From: Ace Fekay [MCT] on 30 Dec 2009 21:01

"Chucko" <chucko(a)myrealbox.com> wrote in message news:E4BAEF04-ADFB-432D-B3AB-DD6181DC52E0(a)microsoft.com...
> My bad, I missed it.

No problem. :-)

From: Chucko on 31 Dec 2009 16:26
If what you are saying was true, DNS providers like OpenDNS would already be rate capped by Spamhaus and other DNSBL's, and this is simply not currently happening. On my test system I still get proper responses from all DNSBL's when using OpenDNS.

What about SBS systems not set up to use forwarders - the root servers are where they query when they don't have the DNS information already in their cache, and if what you were saying was true then the root servers would also be rate capped by Spamhaus and other DNSBL's.

According to the OpenDNS folks, they fully support and work with DNSBL's: http://www.opendns.com/support/article/33

In regards to DNS caching, we all know about TTL's, and once a TTL has passed, then a value is refreshed indirectly from the root servers via the authoritative DNS for the domain (or DNSBL). Large DNS providers like OpenDNS adhere to this system, otherwise there would be DNS chaos. I don't believe that OpenDNS overrides TTL's unless they don't get a response from the authoritative DNS server for the domain, and even then, that behavior is configurable.

In summary, I'm not seeing problems at all like you are describing by using OpenDNS on my test SBS 2003 system. It is a fully patched SBS 2003 system, using IMF along with DNSBL's. My test SBS 2003 server is of course a DNS server and it is using forwarders, specifically only OpenDNS. I've been running it this way for several months, except for a few days recently where I used Google DNS for the SMTP DNS queries, and that caused a problem, leading me to make the initial post in this thread.

Now I know that we're all a smart bunch of people here, and I enjoy learning from the peer exchange that forums like this allow. IMHO I just think that maybe a few of you are a bit premature or possibly a bit misinformed in your condemnation of DNS providers like OpenDNS.

"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:eCSFR5TiKHA.3792(a)TK2MSFTNGP02.phx.gbl...
> >>> exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS
>
> >> No kidding. I didn't think of this scenario. So the rate limit could
> >> be quickly reached and everyone is blaming ODNS for it.
>
> Yes... although ODNS still plays a role here, see, their aggressive
> use of caching and TTL overriding means that NXDOMAIN answers
> returned by the DNSBL due to the rate limiter kicking in, will be kept
> in cache for a quite long time causing hosts which should instead
> be BLOCKED by the blacklist to get through; worse, such a thing
> will affect ALL the systems using ODNS for resolution :P
>
> I've nothing against OpenDNS, they're offering a decent service
> and helping to protect against "bad sites" but that's all, I won't
> recommend using OpenDNS as a forwarder/resolver when it
> comes to a server system or a business network for the reasons
> seen in this thread and ... for some others as well :)
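
Added example, not part of any poster's message: a self-test for the question argued in this thread, whether a resolver path (forwarder included) still returns usable DNSBL answers. It relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be). The zone `dnsbl.example`, the status strings and the fake resolvers are constructed for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """DNSBL query name per RFC 5782: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_lookup(name):
    """A records via the OS resolver, i.e. through whatever forwarder is set.
    Any failure (NXDOMAIN, timeout, SERVFAIL) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_resolver_path(zone, lookup=system_lookup):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    listed = lookup(dnsbl_name("127.0.0.2", zone))
    clean = lookup(dnsbl_name("127.0.0.1", zone))
    if not listed:
        # What a cached NXDOMAIN or a refused/rate-limited query looks like:
        # the mail filter would treat every sender as "not listed".
        return "NOT_LISTING"
    if not all(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
               for a in listed):
        # DNSBL answers are 127.0.0.0/8 codes; anything else was substituted.
        return "REWRITTEN"
    if clean:
        return "LISTS_EVERYTHING"
    return "OK"

# Constructed resolver stand-ins so the example runs offline.
def fake_resolver(table, default=()):
    return lambda name: list(table.get(name, default))

ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist
HEALTHY = fake_resolver({"2.0.0.127.dnsbl.example": ["127.0.0.2"]})
STALE_NXDOMAIN = fake_resolver({})
WILDCARD = fake_resolver({}, default=["203.0.113.10"])

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("stale", STALE_NXDOMAIN),
                     ("wildcard", WILDCARD)]:
        print(label, check_resolver_path(ZONE, r))
```

Calling `check_resolver_path` with a real zone and the default `system_lookup` tests the server's actual forwarder path; run on a schedule, it flags the moment a DNSBL stops listing its own test entry.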