
Setting up conditional forwarding in the local DNS server

Article was last updated on September 7, 2015.

Introduction

Most local DNS servers are configured to forward their queries to other, public DNS servers when resolving domain names. This common practice aims to take some load off the root DNS servers, as forwarders have a relatively large cache (so they can resolve names without bothering the root servers too often).

The problem with public forwarders

When an external DNS server is set up as per our recommendations (see the DNS requirements article), the server configured in ORF is a local DNS server, used to query online blacklist databases such as DNS Blacklists and SURBLs. When a sender host or a domain name found in the email is listed, the email gets blacklisted in ORF. Online blacklist providers usually have a daily query quota, i.e., they only accept a limited number of queries from a single DNS server.

If the local DNS server has a public forwarder configured (such as Google DNS servers, OpenDNS servers, the DNS servers of ISPs, etc.), it may not get any replies from blacklist providers: these public servers are shared by many users at once, so they quickly exceed the provider's query limit. This leads to degraded spam filtering performance in ORF (or even false hits under specific circumstances).

Solution: conditional forwarding

By setting up conditional forwarding, the DNS server can be instructed to send all queries for the given blacklist provider's domain directly to the provider's authoritative name server(s), so the public forwarder is bypassed for those queries. All other DNS requests are still sent to the public forwarder.

Instructions

In the following example, we will set up conditional forwarding for the SURBL called uribl.com.

1. Identify the domain name queried

   The domain name queried can be checked in the ORF Administration Tool. If the queried service is a DNS Blacklist, navigate to the Blacklists / DNS Blacklists page, double-click the name of the DNS Blacklist in the list and check the domain on the Lookup tab. If the queried service is a SURBL, navigate to the Blacklists / SURBL Test page, double-click the name of the SURBL in the list and check the domain on the Lookup tab.

   The domain name queried for uribl.com is black.uribl.com.

2. Compile a list of the authoritative name servers of the blacklist provider

   Open a command prompt and start the nslookup tool (by issuing the command nslookup). Set the query type to NS by issuing the command set q=ns. Enter the domain name you identified in step 1.

   You will get a list of the name servers with their IP addresses. Copy the list of IPs (right-click, choose Mark, select the IPs and press Enter to copy them to the clipboard).
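The following PowerShell script is an added example and is not part of the original KB article. It carries out step 2 (resolving the authoritative name servers of the blacklist domain and their IP addresses) and then creates the conditional forwarder described in the Solution section. It assumes that the local DNS server is the Windows Server DNS role with the DnsServer PowerShell module available (Windows Server 2012 or later), and that it is run in an elevated PowerShell session on the DNS server itself; the zone name follows the KB's uribl.com example and should be replaced with the domain found in step 1.

```powershell
# Added example (not part of the original KB). Assumes the local DNS server is
# the Windows Server DNS role and that the DnsServer PowerShell module
# (Windows Server 2012 or later) is available. Run in an elevated PowerShell
# session on the DNS server itself.

$BlacklistZone = 'black.uribl.com'   # domain identified in step 1 of the KB

# Step 2: list the authoritative name servers (NS records) of the blacklist
# zone. This one-time lookup may itself go through the public forwarder; it is
# the later reputation queries that must bypass it.
$nsRecords = Resolve-DnsName -Name $BlacklistZone -Type NS -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' }

if (-not $nsRecords) {
    throw "No NS records returned for $BlacklistZone; re-check the domain from step 1."
}

# Resolve every name server to its IPv4 address(es). The forwarder needs IP
# addresses, not host names, which is why the KB has you copy the IPs from nslookup.
$masterIPs = foreach ($ns in $nsRecords) {
    Resolve-DnsName -Name $ns.NameHost -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}
$masterIPs = @($masterIPs | Sort-Object -Unique)

if ($masterIPs.Count -eq 0) {
    throw "Could not resolve any name server of $BlacklistZone to an address."
}

Write-Host "Authoritative name servers for ${BlacklistZone}:"
$nsRecords | ForEach-Object { Write-Host ("  {0}" -f $_.NameHost) }
Write-Host "Addresses to use as master servers: $($masterIPs -join ', ')"

# The conditional forwarder described under "Solution": queries for the
# blacklist zone go straight to its authoritative servers, everything else
# still uses the server-wide forwarder. Update the zone if it already exists,
# but never overwrite a zone of another type that happens to have this name.
$existing = Get-DnsServerZone -Name $BlacklistZone -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -eq 'Forwarder') {
    Set-DnsServerConditionalForwarderZone -Name $BlacklistZone -MasterServers $masterIPs
} elseif (-not $existing) {
    Add-DnsServerConditionalForwarderZone -Name $BlacklistZone -MasterServers $masterIPs
} else {
    throw "$BlacklistZone already exists as a $($existing.ZoneType) zone; not touching it."
}

# Check: the zone should now be listed as a Forwarder zone with the expected masters.
Get-DnsServerZone -Name $BlacklistZone |
    Select-Object ZoneName, ZoneType, MasterServers
```

The final Get-DnsServerZone call is the check worth keeping: if ZoneType is not Forwarder, or MasterServers does not match the addresses printed above, blacklist queries are still leaving through the public forwarder. Because providers can move their name servers, re-running the script from time to time keeps the master server list current.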

Applies To

The article above is not specific to any ORF versions.
