Re: Specific DNS server

2021-04-23 Thread Erwan David

On 22/04/2021 at 21:14, Sonic wrote:

You could run Postfix in a container (LXC) on the host. It would have
its own IP and its own resolv.conf.



Wouldn't the chroot feature built into Postfix be sufficient for this?



Re: Specific DNS server

2021-04-22 Thread Simon Wilson

- Message from Wietse Venema -
  Date: Thu, 22 Apr 2021 10:01:09 -0400 (EDT)
  From: Wietse Venema
  Subject: Re: Specific DNS server
  To: si...@simonandkate.net
  Cc: postfix-users@postfix.org



Simon Wilson:

Is there a way to make Postfix/postscreen use a specific DNS server?


Edit /etc/resolv.conf.

No kidding - Postfix uses the SYSTEM LIBRARY for DNS lookups, and
the SYSTEM LIBRARY uses the resolv.conf file. There are no plans
to re-implement this part of the SYSTEM LIBRARY in Postfix.

Wietse


Thank you.

I have implemented unbound as the local nameserver, running in caching  
mode but with a stub-zone to refer to my network-wide server for local  
name resolution.


Simon.

--
Simon Wilson
M: 0400 12 11 16



Re: Specific DNS server

2021-04-22 Thread Sonic
You could run Postfix in a container (LXC) on the host. It would have
its own IP and its own resolv.conf.


Re: Specific DNS server

2021-04-22 Thread Matus UHLAR - fantomas

>I was once in need of exactly this.
>I solved this by setting up my own nameserver at localhost, that
>delegates
>internal names to resolve by internal nameserver, and external ones to
>resolve by external nameserver. It can be done pretty easily if you can
>distinguish internal from external names by specific domain suffix(es).


this is how it should be solved.


On 22.04.2021 at 17:24:34 Benny Pedersen wrote:

https://websistent.com/configure-bind-dns-split-view/

I don't know how to make RPZ work with split views


On 22.04.21 18:56, Jaroslaw Rafa wrote:

I didn't mean split views.
I meant to create different "type forward" zones in /etc/named.conf with
different set of forwarders for different domain suffixes.

But I don't know what to do if you have everything under the same domain
suffix.


this is funny because we usually recommend people running mailservers and/or
spamfilters NOT to use forwarding DNS.

perhaps you should use non-forwarding server/view for postfix/spamfilter
resolution and forwarding server/view for other resolution.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.


Re: Specific DNS server

2021-04-22 Thread Jaroslaw Rafa
On 22.04.2021 at 17:24:34 Benny Pedersen wrote:
> >I was once in need of exactly this.
> >I solved this by setting up my own nameserver at localhost, that
> >delegates
> >internal names to resolve by internal nameserver, and external ones to
> >resolve by external nameserver. It can be done pretty easily if you can
> >distinguish internal from external names by specific domain suffix(es).
> 
> indeed :=)
> 
> https://websistent.com/configure-bind-dns-split-view/
> 
> I don't know how to make RPZ work with split views

I didn't mean split views.
I meant to create different "type forward" zones in /etc/named.conf with
different set of forwarders for different domain suffixes.

But I don't know what to do if you have everything under the same domain
suffix.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Specific DNS server

2021-04-22 Thread Jaroslaw Rafa
On 22.04.2021 at 09:33:04 @lbutlr wrote:
> 
> What? /etc/hosts is processed before DNS, that is how adding adservers to
> /etc/hosts blocks those adservers from being accessed.

At least in Linux, it actually depends on the contents of file
/etc/nsswitch.conf . If there's an entry like "hosts: files dns" in that
file, then /etc/hosts is processed before DNS. If there is "hosts: dns files"
then it's the other way - /etc/hosts file is consulted only when DNS is not
available. It can even be "hosts: dns" in which case /etc/hosts file is not
used at all, or "hosts: files" when only /etc/hosts is used and DNS is not
used at all.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
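The disagreement above (is /etc/hosts consulted before DNS or only as a fallback?) is decided by the order of sources on the `hosts:` line, as Jaroslaw says. The following is an added example, not code from the thread: a small parser for that line that reports the order and whether /etc/hosts wins over DNS. The nsswitch.conf snippets are constructed; the `[STATUS=action]` bracket syntax it skips is glibc's.

```python
import re

# Constructed nsswitch.conf snippets covering the orderings discussed above,
# plus glibc's optional "[STATUS=action]" specifiers between sources.
SAMPLES = {
    "files first": "passwd: files\nhosts:  files dns\n",
    "dns first":   "hosts: dns files\n",
    "dns only":    "hosts: dns\n",
    "files only":  "# local names only\nhosts: files\n",
    "with action": "hosts: files [NOTFOUND=return] dns\n",
    "no hosts":    "passwd: files\ngroup: files\n",
}

ACTION_SPEC_RE = re.compile(r"\[[^\]]*\]")


def hosts_sources(nsswitch_text):
    """Return the ordered lookup sources of the 'hosts:' database.

    "[STATUS=action]" specifiers are dropped: they change when the chain
    stops, not which source is tried first.  Returns None when there is
    no hosts line (glibc then falls back to its compiled-in default).
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "hosts":
            return ACTION_SPEC_RE.sub(" ", rest).split()
    return None


def hosts_file_consulted_before_dns(nsswitch_text):
    """True if /etc/hosts is tried before DNS, False if DNS is tried first
    or /etc/hosts is never used, None if there is no hosts line at all."""
    order = hosts_sources(nsswitch_text)
    if order is None:
        return None
    if "files" not in order:
        return False
    if "dns" not in order:
        return True
    return order.index("files") < order.index("dns")


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12s} sources={hosts_sources(text)} "
              f"files_before_dns={hosts_file_consulted_before_dns(text)}")
```

One caveat worth keeping in mind when reading this thread: the nsswitch order only governs getaddrinfo()/gethostbyname()-style lookups. Lookups made through libresolv's res_query()/res_search() go straight to the nameservers in resolv.conf and never see /etc/hosts, which is why a static hosts entry does not necessarily influence every lookup a mail server performs.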


Re: Specific DNS server

2021-04-22 Thread Claus Assmann
On some OS the following code works - I use that for regression
testing when I need fake DNS data:

    #include <sys/types.h>
    #include <netinet/in.h>     /* struct in_addr, struct sockaddr_in */
    #include <arpa/inet.h>      /* htons() */
    #include <arpa/nameser.h>
    #include <resolv.h>         /* _res, res_init(), RES_INIT */

    /* Point the libc resolver at a single nameserver ns:port for this
     * process; port 0 keeps whatever port res_init() configured. */
    void
    dns_setns(struct in_addr *ns, unsigned int port)
    {
        if ((_res.options & RES_INIT) == 0)
            (void) res_init();          /* read resolv.conf first */
        _res.nsaddr_list[0].sin_family = AF_INET;
        _res.nsaddr_list[0].sin_addr = *ns;
        if (port != 0)
            _res.nsaddr_list[0].sin_port = htons(port);
        _res.nscount = 1;               /* ignore the other nameservers */
    }


Re: Specific DNS server

2021-04-22 Thread Marco Pizzoli
On Thu, Apr 22, 2021 at 5:21 PM Benny Pedersen  wrote:

> On 2021-04-22 16:44, Marco Pizzoli wrote:
>
> > I am afraid you did not get my point.
>
> I don't know your solution then
>
> rpz and qname can be problematic
>
> https://labs.ripe.net/author/wouter_de_vries/making-the-dns-more-private-with-qname-minimisation/
>
> > I needed to have Postfix to solve Internet DNS names, for obvious
> > reasons.
>
> bind9 can have split dns views
>
> > At the same time, I needed to be able to solve Intranet DNS names:
> > monitoring server, backup server, etc...
>
> dns split views is your friend there
>
> > Due also to some other constraints, I ended up relying on static
> > entries in /etc/hosts.
>
> this file is only for when the real dns server is down, not used when the dns
> server is up
>
> > It was at that time my best bad option.
>
> if you like more help please post more info on the real problem
>

I appreciate your effort to help, really, but we would probably go
off-topic here.

I just can add that the environment in which I was working had the original
sin to use the same "internet" dns domain for both internet and intranet
names.
So a simple forwarder dns was not sufficient. We would end up creating N
forward-zones, one for every server.

The /etc/hosts solution was the short-term solution for just the Postfix
setup.
Months later we mitigated the corporate issue by making use of static
rpz-zones, via BIND.

I am aware of DNS views, but my understanding of them is to create a
separate view of the DNS world based on the client submitting the
request... So how would I discriminate a request coming from Postfix in
comparison to another coming from my backup agent?
Both of them are exiting from the same network-interface of the same
server, via the same IP address. Isn't it?


Re: Specific DNS server

2021-04-22 Thread Viktor Dukhovni
On Thu, Apr 22, 2021 at 04:53:21PM +0200, Jaroslaw Rafa wrote:

> > I needed to have Postfix to solve Internet DNS names, for obvious reasons.
> > At the same time, I needed to be able to solve Intranet DNS names:
> > monitoring server, backup server, etc...
> 
> I was once in need of exactly this.
> I solved this by setting up my own nameserver at localhost, that delegates
> internal names to resolve by internal nameserver, and external ones to
> resolve by external nameserver. It can be done pretty easily if you can
> distinguish internal from external names by specific domain suffix(es).

Yes, with unbound this takes the form of a "stub zone":

stub-zone:
name: "example.com"
stub-addr: 192.0.2.1
stub-addr: 192.0.2.2
stub-addr: 192.0.2.3

queries for "example.com" then go to the indicated nameservers, rather
than the ones listed in the parent domain.

-- 
Viktor.
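What Jaroslaw and Viktor describe is a routing decision the local resolver makes per query: the longest zone suffix that matches the query name wins, otherwise the query goes upstream. The following is an added example, not code from the thread or from unbound: a Python model of that selection, which also covers Marco's case further down, where intranet and internet names share one domain and only per-host zones can steer the intranet names to the internal servers. The addresses and zone names are constructed; the `unbound_stub_zones` renderer emits the `stub-zone:` syntax Viktor shows.

```python
def _normalize(name):
    """Lower-case and drop any trailing dot so names compare label by label."""
    return name.strip().rstrip(".").lower()


class SuffixRouter:
    """Choose nameservers for a query by longest matching zone suffix,
    the way a local unbound/BIND picks between its configured stub or
    forward zones and the default upstream."""

    def __init__(self, default_servers):
        self.default = list(default_servers)
        self.zones = {}            # zone apex -> list of nameserver addresses

    def add_zone(self, apex, servers):
        self.zones[_normalize(apex)] = list(servers)

    def route(self, qname):
        """Return (matched zone apex or None, nameservers to ask)."""
        labels = _normalize(qname).split(".")
        # Try the full name, then strip one leading label at a time, so a
        # zone only matches on a label boundary ("notcorp.example" must not
        # match the zone "corp.example").
        for i in range(len(labels)):
            apex = ".".join(labels[i:])
            if apex in self.zones:
                return apex, self.zones[apex]
        return None, self.default

    def unbound_stub_zones(self):
        """Render the table as unbound.conf stub-zone blocks.  Use a
        forward-zone instead when the target is itself a recursive
        resolver rather than an authoritative server for the zone."""
        out = []
        for apex, servers in sorted(self.zones.items()):
            out.append("stub-zone:")
            out.append(f'    name: "{apex}"')
            out.extend(f"    stub-addr: {addr}" for addr in servers)
        return "\n".join(out) + "\n"


# Constructed addresses from the RFC 5737 documentation ranges.
INTERNAL = ["192.0.2.1", "192.0.2.2"]
UPSTREAM = ["198.51.100.53"]


def split_by_suffix():
    """Jaroslaw's case: internal names live under their own suffix."""
    router = SuffixRouter(UPSTREAM)
    router.add_zone("corp.example", INTERNAL)
    return router


def split_per_host():
    """Marco's case: intranet and internet names share example.com, so
    each intranet host needs its own zone (N zones, one per server)."""
    router = SuffixRouter(UPSTREAM)
    for host in ("backup.example.com", "monitoring.example.com"):
        router.add_zone(host, INTERNAL)
    return router


if __name__ == "__main__":
    for name in ("backup.corp.example", "www.example.com", "notcorp.example"):
        print(name, "->", split_by_suffix().route(name))
    for name in ("backup.example.com", "www.example.com"):
        print(name, "->", split_per_host().route(name))
    print(split_per_host().unbound_stub_zones())
```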


Re: Specific DNS server

2021-04-22 Thread @lbutlr
On 22 Apr 2021, at 09:20, Benny Pedersen  wrote:
> On 2021-04-22 16:44, Marco Pizzoli wrote:
>> Due also to some other constraints, I ended up relying on static
>> entries in /etc/hosts.
> 
> this file is only for when real dns server is down, not used when dns server 
> is up

What? /etc/hosts is processed before DNS, that is how adding adservers to 
/etc/hosts blocks those adservers from being accessed. I don't do this anymore, 
but I used to have a hosts file with thousands of entries (I run a pihole now 
instead)


-- 
I don't need no stinking taglines.



Re: Specific DNS server

2021-04-22 Thread Benny Pedersen

On 2021-04-22 16:53, Jaroslaw Rafa wrote:

On 22.04.2021 at 16:44:13 Marco Pizzoli wrote:


I needed to have Postfix to solve Internet DNS names, for obvious 
reasons.

At the same time, I needed to be able to solve Intranet DNS names:
monitoring server, backup server, etc...


I was once in need of exactly this.
I solved this by setting up my own nameserver at localhost, that delegates
internal names to resolve by internal nameserver, and external ones to
resolve by external nameserver. It can be done pretty easily if you can
distinguish internal from external names by specific domain suffix(es).


indeed :=)

https://websistent.com/configure-bind-dns-split-view/

I don't know how to make RPZ work with split views


Re: Specific DNS server

2021-04-22 Thread Benny Pedersen

On 2021-04-22 16:44, Marco Pizzoli wrote:


I am afraid you did not get my point.


I don't know your solution then

rpz and qname can be problematic 
https://labs.ripe.net/author/wouter_de_vries/making-the-dns-more-private-with-qname-minimisation/



I needed to have Postfix to solve Internet DNS names, for obvious
reasons.


bind9 can have split dns views


At the same time, I needed to be able to solve Intranet DNS names:
monitoring server, backup server, etc...


dns split views is your friend there


Due also to some other constraints, I ended up relying on static
entries in /etc/hosts.


this file is only for when the real dns server is down, not used when the dns 
server is up



It was at that time my best bad option.


if you like more help please post more info on the real problem


Re: Specific DNS server

2021-04-22 Thread Jaroslaw Rafa
On 22.04.2021 at 16:44:13 Marco Pizzoli wrote:
> 
> I needed to have Postfix to solve Internet DNS names, for obvious reasons.
> At the same time, I needed to be able to solve Intranet DNS names:
> monitoring server, backup server, etc...

I was once in need of exactly this.
I solved this by setting up my own nameserver at localhost, that delegates
internal names to resolve by internal nameserver, and external ones to
resolve by external nameserver. It can be done pretty easily if you can
distinguish internal from external names by specific domain suffix(es).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Specific DNS server

2021-04-22 Thread Tobi
Would it be an option to configure a policy for your DNS server to
**not** send queries from postfix host(s) through the ad filter?

Cheers

tobi

On 4/22/21 12:20 PM, Simon Wilson wrote:
> Is there a way to make Postfix/postscreen use a specific DNS server?
>
> Reason for the question:
> My network has an internal (non-ISP forwarding) DNS server for both
> internal and external resolution, and that is default nameserver
> across the network including for the mail server. That DNS server
> includes a broad set of applied RPZ restrictions (which remove the
> vast majority of ads and trackers - a very popular addition). The RPZ
> zone has though on very rare occasions resulted in Postfix getting
> SERVFAIL and rejecting domains (reject_unknown_sender_domain), which
> could be classed as false positives - not for critical emails, but
> occasionally for retail mail-outs etc.
>
> I provide a fully "clean and complete" DNS for spamassassin DNSBL
> lookups by running a recursive caching nameserver on-localhost (SA has
> a defined option to specify a DNS server). As noted above the mail
> server as a whole does not use this - it uses the network-wide local
> nameserver, ensuring that it can resolve local As, CNAMEs etc. as needed.
>
> Note: I realise one option is that I could probably add local domain
> resolution to the localhost nameserver and use it as the default for
> the mail server... but my first question is whether postfix has or
> could have ability to have a specific nameserver (as Spamassassin
> does), or if this would be a Bad Idea (TM) for reasons unknown to me.
>
> Simon.
>


Re: Specific DNS server

2021-04-22 Thread Marco Pizzoli
On Thu, Apr 22, 2021 at 4:37 PM Benny Pedersen  wrote:

> On 2021-04-22 12:58, Marco Pizzoli wrote:
> > Hello,
> > +1 for this Request for Improvement.
> > I also faced this need.
> >
> > Changing the machine solver was, unfortunately, not an option.
>
> we all love 127.0.0.1
>
> solution is to not have spamassassin running on same host as postfix, or
> tell spamassassin to use external trusted nameserver where rpz zones can
> live safely
>
> if rpz affects postfix its not a postfix issue to fix
>
> hopefully people messing with dns do know how dns works
>

I am afraid you did not get my point.

I needed to have Postfix to solve Internet DNS names, for obvious reasons.
At the same time, I needed to be able to solve Intranet DNS names:
monitoring server, backup server, etc...

Due also to some other constraints, I ended up relying on static entries in
/etc/hosts.
It was at that time my best bad option.


Re: Specific DNS server

2021-04-22 Thread Benny Pedersen

On 2021-04-22 12:58, Marco Pizzoli wrote:

Hello,
+1 for this Request for Improvement.
I also faced this need.

Changing the machine solver was, unfortunately, not an option.


we all love 127.0.0.1

solution is to not have spamassassin running on same host as postfix, or 
tell spamassassin to use external trusted nameserver where rpz zones can 
live safely


if rpz affects postfix its not a postfix issue to fix

hopefully people messing with dns do know how dns works


Re: Specific DNS server

2021-04-22 Thread Wietse Venema
Sven Schwedas:
> On 22.04.21 16:08, Lars Liedtke wrote:
> > I know this does not apply to all kinds of setup, but with
> > virtualization and containerization it should be easy to separate
> > Postfix and provide a different nameserver in resolv.conf for it.
> 
> Yes, but postfix' builtin chroot isn't sufficient for this. It'll have 
> to be some form of external jailing mechanism.
> 
> (We're using systemd-nspawn, so if *that* works, anything proper 
> definitely will.)

Running Postfix in a container would also allow for a dedicated
resolv.conf setup.

Wietse


Re: Specific DNS server

2021-04-22 Thread Lars Liedtke
That is, what I meant with virtualization and containerization.

It has to be on a separate system, and that is not applicable for all
setups.

On 22.04.21 at 16:28 Sven Schwedas wrote:
> On 22.04.21 16:08, Lars Liedtke wrote:
>> I know this does not apply to all kinds of setup, but with
>> virtualization and containerization it should be easy to separate
>> Postfix and provide a different nameserver in resolv.conf for it.
>
> Yes, but postfix' builtin chroot isn't sufficient for this. It'll have
> to be some form of external jailing mechanism.
>
> (We're using systemd-nspawn, so if *that* works, anything proper
> definitely will.)
>
>> On 22.04.21 at 16:03 Wietse Venema wrote:
>>> Markus Schönhaber:
>>>> 22.04.21, 12:20 +0200, Simon Wilson:
>>>>
>>>>> Is there a way to make Postfix/postscreen use a specific DNS server?
>>>> One way I could think of is to use postfix' chroot features and
>>>> configure this specific DNS server in the chroot's resolv.conf.
>>> That may or may not work. There is no supported way to prevent the
>>> SYSTEM LIBRARY from picking up the resolv.conf file before changing
>>> the root directory.
>>>
>
-- 
---
punkt.de GmbH
Lars Liedtke
.infrastructure

Kaiserallee 13a 
76133 Karlsruhe

Tel. +49 721 9109 500
https://infrastructure.punkt.de
i...@punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein



Re: Specific DNS server

2021-04-22 Thread Sven Schwedas

On 22.04.21 16:08, Lars Liedtke wrote:

I know this does not apply to all kinds of setup, but with
virtualization and containerization it should be easy to separate
Postfix and provide a different nameserver in resolv.conf for it.


Yes, but postfix' builtin chroot isn't sufficient for this. It'll have 
to be some form of external jailing mechanism.


(We're using systemd-nspawn, so if *that* works, anything proper 
definitely will.)



On 22.04.21 at 16:03 Wietse Venema wrote:

Markus Schönhaber:

22.04.21, 12:20 +0200, Simon Wilson:


Is there a way to make Postfix/postscreen use a specific DNS server?

One way I could think of is to use postfix' chroot features and
configure this specific DNS server in the chroot's resolv.conf.

That may or may not work. There is no supported way to prevent the
SYSTEM LIBRARY from picking up the resolv.conf file before changing
the root directory.







Re: Specific DNS server

2021-04-22 Thread Gerald Galster
>> Is there a way to make Postfix/postscreen use a specific DNS server?
> 
> Edit /etc/resolv.conf.
> 
> No kidding - Postfix uses the SYSTEM LIBRARY for DNS lookups, and
> the SYSTEM LIBRARY uses the resolv.conf file. There are no plans
> to re-implement this part of the SYSTEM LIBRARY in Postfix.

If you really have to, use a wrapper:

https://cwrap.org/resolv_wrapper.html
https://manpages.debian.org/stretch/libresolv-wrapper/resolv_wrapper.1

Best regards,
Gerald


Re: Specific DNS server

2021-04-22 Thread Lars Liedtke
I know this does not apply to all kinds of setup, but with
virtualization and containerization it should be easy to separate
Postfix and provide a different nameserver in resolv.conf for it.

Cheers

Lars

On 22.04.21 at 16:03 Wietse Venema wrote:
> Markus Schönhaber:
>> 22.04.21, 12:20 +0200, Simon Wilson:
>>
>>> Is there a way to make Postfix/postscreen use a specific DNS server?
>> One way I could think of is to use postfix' chroot features and
>> configure this specific DNS server in the chroot's resolv.conf.
> That may or may not work. There is no supported way to prevent the
> SYSTEM LIBRARY from picking up the resolv.conf file before changing
> the root directory.
>
>   Wietse

-- 
---
punkt.de GmbH
Lars Liedtke
.infrastructure

Kaiserallee 13a 
76133 Karlsruhe

Tel. +49 721 9109 500
https://infrastructure.punkt.de
i...@punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein



Re: Specific DNS server

2021-04-22 Thread Wietse Venema
Markus Schönhaber:
> 22.04.21, 12:20 +0200, Simon Wilson:
> 
> > Is there a way to make Postfix/postscreen use a specific DNS server?
> 
> One way I could think of is to use postfix' chroot features and
> configure this specific DNS server in the chroot's resolv.conf.

That may or may not work. There is no supported way to prevent the
SYSTEM LIBRARY from picking up the resolv.conf file before changing
the root directory.

Wietse


Re: Specific DNS server

2021-04-22 Thread Wietse Venema
Simon Wilson:
> Is there a way to make Postfix/postscreen use a specific DNS server?

Edit /etc/resolv.conf.

No kidding - Postfix uses the SYSTEM LIBRARY for DNS lookups, and
the SYSTEM LIBRARY uses the resolv.conf file. There are no plans
to re-implement this part of the SYSTEM LIBRARY in Postfix.

Wietse


Re: Specific DNS server

2021-04-22 Thread Markus Schönhaber
22.04.21, 12:20 +0200, Simon Wilson:

> Is there a way to make Postfix/postscreen use a specific DNS server?

One way I could think of is to use postfix' chroot features and
configure this specific DNS server in the chroot's resolv.conf.

-- 
Regards
  mks



Re: Specific DNS server

2021-04-22 Thread Marco Pizzoli
Hello,
+1 for this Request for Improvement.
I also faced this need.

Changing the machine solver was, unfortunately, not an option.

Thanks
Marco

On Thu, Apr 22, 2021 at 12:21 PM Simon Wilson 
wrote:

> Is there a way to make Postfix/postscreen use a specific DNS server?
>
> Reason for the question:
> My network has an internal (non-ISP forwarding) DNS server for both
> internal and external resolution, and that is default nameserver
> across the network including for the mail server. That DNS server
> includes a broad set of applied RPZ restrictions (which remove the
> vast majority of ads and trackers - a very popular addition). The RPZ
> zone has though on very rare occasions resulted in Postfix getting
> SERVFAIL and rejecting domains (reject_unknown_sender_domain), which
> could be classed as false positives - not for critical emails, but
> occasionally for retail mail-outs etc.
>
> I provide a fully "clean and complete" DNS for spamassassin DNSBL
> lookups by running a recursive caching nameserver on-localhost (SA has
> a defined option to specify a DNS server). As noted above the mail
> server as a whole does not use this - it uses the network-wide local
> nameserver, ensuring that it can resolve local As, CNAMEs etc. as needed.
>
> Note: I realise one option is that I could probably add local domain
> resolution to the localhost nameserver and use it as the default for
> the mail server... but my first question is whether postfix has or
> could have ability to have a specific nameserver (as Spamassassin
> does), or if this would be a Bad Idea (TM) for reasons unknown to me.
>
> Simon.
>
> --
> Simon Wilson
> M: 0400 12 11 16
>
>


Specific DNS server

2021-04-22 Thread Simon Wilson

Is there a way to make Postfix/postscreen use a specific DNS server?

Reason for the question:
My network has an internal (non-ISP forwarding) DNS server for both  
internal and external resolution, and that is default nameserver  
across the network including for the mail server. That DNS server  
includes a broad set of applied RPZ restrictions (which remove the  
vast majority of ads and trackers - a very popular addition). The RPZ  
zone has though on very rare occasions resulted in Postfix getting  
SERVFAIL and rejecting domains (reject_unknown_sender_domain), which  
could be classed as false positives - not for critical emails, but  
occasionally for retail mail-outs etc.


I provide a fully "clean and complete" DNS for spamassassin DNSBL  
lookups by running a recursive caching nameserver on-localhost (SA has  
a defined option to specify a DNS server). As noted above the mail  
server as a whole does not use this - it uses the network-wide local  
nameserver, ensuring that it can resolve local As, CNAMEs etc. as needed.


Note: I realise one option is that I could probably add local domain  
resolution to the localhost nameserver and use it as the default for  
the mail server... but my first question is whether postfix has or  
could have ability to have a specific nameserver (as Spamassassin  
does), or if this would be a Bad Idea (TM) for reasons unknown to me.


Simon.

--
Simon Wilson
M: 0400 12 11 16
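The false positives Simon describes show up in the mail log as reject_unknown_sender_domain rejections whose sender domain would have resolved on a resolver without the RPZ policy. The following is an added example, not code from the thread or from Postfix: it scans smtpd log lines for those rejections, counts them per sender domain, and sorts the domains by whether a clean (non-RPZ) resolver does resolve them. The log lines and the clean-resolver answer table are constructed; the regex assumes Postfix's "Sender address rejected: Domain not found" wording.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines.  Hosts, addresses and
# domains are made up; the reject text mimics what Postfix logs when
# reject_unknown_sender_domain fires.
SAMPLE_LOG = """\
Apr 22 12:20:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.8 <news@shop.example>: Sender address rejected: Domain not found; from=<news@shop.example> to=<me@example.org> proto=ESMTP helo=<mail.example.net>
Apr 22 12:21:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <x@bogus.invalid>: Sender address rejected: Domain not found; from=<x@bogus.invalid> to=<me@example.org> proto=SMTP helo=<z>
Apr 22 12:22:15 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.8 <news@shop.example>: Sender address rejected: Domain not found; from=<news@shop.example> to=<you@example.org> proto=ESMTP helo=<mail.example.net>
Apr 22 12:23:40 mx postfix/smtpd[1234]: 2A3B4C5D6E: client=mail.example.com[203.0.113.5]
"""

UNKNOWN_SENDER_RE = re.compile(
    r"Sender address rejected: Domain not found; from=<[^@>]*@([^>]+)>")


def rejected_sender_domains(log_text):
    """Count, per sender domain, the rejections caused by
    reject_unknown_sender_domain."""
    counts = Counter()
    for line in log_text.splitlines():
        match = UNKNOWN_SENDER_RE.search(line)
        if match:
            counts[match.group(1).lower()] += 1
    return counts


def triage(counts, resolves_on_clean_resolver):
    """Split rejected domains into suspected RPZ false positives (the
    domain resolves on a resolver without the RPZ policy) and genuinely
    unknown domains.  The lookup is a caller-supplied callable so it can
    be backed by a real query against the clean nameserver."""
    suspect, genuine = [], []
    for domain, n in counts.most_common():
        bucket = suspect if resolves_on_clean_resolver(domain) else genuine
        bucket.append((domain, n))
    return suspect, genuine


# Constructed stand-in for the clean resolver (e.g. the localhost caching
# nameserver Simon already runs for SpamAssassin).  In production replace it
# with a real MX/A query against that server, for instance via dnspython.
CLEAN_RESOLVER_ANSWERS = {"shop.example": True, "bogus.invalid": False}


def report(log_text=SAMPLE_LOG, lookup=CLEAN_RESOLVER_ANSWERS.get):
    suspect, genuine = triage(rejected_sender_domains(log_text), lookup)
    return {"suspected_rpz_false_positive": suspect,
            "genuinely_unknown": genuine}


if __name__ == "__main__":
    for bucket, entries in report().items():
        print(bucket)
        for domain, n in entries:
            print(f"  {domain}: {n} rejection(s)")
```

Because Postfix answers these rejections with a 4xx code, a sending server will normally retry, so a domain that keeps appearing in the suspect bucket is the one worth whitelisting in the RPZ policy or moving to a clean resolver, rather than a single transient hit.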