Re: [exim-dev] feature request for exim: query DNSBL provide…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly

> On Sep 11, 2017, at 2:58 PM, Heiko Schlittermann via Exim-dev <exim-dev@???> wrote:
>
>> What I want to accomplish is this: provide subscribers to the invaluement
>> anti-spam blacklist... who use exim... the ability to have their DNS queries
>> to DNSBLs... come directly from Exim, skipping the normal DNS resolver. (and
>> other DNSBLs could benefit from this too!)
>>
>> The way this would work... is that Exim would do a normal NS lookup on the
>> host name at the root of a DNSBL (eg "zen.spamhaus.org", for example), then
>> collect IP address(es) that those authoritative name servers resolve to, and
>> then do the actual DNSBL lookup *directly* on that DNSBL's authoritative
>> servers, skipping the regular caching DNS server "middleman".
>
> I'm not sure if I got it. You want to re-invent a caching name service
> inside Exim? What's wrong with installing a caching (and validating)
> resolver next to the host Exim is running on? (Ideally on the same
> machine.) Bind, Unbound, or even systemd-resolved will do and the
> installations of these tools shouldn't be hard for someone who is about
> to set up a mail system.


I agree that this would be a bad idea. Of course the OP is free to find
someone to implement this for a custom version of Exim, but I would hope
that resolver bypass does not become a supported Exim feature.

All the problems the OP would like to solve are best handled via a dedicated
local resolver. That resolver can forward queries to some more central
resolver and define stub zones (or an appropriate alternative mechanism) for
whatever RBL domains it would like to bypass the upstream cache.

-- 
    Viktor.
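For reference, the setup Viktor describes (a local resolver next to Exim that forwards everything to a central cache but resolves selected RBL zones itself) can be expressed in BIND 9 as below. This is an added illustration, not configuration from the thread or from the Exim project; the upstream address 192.0.2.53 is a documentation placeholder, and zen.spamhaus.org is used only because it is the zone the original poster named. The per-zone "forward" declaration with an empty forwarders list is BIND's documented way of switching forwarding off for one domain.

```conf
// named.conf for a local caching, validating resolver that Exim talks to.
// Added example (not from the exim-dev thread or the Exim project).
// Assumptions: the central upstream resolver is 192.0.2.53 (substitute
// your own), and zen.spamhaus.org is the DNSBL zone that should bypass it.

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;

    // Default policy: send everything to the central cache.
    forward only;
    forwarders { 192.0.2.53; };

    // Validate answers locally; the central cache is not trusted to.
    dnssec-validation auto;
};

// Exception: an empty forwarders list in a per-zone forward declaration
// disables forwarding for this zone only. named then follows the
// delegation itself (root hints -> org -> spamhaus.org -> zen.spamhaus.org),
// queries the DNSBL's authoritative servers directly, and caches the
// results locally with the TTLs the DNSBL publishes.
zone "zen.spamhaus.org" {
    type forward;
    forwarders { };
};
```

Exim uses the system resolver, so the remaining step is `nameserver 127.0.0.1` in /etc/resolv.conf on the Exim host. To confirm the bypass is in effect, query the test entry that RFC 5782 requires every DNSBL to list, `dig @127.0.0.1 2.0.0.127.zen.spamhaus.org A`, and check with a packet capture (or `rndc querylog`) that the outbound query went to a Spamhaus authoritative server rather than to 192.0.2.53. The same split can be built in Unbound with a forward-zone for "." plus a stub-zone for the RBL domain; the idea is identical, only the syntax differs.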