Custom interval in clearing local dns resolver cache

Nisamudeen

New Member
Apr 28, 2017
14
0
1
33
Hi,

I have configured a local DNS resolver for Proxmox Mail Gateway by verifying the post below and it is working perfectly. Meanwhile, while checking logs, I could see spam emails still come in. In my analysis, it happens because the DNS cache gets cleared and updated every 24 hours.

https://forum.proxmox.com/threads/how-to-local-dns-resolver-for-proxmox-mail-gateway.41189/

If we change this interval to two hours, the list gets updated faster, the IP was on the blacklist and the mails will be rejected. Currently our spam check is updating only every 24 hours, so we get 24 hours of spam.

So I think the solution is to clear the DNS cache every one or two hours so that the latest DNS is there. Is there any solution or recommendation?
 

heutger

Active Member
Apr 25, 2018
674
169
43
Fulda, Hessen, Germany
www.heutger.net
First of all, I would not use bind but would use unbound. Second, are you sure that spam mails just come in for a listed IP until 24 hours later your cache is rechecking? Usually, if the sending IP first tries to access, the DNS looks up if it's blacklisted or not. For sure, between lookup and next lookup, that could change, but depending on the list, the TTL should be set to a value such that you will get a fast response on a new entry. So if checking e.g. 2.0.0.127.zen.spamhaus.org I see a TTL of 60, so records seem to be valid for 60 seconds before the caching resolver would check them again, so I don't see any reason why your records should be outdated and you need to flush the cache faster.
 

Nisamudeen
Hi,

>>that spam mails just come in for a listed IP until 24 hours later your cache is rechecking? Usually if the sending IP first tries to access, the DNS is >>looks up if it's blacklisted or not.

Yes, I have explained we have set up local DNS resolvers as repeated DNS SBL queries are blocking our server IPs. Now our local bind service does this lookup. See the URL I have shared.
 

heutger
I know this URL and I also read about it, as I first also installed bind to do the lookups. However, I had many query problems on my commercial test installation because of bind, so I switched to unbound. So that's what I would suggest to you first. Second, having a local resolver as you did is the standard expectation of PMG, either on the machine itself as described in the link you posted or via a centralized resolver in your network, e.g. on your central DNS server beside your internal DHCP server, NAS server, on your UTM solution or Pi-Hole filtering ad domains etc.

However, I can't confirm your caching issues. I run my local unbound without any special settings and it's working well. Looking at the TTL of e.g. Spamhaus, usually the resolver should retry IP addresses before 24 hours. However, there may be lists (especially with unpaid access to the public feed; some RBLs also have private (paid) feeds or require syncing their zone) with a TTL of up to 24 hours (or more), but I never had issues with that and don't know any lists like that. So maybe you should try to switch to unbound, as bind had its good years long ago (similar to nginx over Apache).
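
The TTL check described in the two posts above, as an added example that is not part of the original thread: it reads the positive TTL of a listed answer and the negative-caching TTL (from the SOA returned with a not-listed answer), which together bound how stale a cached DNSBL result can get. The zone `dnsbl.example`, the sample records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the TTLs that bound how long a resolver caches DNSBL answers.

# Build the DNSBL query name: reversed IPv4 octets followed by the list zone.
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Positive TTL: lowest TTL among A records in `dig +noall +answer` output (stdin).
positive_ttl() {
    awk '$3 == "IN" && $4 == "A" { t = $2 + 0; if (!seen || t < min) min = t; seen = 1 }
         END { if (seen) print min }'
}

# Negative TTL (RFC 2308): min(SOA record TTL, SOA MINIMUM), taken from the
# `dig +noall +authority` output of a not-listed (NXDOMAIN) lookup (stdin).
negative_ttl() {
    awk '$3 == "IN" && $4 == "SOA" { t = $2 + 0; m = $NF + 0; print (t < m ? t : m); exit }'
}

# Succeeds when a TTL keeps cached answers no older than the limit (seconds).
ttl_within() { [ "$1" -le "$2" ]; }

# Constructed sample output (illustrative values, not captured from a real list).
SAMPLE_LISTED='2.0.0.127.dnsbl.example. 60 IN A 127.0.0.2
2.0.0.127.dnsbl.example. 60 IN A 127.0.0.4'
SAMPLE_NOT_LISTED='dnsbl.example. 300 IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. 2024010101 3600 600 432000 150'

# Live check through the system resolver: sh dnsbl_ttl.sh --live IP ZONE
if [ "${1:-}" = "--live" ]; then
    name=$(dnsbl_name "$2" "$3")
    out=$(dig +noall +answer +authority "$name" A)
    pos=$(printf '%s\n' "$out" | positive_ttl)
    neg=$(printf '%s\n' "$out" | negative_ttl)
    echo "$name positive_ttl=${pos:-none} negative_ttl=${neg:-none}"
    limit=7200   # the two-hour interval asked for in the thread
    for t in $pos $neg; do
        ttl_within "$t" "$limit" || echo "TTL $t exceeds ${limit}s; cap it in the resolver"
    done
fi
```

When the query goes through a caching resolver, `dig` shows the remaining TTL rather than the published one. unbound's `cache-max-ttl` and `cache-max-negative-ttl` (BIND: `max-cache-ttl`, `max-ncache-ttl`) cap these values without flushing the cache.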
 

tuonoazzurro

Member
Oct 28, 2017
63
1
8
28
> First of all, I would not use bind but would use unbound. Second, are you sure that spam mails just come in for a listed IP until 24 hours later your cache is rechecking? Usually, if the sending IP first tries to access, the DNS looks up if it's blacklisted or not. For sure, between lookup and next lookup, that could change, but depending on the list, the TTL should be set to a value such that you will get a fast response on a new entry. So if checking e.g. 2.0.0.127.zen.spamhaus.org I see a TTL of 60, so records seem to be valid for 60 seconds before the caching resolver would check them again, so I don't see any reason why your records should be outdated and you need to flush the cache faster.

Hi, can you share a valid/optimal config for unbound?

Thanks
 

tuonoazzurro
> See my advancing thread, I installed unbound out of the box without any adjustments. It's working well. My setup is described there, planning to do a GitHub therefor also.

Thanks for the answer, already read that post, but there is no mention of unbound settings besides just installing it. I've found some settings here: https://forum.proxmox.com/threads/how-to-local-dns-resolver-for-proxmox-mail-gateway.41189/post-201416

I'm trying this setting.

My problem is that even if I installed unbound, I'm still locked by uribl.
 

heutger
So that's what I did. For sure, I also changed PMG to use the local DNS server. If you're still locked after that, it seems your server produces too many queries against uribl. If your mail flow is larger than 100.000 messages per day, you're required to purchase a subscription (also if you use the service commercially, e.g. offering an anti-spam solution to your customers); then you may get a feed for more queries or are required to set up an rsync resolver for your own queries and rsync the data against uribl.
 
