On Mar 15, 2009, at 11:27 AM, Damon Miller wrote:
We changed the server to use OpenDNS servers and all's well.
Thanks again for the help.
Be careful with OpenDNS: They return false positives, e.g.:
www.abcdefghijklmnop12345.com.
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: www.abcdefghijklmnop12345.com
Address: 208.67.217.132
This is intended to direct queries for non-existent URLs to OpenDNS's
servers. I can't guarantee this will interfere with DNS blacklist
operation, but it may. The blacklist relies on NXDOMAIN responses to
indicate that a server is "safe". As a result, you may end up
blacklisting every server on the Internet since OpenDNS will never
indicate a lookup failure. Perhaps someone else can confirm this.
Noel already addressed this false concern:
http://marc.info/?l=postfix-users&m=123612736717968&w=2
OpenDNS will not blindly redirect DNS queries that look like DNSBL
requests. Notice the difference:
% dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
208.69.32.132
% dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
%
--
Sahil Tandon <sa...@tandon.net>
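
An added example, not part of the original thread: shell functions that check whether a resolver's answer to a DNSBL-style lookup is usable, based on the convention (RFC 5782) that IPv4 DNSBLs answer only with addresses in 127.0.0.0/8 and signal "not listed" with NXDOMAIN. The function names and the zone `dnsbl.example` are assumptions for illustration; substitute the zone your mail server actually queries.

```shell
#!/bin/sh
# Added example: detect a resolver that rewrites NXDOMAIN for DNSBL lookups.
# Function names and the zone "dnsbl.example" are hypothetical placeholders.

# dnsbl_name IP ZONE
# Build the DNSBL query name: octets reversed, zone appended.
# 10.20.30.40 + dnsbl.example -> 40.30.20.10.dnsbl.example
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone; ok = 1 }
        END     { exit (ok ? 0 : 1) }'
}

# classify_answer "OUTPUT_OF_DIG_SHORT"
#   empty output           -> not-listed (NXDOMAIN passed through intact)
#   only 127.x.x.x records -> listed     (a genuine DNSBL return code)
#   anything else          -> rewritten  (resolver substituted its own answer)
classify_answer() {
    if [ -z "$1" ]; then
        echo not-listed
        return 0
    fi
    for addr in $1; do
        case "$addr" in
            127.*) ;;                       # valid DNSBL return code
            *) echo rewritten; return 0 ;;  # e.g. a search/landing page IP
        esac
    done
    echo listed
}

# check_resolver RESOLVER ZONE   (needs network access and dig)
# Returns 0 if the resolver is safe for this zone, 1 if it rewrites
# answers, 2 if the lookup itself failed (timeout, bad arguments).
check_resolver() {
    name=$(dnsbl_name 10.20.30.40 "$2") || return 2
    answer=$(dig @"$1" "$name" A +short) || return 2
    result=$(classify_answer "$answer")
    echo "$1 $name $result"
    [ "$result" != rewritten ]
}

# Usage: check_resolver resolver1.opendns.com dnsbl.example
```

A `rewritten` result means the mail server would treat every client as listed, which is the failure mode raised earlier in the thread; `listed` and `not-listed` are both normal outcomes.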