Free Republic

To: general_re
And you missed my point. I never intended to solve the DNS issue, I was looking to solve the mail server and mail delay issues.

Moving the DNS table into memory on the bastion host makes sense from that perspective. It allows the bastion mail relay to determine if the mail is spam or not prior to the mail being forwarded on to the mail server.

You also are making the mistake of applying DNS flow to the bastion server. The server would look up the domain against 1st, the "blacklist", 2nd the outbound cache (a local cache of domains gleaned from outbound mail messages) and then if it could not find it there, would check its own local copy of DNS. If it was not in DNS, then take some action.

Most likely, I would configure it to drop the email. Note that no DNS query is generated. However, if you wanted to, I'm sure you could configure it to do a DNS query but that would not be my recommended solution. Perhaps it could be allowed through but marked as possible spam?

If this flow is followed, it will have the side effect of reducing DNS requests, but I doubt it will be a significant reduction. It would significantly reduce the burden placed on the mail host, and since fewer emails are being processed, it would be able to process emails with better performance -- or so the theory goes.

Yes, it has a trade-off - all computer / networking issues do. The trade-off is that a new domain, not yet available via incremental updates, or not yet in a full zone transfer, would not be reachable -- UNTIL -- either the DNS was fixed or until one of my employees sent an email to their server (it would show up in the local outbound domain cache).
53 posted on 01/10/2005 11:57:47 AM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)


To: taxcontrol
That's fine, but it's those DNS lookups that are causing the problem described here, and that's the problem, on a global level, that needs solving.

The trade-off is that a new domain, not yet available via incremental updates, or not yet in a full zone transfer, would not be reachable -- UNTIL -- either the DNS was fixed or until one of my employees sent an email to their server (it would show up in the local outbound domain cache).

How do you know if the DNS information has been updated unless you ask? Wait a week for the next zone transfer to propagate? If the answer is "no", we're back to square one ;)

55 posted on 01/10/2005 12:21:55 PM PST by general_re (How come so many of the VKs have been here six months or less?)

To: taxcontrol
Most likely, I would configure it to drop the email. Note that no DNS query is generated. However, if you wanted to, I'm sure you could configure it to do a DNS query but that would not be my recommended solution. Perhaps it could be allowed through but marked as possible spam?

In general, dropping anything except a virus is a bad idea and will eventually cause grief for the admin.

If inbound email relays are configured to simply refuse email from invalid domains, afterwards, it becomes a problem for the intermediate relay... which should not have accepted it anyway, so no big deal.

That said, maintaining a local domain name blacklist to circumvent a lookup is not a workable solution due to the frequency at which bogus domains are sent/changed... even the domain names included in spam are now changing rather frequently and they have to resolve.

For spam control, you want to nibble away at the content via multiple filters rather than trying to get it all at one time.

58 posted on 01/10/2005 1:37:20 PM PST by dfrussell



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson