Using barracuda DNSBL with Postfix

This is how I currently use zen.spamhaus.org to block spam on Postfix:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_rbl_client zen.spamhaus.org,
  reject_unauth_destination

Spamhaus doesn't require any registration, so I just use it. Works fine.

But some spam still gets through and I now want to try adding barracuda in front of spamhaus. The problem is that barracuda requires registration at http://www.barracudacentral.org/account/register

This is what they write: "Enter the IP addresses of name servers (DNS servers) that will be making queries. Separate each address with a comma."

What IP address should I enter? My mail server linode is not a DNS server, so I'm confused.

5 Replies

You probably need to run your own local recursive DNS server to work with that registration. Even if you could register with linode's recursive DNS server IP's, you probably wouldn't want to take responsibility for all the traffic that might start coming from them once all the other linode customers figured out they could now use that list without registering.

@Stever:

> You probably need to run your own local recursive DNS server to work with that registration. Even if you could register with linode's recursive DNS server IP's, you probably wouldn't want to take responsibility for all the traffic that might start coming from them once all the other linode customers figured out they could now use that list without registering.

I don't fully understand.

Suppose I just add the server without registering:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_rbl_client b.barracudacentral.org,
  reject_rbl_client zen.spamhaus.org,
  reject_unauth_destination

What adverse effects could that have on me and my own node?

Do I really need to bother creating my own DNS server?

> The Barracuda Reputation Block List (BRBL) is available free of charge to anyone who wants to use it. We simply request that you provide the list of IP addresses of your domain name servers (DNS servers) that will be making queries. IP addresses not listed may be blocked, rate controlled or otherwise denied access without warning.

I have no idea how seriously they take the requirement for registration, but if you just start using it through linode's recursive DNS you will be "blocked, rate controlled or otherwise denied access" based on any traffic they receive from the linode recursive servers, which is somewhat beyond your control.

If you instead run your own recursive DNS and register your IP with them, then the traffic they hold you accountable for will be limited to what you yourself generate.

@Stever:

> > The Barracuda Reputation Block List (BRBL) is available free of charge to anyone who wants to use it. We simply request that you provide the list of IP addresses of your domain name servers (DNS servers) that will be making queries. IP addresses not listed may be blocked, rate controlled or otherwise denied access without warning.
>
> I have no idea how seriously they take the requirement for registration, but if you just start using it through linode's recursive DNS you will be "blocked, rate controlled or otherwise denied access" based on any traffic they receive from the linode recursive servers, which is somewhat beyond your control.
>
> If you instead run your own recursive DNS and register your IP with them, then the traffic they hold you accountable for will be limited to what you yourself generate.

Thanks. I have some further questions due to my ignorance of DNS:

1. When I DNS resolve on my linode, by e.g. typing in "host linode.com" (or when Postfix does a DNS resolve using a barracuda URL), who is really doing the DNS resolve? The linode DNS servers, I take it? So in the barracuda case, do the barracuda servers get a connection from my own linode's IP address or do they just see a request from the linode DNS server IP address?

2. Suppose they ban/limit "me" for using their service without registering (as we discussed earlier). Will that in any way affect my own linode IP address? Or will it just affect the linode DNS servers, thereby harming all other linode users who practice the same thing?

3. When you say "recursive" DNS server, are all DNS servers recursive or is it possible to have non-recursive DNS servers? (Just wondering if there is anything special about "recursive" or whether it's just a part of the concept.)

4. Do you have any easy steps on how to set up my own recursive DNS server on Ubuntu 12.04? There doesn't appear to be anything on it in the linode library.

@dee4:

> 1. When I DNS resolve on my linode, by e.g. typing in "host linode.com" (or when Postfix does a DNS resolve using a barracuda URL), who is really doing the DNS resolve? The linode DNS servers, I take it? So in the barracuda case, do the barracuda servers get a connection from my own linode's IP address or do they just see a request from the linode DNS server IP address?
>
> 2. Suppose they ban/limit "me" for using their service without registering (as we discussed earlier). Will that in any way affect my own linode IP address? Or will it just affect the linode DNS servers, thereby harming all other linode users who practice the same thing?
>
> 3. When you say "recursive" DNS server, are all DNS servers recursive or is it possible to have non-recursive DNS servers? (Just wondering if there is anything special about "recursive" or whether it's just a part of the concept.)
>
> 4. Do you have any easy steps on how to set up my own recursive DNS server on Ubuntu 12.04? There doesn't appear to be anything on it in the linode library.

A normal setup has your DNS request going to the linode recursive servers, which then perform the lookup for you and reply with what they find. The barracuda DNS servers will never know your IP in this process - they will only see the linode recursive server. So if they decide to ban an IP it will be the linode recursive server and anyone else who was doing the same thing would be affected, although I imagine if others were already doing this they would have probably already triggered the ban.

There is a ton of info on this out there, but a simplified way to think about it is that a recursive DNS server is used to perform DNS queries, while a non-recursive (or authoritative) DNS server is used to answer them. And I don't mean to be condescending, but truly if you can't figure out for yourself how to run a recursive DNS server on your linode you probably shouldn't be doing it. The main thing to keep in mind is that you should not expose a recursive nameserver to the internet - it should only be accessible to you.
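To make the mechanics behind the replies concrete, here is an added example (not code from the thread or from Postfix): it shows what name Postfix actually looks up for `reject_rbl_client`, which resolver that query leaves through (the `nameserver` lines of `/etc/resolv.conf`, which is the address the list operator sees), and how to read the answer. The `RESOLV_CONF_SAMPLE` file contents and the `203.0.113.45` client address are constructed; the return-code meanings for `b.barracudacentral.org` and `zen.spamhaus.org`, and the Spamhaus convention of signalling query problems (such as queries arriving from a public or over-quota resolver) with `127.255.255.0/24` answers instead of a listing, are assumed from the operators' published tables and should be checked against current documentation.

```python
"""Added example: how a Postfix reject_rbl_client lookup is formed, who sends
it, and how to read the result. Not part of the original thread.

Assumptions (not from the original posts):
- RESOLV_CONF_SAMPLE is a constructed /etc/resolv.conf, not a real host's file.
- RETURN_CODES and the 127.255.255.0/24 "query error" range follow the list
  operators' published tables; verify against current documentation.
"""
import ipaddress
import socket

# Constructed sample of /etc/resolv.conf on a host that uses its provider's
# recursive resolvers. The "nameserver" entries are the machines that forward
# the DNSBL query, so they are the IPs the list operator actually sees.
RESOLV_CONF_SAMPLE = """\
# Generated by the provider (constructed sample)
domain example.invalid
nameserver 192.0.2.53
nameserver 192.0.2.54
options rotate
"""

# Meaning of the A record returned for a listed address, per zone (assumed).
RETURN_CODES = {
    "b.barracudacentral.org": {"127.0.0.2": "listed in BRBL"},
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL (spam source)",
        "127.0.0.3": "CSS (snowshoe spam source)",
        "127.0.0.4": "XBL (compromised host)",
        "127.0.0.9": "SBL (DROP/EDROP)",
        "127.0.0.10": "PBL (dynamic / end-user address)",
        "127.0.0.11": "PBL (ISP-maintained)",
    },
}

# Spamhaus answers in this range mean "your query was refused or malformed",
# for example queries sent via a public resolver or over the free quota.
QUERY_ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses a stub resolver would send queries to."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dnsbl_query_name(client_ip, zone):
    """Build the name Postfix looks up: client octets reversed, zone appended."""
    ip = ipaddress.IPv4Address(client_ip)  # ValueError for anything not IPv4
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def interpret_answer(zone, answer):
    """Classify a DNSBL answer as (listed, reason).

    answer is the A record string, or None when the query returned NXDOMAIN.
    """
    if answer is None:
        return (False, "not listed (NXDOMAIN)")
    addr = ipaddress.IPv4Address(answer)
    if addr in QUERY_ERROR_RANGE:
        return (False, "query refused by the list operator (code %s); check resolver" % answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return (False, "unexpected answer %s outside 127/8; investigate" % answer)
    reason = RETURN_CODES.get(zone, {}).get(answer, "listed (code %s)" % answer)
    return (True, reason)


def lookup(client_ip, zone):
    """Live query through the system resolver; returns the A record or None."""
    try:
        return socket.gethostbyname(dnsbl_query_name(client_ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("queries leave via:", resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE))
    for zone in RETURN_CODES:
        print(zone, "->", dnsbl_query_name("203.0.113.45", zone))
    # 127.0.0.2 is the conventional always-listed test address on most DNSBLs.
    print(interpret_answer("zen.spamhaus.org", "127.0.0.2"))
```

Running the script on the mail host itself (rather than with the constructed sample) tells you which resolver addresses would need to go into the Barracuda registration form: if they belong to the provider, that is exactly the shared-accountability problem the replies describe. Note that Postfix's plain `reject_rbl_client zone` treats any A record as a listing; the `reject_rbl_client zone=d.d.d.d` form restricts a reject to a specific return code, which keeps an operator's error code from rejecting mail.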
