Re: potential new SA feature: Direct DNS Querying Per DNSBL Zone

2017-11-16 Thread RW
On Wed, 15 Nov 2017 12:03:58 -0500
Rob McEwen wrote:


> Why is this "Direct DNS Querying Per DNSBL Zone" feature
> needed/important?

In most of these cases you'd be better-off simply setting "dns_server"
in the SA configuration. This eliminates the effect of changes to
resolv.conf, and the setting takes a port value, so it needn't even
point to localhost:53.

The change does provide a benefit where an admin can't even start a
daemon on a non-standard port, but I think its general usefulness has
been greatly inflated.

What is interesting about this is if it were implemented in full, with
DNS caching, it wouldn't be much more difficult to have SA do an NS
look-up to find authoritative servers for each list. That would allow
network tests to work correctly by default.
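As an added sketch (not code from the Bugzilla patch or from SpamAssassin), this shows how the pieces RW and Rob describe could fit together: a per-zone policy, an NS lookup for the "authoritative" mode, and a TTL-bounded cache that absorbs bursts of near-identical queries. The resolver is an injected callback with a constructed offline stand-in, and the zone names, nameserver address and the listing of 1.2.3.4 are placeholders.

```python
import ipaddress
import time

# Constructed per-zone policy (placeholder zone names, not real DNSBLs):
# "auth" = the zone's own nameserver via an NS lookup; an address = that
# server directly; a zone not listed here uses the ordinary resolver.
ZONE_CONFIG = {"dnsbl.list-a.example": "auth",
               "dnsbl.list-b.example": "192.0.2.53"}

def dnsbl_qname(ip, zone):
    """Reversed IPv4 octets under the zone, the usual DNSBL query form."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

class DirectDnsblClient:
    # resolver(qname, qtype, server) -> (answers, ttl_seconds); server=None
    # means the ordinary resolver. Injected so the example runs offline.
    def __init__(self, resolver, clock=time.monotonic):
        self.resolver, self.clock = resolver, clock
        self.cache = {}     # qname -> (answers, expiry)
        self.ns_cache = {}  # zone -> (NS names, expiry)

    def _cached(self, store, key, fetch):
        # TTL-bounded cache: DNSBL TTLs are short, but bursts of similar
        # spam repeat the same query within seconds, so caching still pays.
        now = self.clock()
        hit = store.get(key)
        if hit and hit[1] > now:
            return hit[0]
        value, ttl = fetch()
        store[key] = (value, now + ttl)
        return value

    def _server_for(self, zone):
        mode = ZONE_CONFIG.get(zone)
        if mode != "auth":
            return mode  # fixed server, or None for the ordinary resolver
        names = self._cached(self.ns_cache, zone,
                             lambda: self.resolver(zone, "NS", None))
        return names[0]  # first NS name; resolving it is the resolver's job

    def lookup(self, ip, zone):
        qname = dnsbl_qname(ip, zone)
        return self._cached(self.cache, qname,
                            lambda: self.resolver(qname, "A", self._server_for(zone)))

CALLS = []  # upstream queries seen by the constructed offline fake resolver
def fake_resolver(qname, qtype, server):
    CALLS.append((qname, qtype, server))
    if qtype == "NS":
        return ["ns1." + qname], 3600
    return (["127.0.0.2"] if qname.startswith("4.3.2.1.") else []), 5
```

A cache hit skips both the A query and the NS lookup, which is what keeps a burst of identical spam from turning into a burst of upstream queries.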

potential new SA feature: Direct DNS Querying Per DNSBL Zone

2017-11-15 Thread Rob McEwen

RE: potential new SA feature: Direct DNS Querying Per DNSBL Zone

A couple of months ago, I commissioned the development of a potential 
new feature in SA. The code is mostly already written, but has at least 
one significant bug. Therefore, it is currently in the SA Bugzilla – Bug 
7477


https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7477

SUMMARY:

(1) (optionally!) on a per-DNSBL basis, DNS queries to a particular 
DNSBL can be set to DIRECTLY query a particular designated DNS server 
(individually set for that particular DNSBL)

--OR--
(2) (optionally!) on a per-DNSBL basis, DNS queries to a particular 
DNSBL can be set to DIRECTLY query that particular DNSBL's authoritative 
DNS server


(in both cases, bypassing the regular DNS "middle man")

ALSO: There is a cache component so that these DNSBL queries can be 
cached. DNSBLs *almost* don't need caching since most of them have such 
extremely short TTLs - HOWEVER - the problem with not caching is that 
there can often be bursts of *many* DNS lookups due to MANY similar 
spams being sent in close succession - THEREFORE - this caching 
component is critically important.


Why is this "Direct DNS Querying Per DNSBL Zone" feature needed/important?

(1) There have already been a few recent discussion threads on the SA 
lists where users have complained about their DNSBL lookups not working 
anymore - and then it was discovered that unknown or unwanted DNS 
settings (or setting changes) - caused major problems. This feature 
would enable more SA admins to have more "set it and forget it" success.


(2) Some DESIRE that their main DNS queries (for their server that is 
running SA) default to particular 3rd party DNS servers, such as 
Google's DNS servers - yet they need particular DNSBL queries to go 
directly to the DNSBL's authoritative DNS servers (and they may not even 
be aware of that need!). Yes, this can be done with a local DNS server 
combined with forwarders and conditional forwarders - HOWEVER...


(3) Some SA users do not have total control over their servers, and 
sometimes their DNS infrastructure and/or their DNS settings on their 
servers - CHANGE - without their knowledge or will. This was a primary 
motivation for my funding of this new feature (that is almost 
completed). While running the invaluement anti-spam blacklists - I've 
discovered that a LARGE percent of subscribers are continually having 
their DNS settings switched to either using Google's or OpenDNS's or 
their ISP's dns servers. Then their queries to invaluement start to 
fail as we're not able to grant them access permissions from those IPs - 
nor are we even able to distinguish such queries from others' queries. And 
even many of the (so-called) "free" DNSBLs have this same problem with 
their medium-sized customers who have moved into their paid access 
system AND are also doing direct queries (not RSYNC'ing the data). In 
fact, this problem is epidemic. Does it impact everyone? No. Does it 
impact you? Probably not. If you're reading this, you are probably one 
of the SA admins who DOES have more granularity of control and you 
probably already set up your own locally-hosted DNS server - and this 
all might sound like a solution looking for a problem... but then again, 
there have been those recent pesky SA list discussions that might not 
have existed if this feature were already implemented! And I see these 
issues FREQUENTLY with invaluement subscribers, especially with the 
numerous SA installations where the systems administrators didn't have 
as much control or knowledge as your average SA list participant. In 
many of these situations, the SA admin is a general IT guy who wears 100 
different hats besides being the email and spam filtering admin. That 
admin is typically pulled a million different directions and would 
GREATLY benefit from a feature that allows MORE "set it and forget it". 
Forgive that person for not having as much SA and DNS knowledge stored 
in his brain as you probably have!


Also, again, if this is accepted into official SA code, it will ALWAYS 
be an optional feature - that only impacts those DNSBLs for which it was 
specifically set up - other queries and other DNSBL lookups will 
continue to work as they always have. If you don't need or like this 
feature - just don't go out of your way to turn it on! Furthermore, this 
is NOT an intended replacement for running your own DNS caching server 
and pointing your SA queries to that. That is still the ideal/desired 
setup. Instead, this is for those who are unable to do that (or unable 
to do that reliably or without unexpected changes happening 
occasionally) AND it can also act as a sort of "insurance policy" to 
make sure that certain DNSBL queries continue to operate as intended, 
even if the DNS infrastructure changes unexpectedly or malfunctions.


If anyone is interested in this feature and is willing/able to help get