Re: [exim-dev] feature request for exim: query DNSBL provide…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly
On 2017-09-11 at 20:58 +0200, Heiko Schlittermann via Exim-dev wrote:
> I'm not sure if I got it. You want to re-invent a caching name service
> inside Exim?
No, just a resolver which can be custom-configured. There's a lot of
value for spam-fighting in being able to do custom DNS queries, although
whether that belongs in Exim vs rspamd or whatever is a different
question.

Example query: "nameservers for this domain as registered in the parent
zone". NS records are authoritative below the cut and normal APIs will
always return the below-cut answer. Fast-flux DNS abusing spammers,
pointing NS records at compromised hosts, use this and have done for
years. Having the ability to look up the records registered in the
parent zone and use _those_ in an RBL-style lookup ... that would be
Very Handy.

So there's some value in having an optional, EXPERIMENTAL_FOO feature,
for more advanced DNS handling. We have pseudo-RRtypes for dnsdb
already, but adding "NS at parent" couldn't be done with the current
libresolv API. I've been repeatedly disgusted at the hoops we have to
go through with the `_res` symbol and handling it cleanly, including on
NetBSD which is Different From Everyone Else To Be More Correct.
Replacing all of the DNS lookups with getdns-based handling, if built
with EXPERIMENTAL_GETDNS, and then adding a few more features too, could
be sensible. For the DNSSEC folks, being able to affirm validation
without trusting across-the-wire that AD bit is tamper-proof is nice.

I think it's worth noting here that Rob _runs_ a commercial RBL (I'm
actually a paying customer of his) and so is in a good situation to be
able to make the call about load and caching.

-Phil
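A sketch, added here and not part of the post or of Exim, of the "NS at parent" lookup Phil describes: a non-recursive (RD=0) NS query sent to a parent-zone server comes back as a referral whose authority section carries the delegation NS records, which is exactly what the lookup wants and what a stock libresolv API never hands back. The wire-format helpers and the sample referral (example.com delegated to ns1/ns2.example.net) are constructed for this example; sending the query over UDP and matching the response ID are left to the caller.

```python
import struct
NS_TYPE = 2

def encode_name(name):  # dotted name -> uncompressed DNS wire labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qid=0x1234):
    """NS query with RD=0: an authoritative parent server then answers with a
    referral (delegation NS in the authority section), not the child's view."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", NS_TYPE, 1)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bounded: a looping pointer chain must not hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off if end is None else end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("malformed name")

def delegation_ns(msg):
    """NS targets in the authority section of a referral (answers are skipped)."""
    qd, an, ns, _ = struct.unpack("!HHHH", msg[4:12])
    off, targets = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    for i in range(an + ns):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == NS_TYPE:
            targets.append(decode_name(msg, off)[0])
        off += rdlen
    return targets

# Constructed referral as a ".com" server would return for "example.com. NS" (RD=0)
SAMPLE_REFERRAL = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 0)
    + encode_name("example.com") + struct.pack("!HH", NS_TYPE, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", NS_TYPE, 1, 172800, 17) + encode_name("ns1.example.net")
    + b"\xc0\x0c" + struct.pack("!HHIH", NS_TYPE, 1, 172800, 6) + b"\x03ns2\xc0\x2d"
)
```

Comparing this list with the apex NS set from an ordinary recursive lookup gives the mismatch the post wants to feed into an RBL-style check. A real resolver would additionally verify the response ID, honour the TC bit by retrying over TCP, and find the parent's server addresses by walking down from the root.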