I used the "Authoritative, validating, recursive caching DNS (example 2)" section of this guide: https://calomel.org/unbound_dns.html but omitted the forward-zone, local-zone and local-data sections and did a couple of other parameters differently.

On 25/05/2016 21:24, Vincent Fox wrote:


I've been using dnsmasq myself on a list server, with DHCP
disabled, and configured to answer only localhost, for caching.
The stock package seems limited to 10,000 entries BTW.
But it seemed fairly bug-free as opposed to nscd, and simple
to setup unlike BIND.

Gladly switch to something else.  Thanks for mentioning unbound,
I had never heard of this before.


________________________________________
From: Nick Howitt <n...@howitts.co.uk>
Sent: Wednesday, May 25, 2016 11:11:24 AM
To: David Jones; SA-Users
Subject: Re: Odd results when using whitelisting

This thread is so fragmented now I am not sure which message to reply to.

I've now installed unbound and configured dnsmasq to hand its DNS
queries to unbound on port 1053. It looks like I could stop dnsmasq from
doing dns completely (by setting port to 0), but the ClearOS webconfig
interfaces with hosts which I am not sure if unbound works with, and, in
any case, changing hosts through the webconfig triggers a dnsmasq reload
rather than an unbound reload, so I can have dnsmasq handling the LAN
(hosts) then handing over to unbound for the WAN.

Now I've done this, is there any chance of some help with the main bit
of my original query, which is: why do some whitelisted e-mails not get
X-Spam headers when others do?

Sorry to all for using html e-mails. Some lists don't mind them and I
generally prefer them so use them by default. This should appear in
plain-text only.

On 25/05/2016 17:52, David Jones wrote:
From: Bill Cole <sausers-20150...@billmail.scconsult.com>
Sent: Wednesday, May 25, 2016 10:09 AM
To: SA-Users
Subject: Re: Odd results when using whitelisting
On 24 May 2016, at 15:58, David Jones wrote:
Dnsmasq is a very powerful DNS server
I meant that it has lots of options and can do some pretty slick
stuff.   It can handle a heavy load too.  It's used all over the place
not just in home routers / blue plastic boxes.

LOL. Its man page (see
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) opens with
the implied admission that it isn't even a "real" DNS server: which it
isn't. It's a bloatware DNS proxy. For many years its default
configuration made it an open resolver with no mitigation for DNS
amplification attacks and it is still being distributed that way by some
packagers.
BIND is a "very powerful" DNS server. It also sucks much less than it
used to but has such a rococo feature set that it probably shouldn't be
used by anyone who doesn't treat DNS as an artistic medium. Using it for
straightforward caching and autonomous recursive resolution is a
widespread practice in the same way that using full-size SUVs for
suburban commuting is a widespread practice.
Unbound is a very good recursive resolution and caching DNS server,
which is the functionality one actually needs on a modern mail server
(or on the same physical LAN) to keep DNS from being a bottleneck.
Because it is not an authoritative server, it lacks much of BIND's
"power" along with most of the features that have been involved in the
last dozen or so BIND vulnerabilities.
I prefer PowerDNS recursor over BIND and Unbound, which is definitely
a very powerful DNS recursive server.  Dnsmasq could be set up to forward
to pdns-recursor to solve this problem.

so I am sure it can be configured to do full recursive lookups
Ok.  I was wrong.

See the cited man page, which almost clearly says otherwise:
         Dnsmasq is a DNS query forwarder: it it [sic] not capable of
         recursively answering arbitrary queries starting from the root servers
For its design target, Dnsmasq is an acceptable hack: a local DNS cache
for small routers serving typical home networks that also does DHCP. It
simply isn't fit for a mail server using modern anti-spam measures, not
just because it must forward to a real DNS server on the other side of a
WAN link and usually at least 2 routing hops which is probably
URIBL_BLOCKED anyway, but also because it is normally run on devices
that have very tight memory constraints, limiting its cache.
The OP wants to continue to use dnsmasq because it's integrated
into his distro tightly, so I recommend he set up a recursive DNS server
like pdns-recursor, BIND, unbound, etc. on a different port and forward
dnsmasq to it.  I expect his mail flow is very light so this will work fine.
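The dnsmasq-in-front, unbound-behind split that Nick describes (dnsmasq keeps port 53 and /etc/hosts for the LAN, unbound does full recursion on port 1053), written out as an added configuration example; this is not from the thread or from either project's documentation, and the LAN address, trust-anchor path and cache sizes are assumptions.

```conf
# /etc/unbound/unbound.conf (fragment): recursive, validating, caching
# resolver that listens only on localhost, on the non-standard port the
# thread uses so dnsmasq can keep port 53.
server:
    interface: 127.0.0.1
    port: 1053
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Only the local host may query; everything else is refused, so this
    # instance cannot become the open resolver Bill warns about.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Full recursion from the root servers with DNSSEC validation.
    # The key path is an assumption; use the one your package installs.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
    # Cache sizes are assumptions; raise them for a busier mail server.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    hide-identity: yes
    hide-version: yes

# /etc/dnsmasq.conf (fragment): dnsmasq keeps answering the LAN and
# /etc/hosts (which the ClearOS webconfig edits) and hands every other
# query to the local unbound.
# The LAN address is an assumption.
listen-address=127.0.0.1,192.168.1.1
# Ignore /etc/resolv.conf; the only upstream is unbound on 1053.
no-resolv
server=127.0.0.1#1053
# Let unbound do all caching instead of the small dnsmasq cache.
cache-size=0
# Answer reverse lookups for private ranges locally and never forward
# bare hostnames upstream.
bogus-priv
domain-needed
```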
