Speaking of whitelisting, I'm using a caching DNS server on my box which is based on BIND.
I currently use the following syntax in the names.config files to manually whitelist:
zone "yahoo.com.multi.surbl.org" in { type master; };
This **works** and causes the DNS caching server to return a "not found" WITHOUT having to ever check external DNS servers to resolve this. Also, the return times are lightning fast (<4ms).
However, I'm still getting some kind of weird system errors logged in my "Events" log related to this process. Basically, I think I goofed up the syntax or I am missing some information here.
Does anyone here happen to be familiar with BIND and have any suggestions as to the correct syntax? What **should** my example from above look like?
Thanks,
Rob McEwen
On Wednesday, December 8, 2004, 7:16:41 AM, Rob Systems) wrote:
> Speaking of whitelisting, I'm using a caching DNS server on my box which is based on BIND.
> I currently use the following syntax in the names.config files to manually whitelist:
> zone "yahoo.com.multi.surbl.org" in { type master; };
> This **works** and causes the DNS caching server to return a "not found" WITHOUT having to ever check external DNS servers to resolve this. Also, the return times are lightning fast (<4ms).
> However, I'm still getting some kind of weird system errors logged in my "Events" log related to this process. Basically, I think I goofed up the syntax or I am missing some information here.
> Does anyone here happen to be familiar with BIND and have any suggestions as to the correct syntax? What **should** my example from above look like?
If you want to do this please *don't* do it in the multi.surbl.org domain. Do it in *your own domain*:
zone "yahoo.com.powerviewsystems.com" in { type master; };
and set up delegation for the zone in the powerviewsystems.com zone file:
yahoo.com IN NS yournameserverhere
(When this appears in the powerviewsystems.com zone file it delegates yahoo.com.powerviewsystems.com. not yahoo.com.)
What is happening is that there is no yahoo.com.multi.surbl.org zone delegated from multi.surbl.org so you are creating bogus DNS zone requests to the name servers that are authoritative for multi.surbl.org. Those are probably the error messages you are seeing. The requests are also generating unnecessary packets and warning messages on the SURBL public name servers, which is *not* cool.
Anyone else doing this or something similar should stop doing it post haste!
However, a much better way to whitelist domains is to use the built-in SpamAssassin or SpamCopURI functions:
URIDNSBL:
uridnsbl_skip_domain yahoo.com w3.org msn.com com.com yimg.com
SpamCopURI:
whitelist_spamcop_uri *.yahoo.com
I'm going to add local whitelisting (exclusion-list style) to the SURBL FAQ and implementation guidelines.
Jeff C. -- "If it appears in hams, then don't list it."
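As an added example (not configuration from the thread or from SURBL), here is how the local whitelist zone described in the reply above could be laid out in BIND: a named.conf zone statement for the child zone, a minimal zone file for it, and the NS delegation record in the parent zone file. powerviewsystems.com is the domain used in the reply; the name server ns1.powerviewsystems.com, the file paths and the serial number are assumptions. One detail the one-line form omits: BIND requires a `file` for a `type master` zone, and the zone file must contain an SOA and at least one NS record, or named refuses to load it.

```bind
// --- named.conf (added example) ---
// Local whitelist zone in a domain you control. Because this server is
// authoritative for it, a lookup of yahoo.com.powerviewsystems.com is answered
// locally and no query ever leaves the box for it.
zone "yahoo.com.powerviewsystems.com" IN {
    type master;
    file "zones/yahoo.com.powerviewsystems.com.db";   // path is an assumption
};

; --- zones/yahoo.com.powerviewsystems.com.db (added example) ---
; Minimal authoritative zone: SOA and NS are mandatory. No A record is defined,
; so an A query for the zone apex gets NOERROR with an empty answer (NODATA) and
; anything below it gets NXDOMAIN, which the DNSBL client treats as "not listed".
$TTL 86400
@   IN  SOA ns1.powerviewsystems.com. hostmaster.powerviewsystems.com. (
            2004120801  ; serial (assumed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; negative-cache TTL
    IN  NS  ns1.powerviewsystems.com.

; --- delegation in the parent zone file for powerviewsystems.com (added example) ---
; Relative to the zone origin, this name is yahoo.com.powerviewsystems.com.,
; not yahoo.com., so only the whitelist subzone is delegated.
yahoo.com   IN  NS  ns1.powerviewsystems.com.
```

With the delegation present in a parent zone this server also serves, the resolver finds the child zone by following the local NS record instead of sending delegation lookups to the operators of someone else's zone, which is the traffic the reply above asks people to avoid.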
> Anyone else doing this or something similar should stop doing it post haste!
Jeff:
I appreciate your advice. But I'd like some clarification.
1st, I'm not a SpamAssassin user. In fact, none of your particular suggestions (so far) regarding local whitelisting will benefit me.
2nd, I'm running the TreeWalk DNS caching server on my Windows 2000 server and everything running on my box looks to this application for DNS resolution. TreeWalk by default goes to the root servers for advice... except where I have specified otherwise in some "forwarders" strategically set up. Some of these point to my Hosting provider's DNS server... some point elsewhere.
3rd, ...and most important... this TreeWalk DNS server is **local only**. It is NOT a DNS server that propagates info elsewhere and it ONLY serves up domain resolution to applications running on my box. In fact, there is security set up where my TreeWalk implementation will NOT serve requests from outside my box.
Therefore, I **think** that most of your gravest concerns are not applicable???
Finally, the app that I'm using for DNSBL lookups doesn't provide a means to manually whitelist individual entries.
For all these reasons, I see no other choice but to try to override these settings on my server at the DNS level. Sure, doing this to whitelist SURBLs on my DNS caching server is mostly for performance reasons. Therefore, one could argue that it is not worth the hassle just to squeak a little extra performance since these will often be cached from previous lookups.
However, I have no choice but to do this with some OTHER DNSBLs that I use. For example, I do similar lookups with SpamHaus and with MailPolice and there are occasional instances where they are too aggressive. I don't want to NOT use them. I just want to have a means to surgically bypass a **few** of their blocks and doing this in the BIND config files at the **local** DNS caching server level is most efficient. (assuming that I can eventually get the syntax correct!!!)
Again, I'm sure that there must be a way for me to get what I want... and it seems like even if I'm doing something that isn't "by the book" there must be a way to accomplish it without the more nasty repercussions that you refer to.
Any suggestions/comments?
Thanks,
Rob McEwen
On Wednesday, December 8, 2004, 7:25:31 PM, Rob McEwen wrote:
> 1st, I'm not a SpamAssassin user. In fact, none of your particular suggestions (so far) regarding local whitelisting will benefit me.
OK, that's fine, but please choose a parent zone you control if you want to set up a subdomain.
And please ask your application writers to support a local whitelist, like SA does. It's a good way to prevent a lot of unnecessary DNS queries.
> 2nd, I'm running the TreeWalk DNS caching server on my Windows 2000 server and everything running on my box looks to this application for DNS resolution. TreeWalk by default goes to the root servers for advice... except where I have specified otherwise in some "forwarders" strategically set up. Some of these point to my Hosting provider's DNS server... some point elsewhere.
OK, I'm not familiar with that program, but you may need to have it forward the local whitelist zone to itself in order to prevent outbound zone transfer requests. (If it has the ability to query the root servers, it probably also has the ability to request transfers of more specific zones such as the fake ones you're trying to set up for local whitelisting (or blacklisting).)
> 3rd, ...and most important... this TreeWalk DNS server is **local only**. It is NOT a DNS server that propagates info elsewhere and it ONLY serves up domain resolution to applications running on my box. In fact, there is security set up where my TreeWalk implementation will NOT serve requests from outside my box.
We're not concerned about inbound requests to your box or what it serves or doesn't serve to the outside world. The problem with fake subdomains is that they usually send out packets to the zone's parents regarding the delegation. Those packets are essentially extraneous noise to the parent zone's name servers. Dealing with those unnecessary packets causes the name servers some load, causes logging and generally annoys operators of those name servers.
> Finally, the app that I'm using for DNSBL lookups doesn't provide a means to manually whitelist individual entries.
> [...]
> Again, I'm sure that there must be a way for me to get what I want... and it seems like even if I'm doing something that isn't "by the book" there must be a way to accomplish it without the more nasty repercussions that you refer to.
Yes, ask the application makers to add a whitelisting feature.
Jeff C. -- "If it appears in hams, then don't list it."