <address of current DNS server> ; };

    ...in named.conf. Someone can correct me, but I believe that would create the same problem as described above with dnsmasq. If I'm right, then there's no configuration suggested in the Split DNS article that wouldn't result in broken DNSBL lookups. I'm happy to update the article, but I wanted to see if someone disagreed with me first.
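
Added example, not part of any post in this thread: a small audit that reads a dnsmasq config and a named.conf and reports where DNSBL lookups would be forwarded, which is the condition the thread ties to URIBL_BLOCK. The sample config, the addresses, the `dnsbl.example` zone and the local recursor on 127.0.0.1#5353 are constructed assumptions; only `server=` lines are parsed, so upstreams taken from resolv.conf are not seen.

```python
import re

# Constructed sample, not from the thread. 192.0.2.53 stands in for a shared
# ISP/public resolver; 127.0.0.1#5353 is a hypothetical local recursor.
SAMPLE_DNSMASQ = """\
# upstream used for everything else
server=192.0.2.53
server=/multi.uribl.com/127.0.0.1#5353
"""

def dnsmasq_upstreams(conf_text, zone):
    """Servers dnsmasq forwards `zone` to; the longest matching domain wins.
    Simplified: only `server=IP` and `server=/domain/.../IP` are parsed."""
    default, scoped = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):   # also skips '#' comment lines
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            *domains, target = value[1:].split("/")
            for d in domains:
                scoped.setdefault(d.lower(), []).append(target)
        else:
            default.append(value)
    zone = zone.lower().rstrip(".")
    hits = [d for d in scoped if zone == d or zone.endswith("." + d)]
    return scoped[max(hits, key=len)] if hits else default

def bind_forwarders(named_conf_text):
    """Addresses listed in any `forwarders { ... };` statement."""
    found = []
    for body in re.findall(r"forwarders\s*\{([^}]*)\}", named_conf_text):
        found += [a.strip() for a in body.split(";") if a.strip()]
    return found

def shared_upstreams(conf_text, zones, own_recursors):
    """Per DNSBL zone, the upstreams that are not one of our own recursors.
    Non-empty means the DNSBL sees the upstream's address and query volume."""
    report = {}
    for zone in zones:
        ups = dnsmasq_upstreams(conf_text, zone)
        report[zone] = [u for u in ups if u.split("#")[0] not in own_recursors]
    return report

if __name__ == "__main__":
    zones = ["multi.uribl.com", "dnsbl.example"]
    print(shared_upstreams(SAMPLE_DNSMASQ, zones, {"127.0.0.1"}))
    print(bind_forwarders("options { forwarders { 192.0.2.53; }; };"))
```

A zone with an empty list is resolved through a recursor you control; a non-empty list, or any address returned by `bind_forwarders`, means the lookups leave via someone else's resolver.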
