On 16.09.2015 at 11:36, Marc Richter wrote:
> I am. It's the very same setup you describe that I'm using. The only difference is that I do not rely on a dedicated DNS resolver I set up myself, but on the centralized nameserver of my ISP, which works exactly like any nameserver I'd set up myself.
no it does not

ISP nameservers have proven to cause all sorts of trouble over the years, like ignoring TTLs, spitting out random expired responses, deciding from one day to the next to answer with a wildcard instead of NXDOMAIN (which kills any mail service from one moment to the next), and so on
> Although, the intended setup with exemptions by defining empty forwarders for DNSBL zones was not my idea - this scenario is described on the SA wiki as a working solution: http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding This seems not to be working, so I'm heading to this ML to find out why.
well, that would be a question for the bind-ML
> you should read and understand their posts in full before doing so, at least, to not look like a jackass in addition to an impolite person.
>
>> obviously it doesn't work
>
> That's right - so let's work out the reasons for it and not fight against each other. This setup is described in the official SA wiki and is not working. So let's improve this public resource together.
until now it is not sure that your setup is correct (only using 127.0.0.1 as nameserver)
> What I wrote is:
>
>>> ... but created the exemptions as listed at the very bottom of that site, to make sure my bind doesn't forward requests on these services to my ISP's DNS ...
>
>> but it does forward, otherwise the problem would be solved
>
> You are right. I double-checked in the meantime (and waited for some spam to arrive) by disabling forwarding completely. It does work then. I do not and did not doubt this - but the issue remains: I'd still like to forward all of my requests to take advantage of my ISP's DNS caches. But those queries to the DNSBL zones should be resolved exceptionally by my local recursive nameserver. Why is the example in the SA wiki not working?
maybe you did not tell SA directly, or the OS in /etc/resolv.conf, to *only* use 127.0.0.1 as DNS server
> I do - and you are right with what you described. But all you mentioned is not important for my setup and specific application. Fast resolution and a huge DNS cache is. I know that those times aren't achieved when my ISP's DNS servers have to initiate a recursive query for the data, only when they deliver what they already have cached. But that is OK for me. I only need this cached data
well, you only benefit from the ISP cache when another customer did the same request within the TTL; in any other case the response would be slower because of one more hop
you are still missing the whole picture!
> If I did the recursive resolving on my own, not only would my initial queries take quite a long time compared to those my ISP's do, but I would "waste" a lot of resources needed to provide these caches on my own servers. My setup simply isn't big enough to reasonably dedicate a box on its own, or use the resources of my apps' host, only to provide nearly the same as my ISP already serves.
you just need 64-128 MB RAM for a reasonable cache, and when it comes to resources I would use unbound instead of named as a caching-only resolver
*all* blacklist services have a very low TTL; with unbound you even cache *much* better than any ISP resolver because you can specify that responses are cached for at least 10 minutes instead of asking every 5 seconds again and again - they are doing that on purpose to make you hit their limits
  msg-cache-size: 64m
  neg-cache-size: 64m
  rrset-cache-size: 128m
  cache-min-ttl: 600
  cache-max-ttl: 10800
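Added example, not code from the thread, from SpamAssassin or from either poster: a small Python script that checks the two things the reply above says are unverified, namely that resolv.conf points *only* at 127.0.0.1, and that the resolver actually in use answers a DNSBL zone correctly (the RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not; a resolver that answers the second one is wildcarding NXDOMAIN, the ISP behaviour complained about above). The zone name "dnsbl.example" and the resolv.conf text are constructed placeholders; substitute the DNSBL you use.

```python
"""Sanity checks for the resolver setup argued about above.

Added example; not code from the thread, from SpamAssassin or from either
poster.  The zone name and resolv.conf text below are constructed placeholders.
"""
import ipaddress
import socket

# Addresses that mean "the resolver on this box", as the thread insists on.
LOCAL_RESOLVERS = {"127.0.0.1", "::1"}


def foreign_nameservers(resolv_conf):
    """Return nameserver entries from resolv.conf text that are not local.

    An empty result means the OS (and SpamAssassin through it) only talks to
    the local caching resolver; anything else means lookups can bypass it.
    """
    foreign = []
    for raw in resolv_conf.splitlines():
        # strip both comment styles resolv.conf accepts
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in LOCAL_RESOLVERS:
            foreign.append(parts[1])
    return foreign


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client queries: IPv4 octets reversed under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone.strip("."))


def is_listed(answers):
    """A DNSBL answers a listed address with an A record in 127.0.0.0/8 (RFC 5782)."""
    loopback_net = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback_net for a in answers)


def check_dnsbl_zone(zone, resolve=None):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.

    `resolve` maps a name to a list of A records (an empty list, or a
    socket.gaierror/herror, means NXDOMAIN).  The default uses the system
    resolver, i.e. whatever resolv.conf points at, which is exactly the path
    the thread is about.  A resolver that answers the must-not-be-listed entry
    is wildcarding NXDOMAIN, and every sender would then look listed.
    """
    if resolve is None:
        resolve = lambda name: socket.gethostbyname_ex(name)[2]

    def lookup(ip):
        try:
            return resolve(dnsbl_query_name(ip, zone))
        except (socket.gaierror, socket.herror):
            return []

    return {
        "zone_reachable": is_listed(lookup("127.0.0.2")),
        "wildcard_suspected": bool(lookup("127.0.0.1")),
    }


if __name__ == "__main__":
    # constructed sample; on a real box read /etc/resolv.conf instead
    sample = "nameserver 127.0.0.1\nnameserver 192.0.2.53  # ISP resolver\n"
    print("non-local nameservers:", foreign_nameservers(sample))
    print("query name:", dnsbl_query_name("192.0.2.10", "dnsbl.example"))
    # live check against the placeholder zone (hypothetical); use your own DNSBL
    print(check_dnsbl_zone("dnsbl.example"))
```

Run it once with forwarding enabled and once with forwarding disabled: if "wildcard_suspected" flips to True only while forwarding, the forwarder is rewriting NXDOMAIN and no cache tuning will fix that; if "zone_reachable" is False in both runs, the lookup never reaches the DNSBL at all and the resolv.conf check is the first thing to look at.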