From: Ace Fekay [MCT] on 28 Dec 2009 20:53

"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:Ocf9bV%23hKHA.5520(a)TK2MSFTNGP06.phx.gbl...
>> I never used ODNS, so this is new to me. Understanding DNS and its
>> processes, this kind of tells me why would anyone use it? Same with
>> the DNSBL service.
>
> It's easy, Ace, lemme put it plain; let's use spamhaus as the DNSBL
>
> You run a mailserver and your own DNS (no forwarders)
>
> your mailserver uses "zen.spamhaus.org" as one of the DNSBLs
>
> upon incoming connections, your mailserver (the IMF in this case)
> runs a query against the auth DNS for "zen.spamhaus.org" to check
> if the connecting IP is blacklisted
>
> the auth DNS servers for the spamhaus zone see your IP and keep
> a track of the queries you issue, so, if your query/time ratio goes over
> a given limit, they suddenly start answering an NXDOMAIN to further
> queries
>
> the above never happens to you since your email volume is under
> the limit (which is quite high) so you will never see such a behaviour,
> otherwise, in case you'll be facing such an issue, this would mean
> that you'll need to purchase an account with spamhaus... anyways...
>
> let's look at the above scenario but let's say you use the opendns
> servers as your forwarders; your DNS along with some thousands
> other systems is using the ODNS resolvers, so the spamhaus auth
> DNS will see the queries coming from the ODNS IPs and not from
> your own one, this means that the rate limiter will quickly kick in for
> the ODNS IPs and this in turn will render the DNSBL queries useless
>
>> Thanks to Susan, I'm glad you jumped in on this thread. It helped
>> understand what is going on. :-)
>
> Hehe... she posted a note elsewhere and at first I didn't realize it
> was related to an NG thread but when I realized that and saw your
> name I immediately jumped in :D
>
>> A belated Merry Christmas to you and yours, and a Happy New Year!
>
> ditto :D !!!!
>
>

Oh, duh!

I misinterpreted DNSBL for some reason. I used various DNSBLs with the IMF, but have never used ODNS in this respect. I'm curious as to the limits the various DNSBLs use, such as Spamhaus, Spamcop, etc. I've never encountered any limits, but then again, for my smaller clients, using the IMF would never see such a limit. For larger customers that I've worked with, such as a pharma, we used a third party gateway, one of note was IronMail from CA. CA uses Trusted Source, which is essentially a pay-for service that is part of the IronMail purchase/subscription, which has no limits only because of that reason.

Interesting use limit scenario. So I had to look it up, and found the following:

The Spamhaus Project - DNSBL Usage Limits
www.spamhaus.org/organization/dnsblusage.html

In summary, the link indicates the service is free unless (quoted):

1. Your use of the Spamhaus DNSBLs is non-commercial*, and
2. Your email traffic is less than 100,000 SMTP connections per day, and
3. Your DNSBL query volume is less than 300,000 queries per day.

As for DNS injection, Network Solutions was doing that a few years ago, but they wound up removing it after numerous complaints.

Ace
From: Chucko on 29 Dec 2009 00:04

One more thing to add to this discussion is that you can configure the Exchange Virtual SMTP Server to use a different DNS than the rest of the system uses.

You can find that configuration tab under default SMTP Virtual Server Properties, Delivery, Advanced, Configure.

That way you can use DNS servers that provide the proper NXDOMAIN response for the SMTP mail traffic and something like Open DNS for the Server and Workstations. That is how I normally set it up. I was trying out and testing the Google DNS servers for SMTP traffic and that is how I found out about the initial problem.

"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:OzscoG4hKHA.5520(a)TK2MSFTNGP06.phx.gbl...
> "Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:epvXYk1hKHA.2160(a)TK2MSFTNGP02.phx.gbl...
>>
>> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message
>> news:uaKpf60hKHA.4872(a)TK2MSFTNGP05.phx.gbl...
>>
>>> Is this a big issue with you and your clients?
>>>
>>
>> Big issue for me. I'm on the Canadian Internet Registration Authority
>> board of directors. We manage the DNS for the .ca ccTLD. We answer
>> 400,000 DNS queries per minute and it's some of those answers that are
>> getting modified. It's a question of trust in the system. DNSSEC will
>> solve this anyway so it's annoying but it will go away given time.
>>
>> For my clients it can be an inconvenience. Usually it's just odd NDRs but
>> I have seen a case where an Exchange server was brought to its knees
>> because of not seeing NXDOMAIN responses. Several workstations were
>> infected and generating a lot of spam email through the Exchange server.
>> Because the server wasn't seeing any NXDOMAIN replies it kept trying
>> non-existing email servers. It was easily fixed but for an hour or so no
>> email was flowing.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>>
>>
>>
>>
>
>
> As I have mentioned, I have several friends using OpenDNS, and they think
> it works fine, however not ever having used it, I can't comment much more
> on it. I would rather use my own DNS servers internally, and the
> registrar's DNS as forwarders. Therefore, depending on how the Exchange
> server is setup, meaning that if the SMTP service is configured to use an
> external DNS, and is pointed to OpenDNS, then the lack of NXDOMAIN
> responses may occur, from what you are saying. But as I said, I don't use
> OpenDNS and don't really know. I usually just leave Exchange to use the
> internal AD servers, with forwarders, and it works fine.
>
> Ace
>
From: Kerry Brown on 29 Dec 2009 01:29

I love these newsgroups. Learn something useful every day. I see you can do this in Exchange 2007 as well.

Thanks,

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"Chucko" <chucko(a)myrealbox.com> wrote in message news:#Y2RcREiKHA.3792(a)TK2MSFTNGP02.phx.gbl...
> One more thing to add to this discussion is that you can configure the
> Exchange Virtual SMTP Server to use a different DNS than the rest of the
> system uses.
>
> You can find that configuration tab under default SMTP Virtual Server
> Properties, Delivery, Advanced, Configure.
>
> That way you can use DNS servers that provide the proper NXDOMAIN response
> for the SMTP mail traffic and something like Open DNS for the Server and
> Workstations. That is how I normally set it up. I was trying out and
> testing the Google DNS servers for SMTP traffic and that is how I found
> out about the initial problem.
>
> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message
> news:OzscoG4hKHA.5520(a)TK2MSFTNGP06.phx.gbl...
>> "Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message
>> news:epvXYk1hKHA.2160(a)TK2MSFTNGP02.phx.gbl...
>>>
>>> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message
>>> news:uaKpf60hKHA.4872(a)TK2MSFTNGP05.phx.gbl...
>>>
>>>> Is this a big issue with you and your clients?
>>>>
>>>
>>> Big issue for me. I'm on the Canadian Internet Registration Authority
>>> board of directors. We manage the DNS for the .ca ccTLD. We answer
>>> 400,000 DNS queries per minute and it's some of those answers that are
>>> getting modified. It's a question of trust in the system. DNSSEC will
>>> solve this anyway so it's annoying but it will go away given time.
>>>
>>> For my clients it can be an inconvenience. Usually it's just odd NDRs
>>> but I have seen a case where an Exchange server was brought to its
>>> knees because of not seeing NXDOMAIN responses. Several workstations
>>> were infected and generating a lot of spam email through the Exchange
>>> server. Because the server wasn't seeing any NXDOMAIN replies it kept
>>> trying non-existing email servers. It was easily fixed but for an hour
>>> or so no email was flowing.
>>>
>>> --
>>> Kerry Brown
>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>> http://www.vistahelp.ca/phpBB2/
>>>
>>>
>>>
>>>
>>
>>
>> As I have mentioned, I have several friends using OpenDNS, and they think
>> it works fine, however not ever having used it, I can't comment much more
>> on it. I would rather use my own DNS servers internally, and the
>> registrar's DNS as forwarders. Therefore, depending on how the Exchange
>> server is setup, meaning that if the SMTP service is configured to use an
>> external DNS, and is pointed to OpenDNS, then the lack of NXDOMAIN
>> responses may occur, from what you are saying. But as I said, I don't use
>> OpenDNS and don't really know. I usually just leave Exchange to use the
>> internal AD servers, with forwarders, and it works fine.
>>
>> Ace
>>
>
>
From: ObiWan [MVP] on 29 Dec 2009 04:58

> In summary, the link indicates the service is free unless (quoted):
>
> 1. Your use of the Spamhaus DNSBLs is non-commercial*, and
> 2. Your email traffic is less than 100,000 SMTP connections per day, and
> 3. Your DNSBL query volume is less than 300,000 queries per day.

exactly, now, since the spamhaus DNS servers only see the IP of the querying box, in case your DNS is using the OpenDNS servers as forwarders, the spamhaus DNS will see the IPs of the OpenDNS servers since the query "chain" will be

exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS

now, the above means that anyone using the same config will be seen by the spamhaus DNS with the SAME IP, so even a bunch of low traffic email servers may quickly go above the allowed spamhaus query rate (as seen above) and this in turn would result in NXDOMAIN answers being returned by the spamhaus DNS servers

and btw the same (rate limit) issue is also true for most/all other DNSBLs not just for spamhaus

bottom line, if one has a DNS server, better using it and not some external forwarder (set aside the exceptions I listed into another post in this same thread) since such a setup will avoid a lot of troubles ... and since with such a setup YOU will be back in control of YOUR DNS resolution :)
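The two failure modes the thread describes (a shared forwarder IP that gets rate-limited, so the DNSBL answers NXDOMAIN for everything, and a forwarder that rewrites NXDOMAIN into an address, so the mail server never sees "not found") can both be caught from the mail server's own side. The following is an added example, not code from the thread or from Spamhaus; it builds the reversed-octet DNSBL query name, interprets the answer, and probes the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be) through the same resolution path the filter uses. The three resolvers at the bottom are constructed stand-ins with made-up listings, so nothing here touches the network.

```python
"""DNSBL lookup semantics plus a health check for the resolution path.

Added example; not code from the thread. The resolvers at the bottom are
constructed stand-ins for real DNS with hypothetical listings.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")  # where real DNSBL answers live


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_sender(ip: str, zone: str, resolve: Resolver) -> str:
    """Classify a connecting IP as 'listed', 'not listed' or 'bogus answer'.

    NXDOMAIN means not listed.  A listing is an address in 127.0.0.0/8;
    anything outside that range did not come from the DNSBL, which is the
    signature of a resolver that rewrites NXDOMAIN into a search page.
    """
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return "not listed"
    if all(ipaddress.IPv4Address(a) in DNSBL_CODES for a in answer):
        return "listed"
    return "bogus answer"


def resolver_health(zone: str, resolve: Resolver) -> str:
    """Probe the RFC 5782 test addresses through the mail filter's own path."""
    positive = check_sender("127.0.0.2", zone, resolve)  # must be listed
    negative = check_sender("127.0.0.1", zone, resolve)  # must be NXDOMAIN
    if positive == "listed" and negative == "not listed":
        return "ok"
    if positive == "not listed":
        return "dnsbl unreachable or rate-limited"  # fail-open: every sender looks clean
    if negative != "not listed":
        return "resolver answers nonexistent names"  # NXDOMAIN redirection
    return "unexpected answers"


# --- constructed resolvers standing in for real DNS (hypothetical data) ---
ZONE = "zen.spamhaus.org"
LISTED: Dict[str, List[str]] = {
    dnsbl_name("127.0.0.2", ZONE): ["127.0.0.2"],   # RFC 5782 test entry
    dnsbl_name("192.0.2.10", ZONE): ["127.0.0.4"],  # hypothetical listed sender
}


def direct(name: str) -> Optional[List[str]]:
    """Your own DNS talking straight to the authoritative servers."""
    return LISTED.get(name)


def rate_limited(name: str) -> Optional[List[str]]:
    """Shared forwarder IP over the query limit: NXDOMAIN for everything."""
    return None


def hijacking(name: str) -> Optional[List[str]]:
    """Forwarder that replaces NXDOMAIN with a search-page address."""
    return LISTED.get(name) or ["198.51.100.7"]


if __name__ == "__main__":
    for label, resolver in (("direct", direct), ("rate-limited", rate_limited),
                            ("hijacking", hijacking)):
        print(f"{label:13s} health={resolver_health(ZONE, resolver):38s} "
              f"192.0.2.10={check_sender('192.0.2.10', ZONE, resolver)} "
              f"203.0.113.5={check_sender('203.0.113.5', ZONE, resolver)}")
```

Running the health probe periodically against each DNSBL zone the IMF uses gives an early warning for both problems: a rate-limited path reports every sender as clean, while an NXDOMAIN-rewriting path reports answers outside 127.0.0.0/8, which is the "bogus answer" case a filter should treat as a resolver fault rather than a listing.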
From: ObiWan [MVP] on 29 Dec 2009 05:08

> We block all DNS queries from all nodes except the DNS server -
> that would be the SBS box itself.

good setup, ensure to do the same for SMTP too :)

> Interesting question - SBS and a separate Terminal Server using Open
> DNS for web site filtering.

uhm... let me understand, you have two servers, one is running sbs and has its own DNS server w/o any forwarder, another one is used as a TS and its network settings are configured so that the DNS IPs point to OpenDNS ? That's totally crazy imHo :( it would badly screw the AD

> Since the forwarders have to use ODNS's DNS servers, how would
> you have SBS not be seen as originating from ODNS when doing
> RBL checks while still using ODNS for web blocking?

you have TWO solutions

the first one (which I prefer) is to setup a DNS server on the TS, ensure the TS DNS has a copy of the local AD zones and then configure it to use ODNS forwarder, next setup the TS machine to use its own IP as the DNS; this way the SBS box won't be using OpenDNS while the TS will

the second one is... pointing both SBS and TS to the SBS DNS then configuring conditional forwarding on the SBS DNS so that queries directed to the DNSBL in use will go straight to the auth servers for those domains while all other queries will be forwarded to the OpenDNS servers

in spamhaus case, the DNS can be obtained by running

nslookup -type=NS spamhaus.org

the same goes for the DNS for all the other DNSBL zones you are using in IMF

but, again, I'd prefer the first solution since this one would force you to keep your DNS up-to-date whenever you'll change the DNSBLs you use
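The second solution above is a routing decision: queries under a DNSBL zone go to that zone's authoritative servers (found with `nslookup -type=NS`), everything else goes to the external forwarder. The following is an added example, not code from the thread or from Windows DNS; it models that decision with a longest-suffix match (assumed here to mirror how a conditional forwarder for the most specific zone wins) and implements the caveat at the end of the post: a DNSBL zone added to the IMF without a matching conditional forwarder silently falls through to the external resolver. All server addresses are constructed placeholders from the documentation ranges.

```python
"""Conditional-forwarder routing for DNSBL zones.

Added example; not the thread's or Windows DNS's own code. Server addresses
are constructed placeholders, not real resolvers.
"""
from typing import Dict, List, Tuple

# Hypothetical addresses from the documentation ranges, not real servers.
EXTERNAL_FORWARDERS = ["192.0.2.53"]                   # stands in for the ODNS resolvers
CONDITIONAL: Dict[str, List[str]] = {
    "spamhaus.org": ["203.0.113.10", "203.0.113.11"],  # stands in for its NS addresses
}


def pick_upstream(qname: str, conditional: Dict[str, List[str]],
                  default: List[str]) -> Tuple[str, List[str]]:
    """Return (matched zone, server list) for a query; '' means the default.

    Suffixes are tried from the longest down, so the most specific
    conditional-forwarder zone wins (assumed to mirror Windows DNS).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in conditional:
            return zone, conditional[zone]
    return "", default


def missing_forwarders(dnsbl_zones: List[str],
                       conditional: Dict[str, List[str]]) -> List[str]:
    """DNSBL zones whose lookups would leak to the default forwarder.

    Uses the RFC 5782 test name (2.0.0.127.<zone>) as a representative query.
    """
    return [z for z in dnsbl_zones
            if pick_upstream("2.0.0.127." + z, conditional, [])[0] == ""]


if __name__ == "__main__":
    for q in ("10.2.0.192.zen.spamhaus.org", "www.example.com"):
        print(q, "->", pick_upstream(q, CONDITIONAL, EXTERNAL_FORWARDERS))
    # Adding Spamcop to the IMF without touching the DNS config leaks its queries:
    print("missing:", missing_forwarders(["zen.spamhaus.org", "bl.spamcop.net"], CONDITIONAL))
```

The `missing_forwarders` check is the part worth keeping: run it over the DNSBL list the IMF is configured with whenever that list changes, and any zone it reports is one whose queries will be seen by the DNSBL as coming from the shared forwarder IP rather than from the SBS box.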