Author: Jasen Betts
Date:
To: exim-dev
Subject: Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly

On 2017-09-09, Rob McEwen <rob@???> wrote:
> Hi! This is Rob McEwen from the invaluement.com anti-spam blacklist. (I
> just joined this list.)
>
> I have a feature request for Exim. Or, since Exim is clearly one of the
> world's most flexible/configurable MTAs, is... what I'm about to
> describe... already possible with existing features?
>
> What I want to accomplish is this: provide subscribers to the
> invaluement anti-spam blacklist... who use exim... the ability to have
> their DNS queries to DNSBLs... come directly from Exim, skipping the
> normal DNS resolver. (and other DNSBLs could benefit from this too!)
no, this will hurt the DNSBLs. Feeding the requests through caching
resolvers helps the DNSBLs by reducing their infrastructure costs.
> The way this would work... is that Exim would do a normal NS lookup on
> the host name at the root of a DNSBL (eg "zen.spamhaus.org", for
> example), then collect IP address(es) that those authoritative name
> servers resolve to, and then do the actual DNSBL lookup *directly* on
> that DNSBL's authoritative servers, skipping the regular caching DNS
> server "middleman".
You can get a better result by installing bind or some other caching
resolver locally with only the root domain servers for reference.
This way only one set of lookups is made by exim to find the IP address
of the blacklist, and only one lookup per IP address until the DNS
response TTL expires.
> (Ideally, Exim would internally cache the answer for the NS lookups...
> so that it wouldn't have to do this NS lookup with every single DNSBL
> lookup. But technically, that part is a bit more exotic.)
the exim process is ephemeral; internal caching is done, but each
instance only sees one connection attempt.
> Is there a way to do this already in Exim? If not, does anyone have any
> suggestions regarding how this might be implemented?
exim currently uses gethostent() for DNS lookups, you'd need to
replace that with something that can use different configurations
on a per-call basis.
personally I'd go with bind on the exim server and have the DNSBL serve
results with a TTL of 1 when I want them to be re-queried every time.
--
This email has not been checked by half-arsed antivirus software
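The caching behaviour Jasen describes (one query per IP address until the record's TTL expires, and a TTL of 1 forcing a fresh query every time) as an added, offline example; this is not Exim's code or a real resolver. The upstream resolver is injected as a callable so the script runs without network access, `zen.spamhaus.org` is the zone named in the thread, and the listed addresses, return codes and TTLs are constructed for the demonstration.

```python
"""TTL-respecting cache in front of a DNSBL lookup (added example, not Exim code)."""
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple

# An answer is (A-record text, or None for NXDOMAIN, TTL in seconds).
Answer = Tuple[Optional[str], int]
Resolver = Callable[[str], Answer]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 127.0.0.2 -> 2.0.0.127.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class CachingResolver:
    """Minimal positive+negative cache: keeps each answer until its TTL expires."""

    def __init__(self, upstream: Resolver, clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self._cache: Dict[str, Tuple[Answer, float]] = {}
        self.upstream_queries = 0  # how often the authoritative side was asked

    def query(self, name: str) -> Answer:
        now = self.clock()
        hit = self._cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # still within TTL: no upstream traffic
        answer = self.upstream(name)
        self.upstream_queries += 1
        self._cache[name] = (answer, now + answer[1])
        return answer


def is_listed(resolver: CachingResolver, ip: str, zone: str) -> bool:
    """A DNSBL lists an address when the reversed name resolves (conventionally to 127.0.0.x)."""
    record, _ttl = resolver.query(dnsbl_query_name(ip, zone))
    return record is not None and record.startswith("127.")


def demo() -> dict:
    """Walk through the long-TTL and TTL-1 cases with a fake clock; returns counters for checking."""
    zone = "zen.spamhaus.org"
    # Constructed authoritative data: one listing with a 300 s TTL, one with TTL 1.
    table = {
        dnsbl_query_name("192.0.2.10", zone): ("127.0.0.2", 300),
        dnsbl_query_name("192.0.2.20", zone): ("127.0.0.4", 1),
    }
    fake_now = [1000.0]

    def upstream(name: str) -> Answer:
        return table.get(name, (None, 60))  # constructed: negative answers cached 60 s

    r = CachingResolver(upstream, clock=lambda: fake_now[0])

    listed_first = is_listed(r, "192.0.2.10", zone)
    fake_now[0] += 10
    listed_again = is_listed(r, "192.0.2.10", zone)
    queries_after_long_ttl = r.upstream_queries  # second lookup served from cache

    is_listed(r, "192.0.2.20", zone)
    fake_now[0] += 2
    is_listed(r, "192.0.2.20", zone)
    queries_after_short_ttl = r.upstream_queries  # TTL 1 expired, asked again

    clean = is_listed(r, "198.51.100.7", zone)
    return {
        "listed_first": listed_first,
        "listed_again": listed_again,
        "queries_after_long_ttl": queries_after_long_ttl,
        "queries_after_short_ttl": queries_after_short_ttl,
        "clean_listed": clean,
    }


if __name__ == "__main__":
    print(demo())
```

The cache lives in the resolver object, which is the point of the thread: a long-running local resolver keeps the answer across connections, whereas a per-connection MTA process would start with an empty cache every time.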