On Wednesday, December 8, 2004, 7:16:41 AM, Rob Systems) wrote:
Speaking of whitelisting, I'm using a caching DNS server on my box which is based on BINDS.
I currently use the following syntax in the names.config files to manually whitelist:
zone "yahoo.com.multi.surbl.org" in { type master; };
This **works** and causes the DNS caching server to return a "not found" WITHOUT having to ever check external DNS servers to resolve this. Also, the return times are lightning fast (<4ms).
However, I'm still getting some kind of weird system errors logged in my "Events" log related to this process. Basically, I think I goofed up the syntax or I am missing some information here.
Does anyone here happen to be familiar with BIND and have any suggestions as to the correct syntax? What **should** my example from above look like?
If you want to do this please *don't* do it in the multi.surbl.org domain. Do it in *your own domain*:
zone "yahoo.com.powerviewsystems.com" in { type master; };
and set up delegation for the zone in the powerviewsystems.com zone file:
yahoo.com IN NS yournameserverhere
(When this appears in the powerviewsystems.com zone file it delegates yahoo.com.powerviewsystems.com. not yahoo.com.)
What is happening is that there is no yahoo.com.multi.surbl.org zone delegated from multi.surbl.org so you are creating bogus DNS zone requests to the name servers that are authoritative for multi.surbl.org. Those are probably the error messages you are seeing. The requests are also generating unnecessary packets and warning messages on the SURBL public name servers, which is *not* cool.
Anyone else doing this or something similar should stop doing it post haste!
However, a much better way to whitelist domains is to use the built-in SpamAssassin or SpamCopURI functions:
URIDNSBL:
uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
SpamCopURI:
whitelist_spamcop_uri *.yahoo.com
I'm going to add local whitelisting (exclusion-list style) to the SURBL FAQ and implementation guidelines.
Jeff C. -- "If it appears in hams, then don't list it."
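
Added example (not part of the original message, and not SpamAssassin's or SpamCopURI's code): a sketch of the exclusion-list approach recommended above, in which skipped domains are dropped locally so that no query for them is ever built for the multi.surbl.org name servers. The function names, the tiny two-level-TLD table and the sample URIs are assumptions constructed for illustration; the skip list is the one from the uridnsbl_skip_domain line.

```python
import ipaddress
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # list zone named in the thread
# Domains from the uridnsbl_skip_domain line in the message
SKIP_DOMAINS = {"yahoo.com", "w3.org", "msn.com", "com.com", "yimg.com"}
# Constructed, deliberately tiny stand-in for a real two-level-TLD table
TWO_LEVEL_TLDS = {"co.uk", "com.au"}

def registered_domain(host):
    """Reduce a hostname to the domain that would be checked against the list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def surbl_queries(uris, skip=SKIP_DOMAINS, zone=SURBL_ZONE):
    """Return the DNS names to look up; excluded domains never produce one."""
    queries = []
    for uri in uris:
        host = urlsplit(uri).hostname
        if not host or is_ip_literal(host):
            continue  # no hostname, or an IP literal (not handled in this sketch)
        domain = registered_domain(host)
        if domain in skip:
            continue  # local exclusion: nothing is sent to any name server
        name = f"{domain}.{zone}."
        if name not in queries:
            queries.append(name)  # one query per domain per message
    return queries

# Constructed sample URIs, as they might be extracted from one message body
SAMPLE_URIS = [
    "http://www.yahoo.com/news",
    "http://images.yimg.com/a.gif",
    "http://spam.example.net/buy",
    "http://SPAM.example.net/again",
    "http://shop.example.co.uk/x",
    "mailto:someone@example.org",
    "http://192.0.2.10/",
]

if __name__ == "__main__":
    for q in surbl_queries(SAMPLE_URIS):
        print(q)
```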