Re: [exim-dev] feature request for exim: query DNSBL provide…

Author: Heiko Schlittermann
Date:
To: exim-dev
Subject: Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly
Hi,

Rob McEwen <rob@???> (Sa 09 Sep 2017 20:59:01 CEST):
> What I want to accomplish is this: provide subscribers to the invaluement
> anti-spam blacklist... who use exim... the ability to have their DNS queries
> to DNSBLs... come directly from Exim, skipping the normal DNS resolver. (and
> other DNSBLs could benefit from this too!)
>
> The way this would work... is that Exim would do a normal NS lookup on the
> host name at the root of a DNSBL (eg "zen.spamhaus.org", for example), then
> collect IP address(es) that those authoritative name servers resolve to, and
> then do the actual DNSBL lookup *directly* on that DNSBL's authoritative
> servers, skipping the regular caching DNS server "middleman".

I'm not sure if I got it. You want to re-invent a caching name service
inside Exim? What's wrong with installing a caching (and validating)
resolver next to the host Exim is running on? (Ideally on the same
machine.) Bind, Unbound, or even systemd-resolved will do and the
installations of these tools shouldn't be hard for someone who is about
to set up a mail system.

> (Ideally, Exim would internally cache the answer for the NS lookups... so
> that it wouldn't have to do this NS lookup with every single DNSBL lookup.
> But technically, that part is a bit more exotic.)

And even w/o a caching resolver next to Exim the DNS resolver
infrastructure should be mature enough to handle the "non-caching"
behaviour of Exim.

As already explained by others on this list, Exim's architecture
doesn't allow for an easy caching implementation.

> PS - This can be beneficial for other uses besides my "invaluement"

> servers - and it becomes a hassle for them to set up their own DNS resolver
> and/or the server provider or datacenter constantly overwrites their DNS
> settings, forcing them back to Google (etc). Some of these organizations

I can imagine a global Exim option to override the name server addresses provided
by the resolver library (if there isn't such option already). This would
solve the problem with overridden resolver configuration files
(resolv.conf).

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
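The lookup scheme quoted above (NS lookup at the DNSBL root, resolve those name servers, send the DNSBL query to them directly, cache the NS answer for its TTL and fall over to the next server when one is down), as an added Python example that is not part of this thread or of Exim. The three DNS callables are assumed to be supplied by a real DNS library; the zone data below is constructed so the code runs offline.

```python
import ipaddress
import time
def dnsbl_qname(client_ip, zone):
    """DNSBL query name: the client's octets reversed, under the list's zone."""
    octets = reversed(ipaddress.IPv4Address(client_ip).exploded.split("."))
    return ".".join(octets) + "." + zone.rstrip(".") + "."

class DirectDnsblClient:
    """NS lookup once per TTL, then the DNSBL query goes straight to an authoritative server.
    Assumed callables: ns_lookup(zone) -> (names, ttl); a_lookup(host) -> [ip]; query(ip, qname) -> [A]."""
    def __init__(self, ns_lookup, a_lookup, query):
        self._ns, self._a, self._q = ns_lookup, a_lookup, query
        self._cache = {}  # zone -> (authoritative server IPs, expiry time)

    def servers(self, zone):
        hit = self._cache.get(zone)
        if hit and hit[1] > time.monotonic():
            return hit[0]  # cached NS answer still within its TTL
        names, ttl = self._ns(zone)
        ips = [ip for name in names for ip in self._a(name)]
        if not ips:
            raise LookupError("no authoritative server addresses for " + zone)
        self._cache[zone] = (ips, time.monotonic() + ttl)
        return ips

    def lookup(self, client_ip, zone):
        qname = dnsbl_qname(client_ip, zone)
        for server in self.servers(zone):
            try:
                return self._q(server, qname)  # [] means "not listed"
            except OSError:
                continue  # that server is unreachable; try the next one
        raise LookupError("all authoritative servers failed for " + zone)
# Constructed sample data (documentation addresses, not a real DNSBL).
NS = {"dnsbl.example": (["ns1.dnsbl.example", "ns2.dnsbl.example"], 3600)}
A = {"ns1.dnsbl.example": ["192.0.2.1"], "ns2.dnsbl.example": ["192.0.2.2"]}
LISTED = {"4.3.2.198.dnsbl.example.": ["127.0.0.2"]}
def demo():
    ns_calls = []  # how many NS lookups the two DNSBL queries below needed
    def ns_lookup(zone):
        ns_calls.append(zone)
        return NS[zone]
    def query(server, qname):
        if server == "192.0.2.1":
            raise OSError("timeout")  # first server down: exercise the failover
        return LISTED.get(qname, [])
    client = DirectDnsblClient(ns_lookup, lambda host: A.get(host, []), query)
    listed = client.lookup("198.2.3.4", "dnsbl.example")
    clean = client.lookup("198.51.100.7", "dnsbl.example")
    return listed, clean, len(ns_calls)
```

`demo()` performs two DNSBL lookups but only one NS lookup, since the second query reuses the cached authoritative addresses.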