A forward zone without a forward address gives SERVFAIL

But I was able to use

forward-zone:
        name: "spamhaus.org"
        forward-addr: 127.0.0.1@1053   # do not resolve spamhaus via public DNS resolvers

Because I have a second non-forwarding unbound running on port 1053 for rspamd 
already (which has more or less the same issue, but which — unlike postfix — 
can be told to use a different name server itself).

The option to be able to set specific name servers becomes more and more useful 
since name servers are more and more used as proof of control of domains or to 
provide information (such as DNSBL) for domains.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

> On 5 Mar 2022, at 05:01, Noel Jones <njo...@megan.vbhcs.org> wrote:
> 
> 
> I think you configure unbound with another forward-zone: name: 
> “zen.spamhaus.org” and then don’t list any forwarding addresses. That should 
> turn off forwarding for that zone.
> 
> A forum for your OS or for unbound will probably give an authoritative answer
> 
> 
>   — Noel Jones
> 
>> On Mar 4, 2022, at 7:32 PM, Gerben Wierda <gerben.wie...@rna.nl> wrote:
>> 
>> I am already running my own unbound resolver.
>> 
>> Can I configure my unbound in such a way that it forwards everything to 
>> 9.9.9.9 (which is my setting so I can use its blocking) except DNS queries 
>> for spamhaus.org?
>> 
>> If not, I need some way to tell postfix to use another resolver than the 
>> default one.
>> 
>> Or I must forego the use of 9.9.9.9 and lose its DNS blocking of ‘evil’ 
>> hosts. 
>> 
>> G
>> 
>>> On 4 Mar 2022, at 19:57, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>> 
>>> 
>>> On 3/4/2022 11:58 AM, Gerben Wierda wrote:
>>> 
>>>> Feb 27 06:02:19 mail postfix/dnsblog[46930]: addr 113.197.35.193 listed by 
>>>> domain zen.spamhaus.org as *127.255.255.254*
>>> 
>>> This query was made on 27 Feb via a public DNS nameserver that is blocked 
>>> by spamhaus.
>>> 
>>> 
>>>> Mar 04 18:44:25 mail postfix/dnsblog[88230]: addr 189.51.96.252 listed by 
>>>> domain zen.spamhaus.org as *127.0.0.4*
>>> 
>>> This query on 04 Mar was made via a different DNS nameserver that was not 
>>> blocked by spamhaus.
>>> 
>>> If you're using a public DNS service, it's possible some of their back-end 
>>> servers are blocked and some aren't, which will give you unpredictable 
>>> results.
>>> 
>>> To fix, ensure you either use a local DNS nameserver installed on your 
>>> computer, such as unbound, or sign up for the free (for low volume) 
>>> Spamhaus Data Query Service.
>>> 
>>> 
>>> 
>>>  -- Noel Jones
>> 
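Noel's diagnosis in the thread above rests on reading the dnsblog return code: an answer of 127.255.255.254 means the query reached Spamhaus through a blocked public resolver, not that the connecting client is listed, yet postfix logs it as "listed by" all the same. The script below is an added example, not code from this thread, from Postfix or from Unbound. It parses postfix/dnsblog lines in the format quoted above (the sample lines here are constructed) and separates genuine listings from resolver error codes, so a forwarder that has silently started going through a blocked public resolver shows up in the log audit before it turns into false rejections. The meaning of 127.255.255.254 comes from the thread; the other two 127.255.255.x codes are taken from Spamhaus's published return-code table and are an assumption here.

```python
import re
from collections import Counter

# Constructed sample log, in the postfix/dnsblog format quoted in the thread.
# The first line is the symptom discussed above: a blocked-resolver answer
# that postfix still reports as "listed by".
SAMPLE_LOG = """\
Feb 27 06:02:19 mail postfix/dnsblog[46930]: addr 113.197.35.193 listed by domain zen.spamhaus.org as 127.255.255.254
Mar 04 18:44:25 mail postfix/dnsblog[88230]: addr 189.51.96.252 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 04 18:50:01 mail postfix/dnsblog[88230]: addr 203.0.113.7 listed by domain zen.spamhaus.org as 127.0.0.2
Mar 04 18:51:12 mail postfix/postscreen[88229]: CONNECT from [198.51.100.9]:40211 to [192.0.2.1]:25
"""

DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<addr>\S+) listed by domain "
    r"(?P<zone>\S+) as (?P<code>\S+)"
)

# Error answers that are not listings. 127.255.255.254 is the code seen in
# the thread; the other two follow Spamhaus's published return-code table
# (assumption: that table has not changed).
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query made via a public/open resolver that is blocked",
    "127.255.255.255": "excessive number of queries",
}


def parse_dnsblog(text):
    """Yield (addr, zone, code) for every dnsblog 'listed by' line."""
    for line in text.splitlines():
        m = DNSBLOG_RE.search(line)
        if m:
            yield m.group("addr"), m.group("zone"), m.group("code")


def classify(code):
    """'error' for resolver/usage errors, 'listed' for real 127.0.0.x hits."""
    if code in ERROR_CODES:
        return "error"
    if code.startswith("127.0.0."):
        return "listed"
    return "unknown"


def audit(text):
    """Return (counts per class, list of error events with their meaning)."""
    counts = Counter()
    errors = []
    for addr, zone, code in parse_dnsblog(text):
        kind = classify(code)
        counts[kind] += 1
        if kind == "error":
            errors.append((addr, zone, code, ERROR_CODES[code]))
    return counts, errors


if __name__ == "__main__":
    counts, errors = audit(SAMPLE_LOG)
    print(dict(counts))
    for addr, zone, code, meaning in errors:
        print(f"resolver problem: {zone} answered {code} for {addr}: {meaning}")
```

Run it against a real mail log (for example by feeding the file contents to `audit`) and any non-zero "error" count points at the resolver path rather than at the clients. The reason this matters for postscreen is that, without a reply filter in `postscreen_dnsbl_sites` (such as `zen.spamhaus.org=127.0.0.[2..11]`), every answer in 127.0.0.0/8 counts as a hit, so a blocked forwarder scores every connecting host as listed.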
