Is it possible to tell unbound not to use forwarders only for some specific domains?
Gerben Wierda
gerben.wierda at rna.nl
Sat Dec 28 17:13:23 UTC 2019
I am using unbound and rspamd.
Unbound is configured as follows (snippet)
forward-zone:
name: "."
# Quad9 phising/malware site blocking DNS 9.9.9.9
forward-addr: 9.9.9.9
# Quad9 2nd DNS
forward-addr: 149.112.112.112
# Fallback if Quad9 is out: Google:
# forward-addr: 8.8.4.4
It seems that rspamd doesn’t like that, because the DNS masters for multi.uribl.com and dnl.dnswl.org apparently do not like getting a DNS query forwarded from public DNS servers. Which produces errors like:
2019-12-28 17:47:20 #16267(controller) <gp88ff>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-12-28 17:47:20 #16267(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for 'TTE6_6BJCREYADp1do_TGob69-N7R.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
which breaks rspamd I think
So, I think (not sure) that I am supposed not to use a forwarder to a public DNS provider with rspamd. But that would mean I lose the advantage of Quad9. Hence, I was thinking that I m,ight need to tell unbound an exception for these domains, sidestepping the forwarding. Is that possible? (Does it solve my issue? I don’t know but I’d like to try).
Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20191228/bca60bb9/attachment.htm>
More information about the Unbound-users
mailing list