Tuesday, 1. February 2005

What port do I need to open for DNSBL queries?
More Google fodder, and an entry for my planned FAQ section.
I am often asked what port needs to be open on a firewall to permit DNSBL queries to work correctly.
If your Domino server (or any other SMTP MTA for that matter) can send Internet email then the necessary port is already open.
DNSBL queries are just DNS lookups (UDP/53 and, strictly speaking, TCP/53 as well, though TCP is rarely called on). When your MTA sends email it is already doing a DNS lookup to find the MX or a host A record for the target domain. A DNSBL lookup simply creates a "hostname" out of the reversed dotted quad of the IP address to be checked, followed by the DNSBL zone name, and then looks for a host A record for that name using ordinary DNS.
This also means that you must be careful what you use as DNSBL sites. I have seen one recent report of a site attempting DNSBL lookups on abuse.net. abuse.net does not operate a DNSBL, but does have a wildcard A record for all non-existent hosts in that domain. It returns 127.255.255.255 and this would appear to most DNSBL lookups (including Domino's) to be a hit. Thus every possible IP address would cause a DNSBL "hit" on abuse.net - don't do it. Choose your DNSBL sites thoughtfully.
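As an added illustration (not code from the original post), the following Python builds the reversed-quad query name described above, interprets a DNSBL answer, and sanity-checks a zone before trusting it, using the RFC 5782 convention that 127.0.0.1 is never listed and 127.0.0.2 always is. The resolver is injected so the example runs offline; `bl.example` is a hypothetical zone, and the `abuse.net` branch simulates the wildcard behaviour the post describes.

```python
import ipaddress
from typing import Callable, Dict, Optional

# A resolver maps a hostname to its A record, or None for NXDOMAIN.
# It is injected here so the example runs without real DNS.
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the dotted quad and append the DNSBL zone, e.g.
    192.0.2.10 + bl.example -> 10.2.0.192.bl.example."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    reversed_quad = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_quad}.{zone.strip('.')}"

def is_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.x.y.z answer if the IP is listed, else None.
    An A record outside 127.0.0.0/8 is not a valid DNSBL answer and
    is ignored rather than treated as a hit."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer

def zone_is_usable(zone: str, resolve: Resolver) -> bool:
    """Sanity-check a zone before relying on it. RFC 5782 convention:
    127.0.0.1 must never be listed and 127.0.0.2 must always be listed.
    A wildcard zone like the abuse.net case 'lists' 127.0.0.1 and fails."""
    return (is_listed("127.0.0.1", zone, resolve) is None
            and is_listed("127.0.0.2", zone, resolve) is not None)

# Constructed stand-in for DNS: one well-behaved hypothetical zone
# (bl.example) and one that answers every name, like abuse.net's wildcard.
_RECORDS: Dict[str, str] = {
    "2.0.0.127.bl.example": "127.0.0.2",   # RFC 5782 test entry
    "10.2.0.192.bl.example": "127.0.0.2",  # a listed sender (constructed)
}

def fake_resolve(name: str) -> Optional[str]:
    if name.endswith(".abuse.net"):
        return "127.255.255.255"            # wildcard: everything "hits"
    return _RECORDS.get(name)

if __name__ == "__main__":
    for zone in ("bl.example", "abuse.net"):
        print(zone, "usable:", zone_is_usable(zone, fake_resolve),
              "198.51.100.7 listed:", is_listed("198.51.100.7", zone, fake_resolve))
```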
Category: Domino: Administration