Setting up and testing DNSBLs in Domino 6.x
More Google fodder.

I still regularly get enquiries from readers who want to know how to set up and test DNSBL blocking with a Domino 6.x server. Here is a brief checklist:

  • Before you start, your Domino server must have an externally routable IP address and be the preferred MX for your Internet domain.

    If it is not the first host of yours that a sending host connects to, DNSBL look-ups can never work. This is because the DNSBL look-up is done on the IP address of the host that connects to your Domino server. If that is the IP address of your firewall or of some intermediate but trusted relay, then you will never see a DNSBL hit - unless that firewall or relay is itself listed in a DNSBL you are querying, in which case you will reject all email.

  • Assuming the above is satisfied you need to ensure that DNS queries resolve properly from your Domino host.

    DNSBLs work by constructing a "host name" out of the incoming IP address by reversing the order of its octets and appending the name of the DNSBL zone. This "name" is then looked up in the DNS to see if it has an address (an A record). If it does have an address (which is usually 127.0.0.2, though this does vary slightly between lists), then this is a hit on the DNSBL in question.

    For example, a DNSBL look-up on the IP address 127.0.0.2 on the bl.spamcop.net list may be simulated at a command prompt thus:

    C:\>nslookup 2.0.0.127.bl.spamcop.net

    Non-authoritative answer:
    Name: 2.0.0.127.bl.spamcop.net
    Address: 127.0.0.2


    All DNSBLs list the test host 127.0.0.2 (and usually some others) so you can easily test whether DNSBL queries are working on your desired DNSBLs.

  • This may fail, not because there is anything wrong locally, but because some ISPs now "null" queries to popular DNSBLs (usually by giving the zone name a wildcard A record of 127.0.0.1 with a very long TTL). They do this to try to take load off their name servers. If you suspect this is happening, try a manual DNSBL query against an unpopular DNSBL and see if that resolves.

    If it does, you need to protest to your ISP - or change ISP.

  • Finally, you can test whether your Domino host is actually behaving as you expect when it encounters a DNSBL listed sender.

    See the test documented here under the subheading "Testing your SBL Setup".

    Not all DNSBLs offer this test facility, so for the purposes of the test you should configure the Domino server to check either the sbl.spamhaus.org or the sbl-xbl.spamhaus.org list and set it to "log and reject" (I recommend using the Spamhaus lists anyway, so you may already have this turned on). Then proceed with the test as documented.

If your Domino host is the preferred MX for your domain(s), manual queries to the DNSBLs you want to use work correctly, and the Spamhaus test works as expected, then your Domino host is ready to use DNSBLs for real.
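The reversed-octet look-up and the "nulled zone" symptom described above, as an added example that is not part of the original post. It builds the query name, resolves it with the system resolver, and interprets the answer; the zone names used in the comments and test are constructed placeholders, and treating answers outside 127.0.0.0/8 as unexpected is my assumption.

```python
import socket
from ipaddress import IPv4Address, IPv4Network

LOOPBACK = IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, zone appended.
    dnsbl_query_name('127.0.0.2', 'bl.spamcop.net') -> '2.0.0.127.bl.spamcop.net'"""
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address validates the input
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def resolve_a(name):
    """Default resolver: A records for name via the system resolver, [] if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def classify_answer(addresses):
    """Interpret the A records returned for a DNSBL query name."""
    if not addresses:
        return "not listed"
    answers = [IPv4Address(a) for a in addresses]
    if any(a not in LOOPBACK for a in answers):
        # Assumption: genuine DNSBL return codes live in 127.0.0.0/8; anything
        # else means something other than the list answered the query.
        return "unexpected answer"
    if all(a == IPv4Address("127.0.0.1") for a in answers):
        # The wildcard 127.0.0.1 pattern the post attributes to ISPs nulling a zone.
        return "suspect: zone may be nulled upstream"
    return "listed"


def check_ip(ip, zone, resolve=resolve_a):
    """Look up one connecting IP address in one zone and classify the answer."""
    return classify_answer(resolve(dnsbl_query_name(ip, zone)))


def zone_is_usable(zone, resolve=resolve_a):
    """The sanity check from the post: the test host 127.0.0.2 must be listed."""
    return check_ip("127.0.0.2", zone, resolve) == "listed"


if __name__ == "__main__":
    # Placeholder zone (constructed); substitute the list you intend to use.
    print(zone_is_usable("bl.example"))
```

Run zone_is_usable against each list you plan to configure in Domino; a "suspect" result on the 127.0.0.2 test host is the nulled-zone symptom worth raising with your ISP.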


See also:
Debugging DNSBL connectivity


Category: Domino: Administration
Comments:

1. Christian Brandlehner, 08/06/2004 21:30:03
Homepage: http://chris.brandlehner.at


Hi Chris,

I think the following link may be useful to choose the right DNSBL server:
http://www.declude.com/Articles.asp?ID=97
I found good results with "Spamhaus", "Kundenserver" and "DNSRBL".

Christian




2. Chris Linfoot, 09/06/2004 08:34:27


Thanks. That is a useful link though I wonder what "OK" means (5th column of table).

e.g. Why is the multihop list at DSBL "OK"? - it certainly works but it is probably unsafe to use for spam blocking; only really suitable for tagging.

Also, some lists are missing or misspelled.

But mainly they seem to support my current choices which are as of now:

- DSBL
- SORBS
- Spamhaus (sbl-xbl)
- Spamcop
- ORDB
- various Blackholes.us zones

and

- Bonded Sender (DNSWL)




3. Mike, 15/06/2004 21:12:56


Chris,

I'm trying to get DNSBL to work for my Domino Admins. Our Domino Server is hosted in a DMZ and has an RFC1918 address. In front is a Firewall. The MX records are defined with a public IP address, one is domain.com the other is servername.domain.com. When the Firewall receives mail destined to the Domino Server it translates from a public IP to a private IP. Can this work? Do I need to move the Domino Server in front of the Firewall? TIA




4. Chris Linfoot, 16/06/2004 08:24:27


Firewall NAT?

Exactly what we have here. Doesn't matter that the Domino host actually has an RFC1918 address so long as it is directly contactable via a publicly routable address (which in this case is NATted to a private one).

The important thing is that it is the Domino host itself that accepts inbound connections on port 25 when someone attempts to deliver mail to your domain.




5. Fabrice Papirnyk, 09/01/2007 10:14:57


I was not brilliant enough to sort it out using NSLookup on Windows.
After much pain, I discovered an equivalent, with a GUI, and much more comprehensive for dummies: NetDig, available on http://MVPTools.com.
Moreover, it provides something unreachable with NSLookup: the query time, very useful to know which BL or which DNS Server is slow.




6. Chris Linfoot, 09/01/2007 10:36:09


Useful tip. Thanks.



