To: dfrussell; taxcontrol
You guys are missing my point. It's one lookup for you, but the problem is not on the local level. It's not your DNS machine that gets gummed up, but the higher-level DNS machine that has a flood of umpteen zillion requests - all for the same nonexistent record, and all in the span of three seconds - from your DNS machine and all the other DNS machines that query it. It's a problem of hierarchy, one that you don't see down there at the bottom of the pile, because it's the mid-level DNS machines that are getting hit with ten million A-record requests per microsecond, not yours.
48 posted on
01/10/2005 11:40:09 AM PST by
general_re
(How come so many of the VKs have been here six months or less?)
To: general_re
And you missed my point. I never intended to solve the DNS issue, I was looking to solve the mail server and mail delay issues.
Moving the DNS table into memory on the bastion host makes sense from that perspective. It allows the bastion mail relay to determine if the mail is spam or not prior to the mail being forwarded on to the mail server.
You also are making the mistake of applying DNS flow to the bastion server. The server would look up the domain against 1st, the "blacklist", 2nd the outbound cache (a local cache of domains gleaned from outbound mail messages) and then if it could not find it there, would check its own local copy of DNS. If it was not in DNS, then take some action.
Most likely, I would configure it to drop the email. Note that no DNS query is generated. However, if you wanted to, I'm sure you could configure it to do a DNS query but that would not be my recommended solution. Perhaps it could be allowed through but marked as possible spam?
If this flow is followed, it will have the side effect of reducing DNS requests, but I doubt it will be a significant reduction. It would have a significant reduction on the burden placed on the mail host and since fewer emails are being processed, it would be able to process emails with better performance -- or so the theory goes.
Yes it has a trade off - all computer / networking issues do. The trade off is that a new domain, not yet available via incremental updates, or not yet in a full zone transfer, would not be reachable -- UNTIL -- either the DNS was fixed or until one of my employees sent an email to their server (it would show up in the local outbound domain cache).
53 posted on
01/10/2005 11:57:47 AM PST by
taxcontrol
(People are entitled to their opinion - no matter how wrong it is.)
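The lookup order taxcontrol describes above (blacklist first, then the outbound domain cache, then the local DNS copy, then drop or mark as possible spam), as an added example that is not code from the thread. It assumes all three data sources are constructed in-memory sets and, as the post says, makes no network DNS query at any step; the trade-off the post mentions (a new domain is unreachable until an employee mails it) falls out of the same logic.

```python
"""Sender-domain vetting for a bastion mail relay, in the order the post gives.
Added example; data sources are constructed in-memory sets, not real zone data."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    DROP_BLACKLISTED = "drop: sender domain is on the local blacklist"
    ACCEPT_OUTBOUND = "accept: domain was seen in our own outbound mail"
    ACCEPT_LOCAL_DNS = "accept: domain is present in the local DNS copy"
    DROP_UNKNOWN = "drop: domain unknown locally, no remote DNS query made"
    MARK_UNKNOWN = "accept: domain unknown locally, marked as possible spam"


def _domain_of(address: str) -> str:
    """Constructed helper: lowercase the part after '@', reject malformed addresses."""
    if address.count("@") != 1 or not address.rsplit("@", 1)[1].strip():
        raise ValueError(f"malformed address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


@dataclass
class RelayPolicy:
    blacklist: set                      # 1st check: locally maintained blacklist
    outbound_cache: set = field(default_factory=set)  # 2nd: domains gleaned from outbound mail
    local_dns: set = field(default_factory=set)       # 3rd: local copy of DNS (zone transfer / IXFR)
    drop_unknown: bool = True           # the post's preferred action; False = pass through, marked

    def note_outbound(self, recipient: str) -> None:
        """An employee sent mail to this address: learn its domain (the cache side effect in the post)."""
        self.outbound_cache.add(_domain_of(recipient))

    def vet_inbound(self, sender: str) -> Verdict:
        """Decide on an inbound sender without generating any DNS query."""
        domain = _domain_of(sender)
        if domain in self.blacklist:        # blacklist wins even if the domain is cached elsewhere
            return Verdict.DROP_BLACKLISTED
        if domain in self.outbound_cache:
            return Verdict.ACCEPT_OUTBOUND
        if domain in self.local_dns:
            return Verdict.ACCEPT_LOCAL_DNS
        return Verdict.DROP_UNKNOWN if self.drop_unknown else Verdict.MARK_UNKNOWN
```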