RBL's & Forwarders?

I was looking at SpamTitan the other day and came across this info:

The importance of DNS

Accurate DNS responses are vital to SpamTitan maintaining a good spam catch rate. SpamTitan queries multiple internet based spam blocking tools using DNS. Due to the very high volume of DNS requests that originate from free/open DNS servers (e.g. 8.8.8.8, 8.8.4.4, 4.2.2.1, etc.) the test providers will not respond to DNS requests from these servers. Do not configure SpamTitan to use free/open DNS servers, or if you are using your own DNS server do not configure it to use free/open DNS servers as a forwarder.

In the above, they do not recommend using free/opendns servers as forwarders.

I'm wondering how the UTM works with this if you were to put extra RBL's into it. Would using a free/opendns to resolve affect any of these?

  • What does "the test providers will not respond to DNS requests from these servers" mean?

    Cheers - Bob

  • I think it is saying the problem flow is:

    • SpamTitan client performs RBL lookup via DNS, to see if a mail source is dangerous.
    • Client environment forwards DNS to Google 8.8.8.8
    • Google forwards DNS request to SpamTitan server.
    • SpamTitan server refuses to answer the Google lookup
    • SpamTitan client receives an NXDOMAIN answer, and assumes that the mail source is safe, possibly incorrectly.

    Short version:   SpamTitan does not have the resources or the money to provide a free DNS lookup service, but DNS is inherently free.   So their workaround is to block Google and Cloudflare and a few others.

    Solution:   Do what they say or use a different RBL.   SpamHaus/Zen and Barracuda are both good options.   Barracuda asks for registration.  SpamHaus asks for money if you are commercial and doing high volume lookups, but I don't know that they have an enforcement mechanism.   MXToolbox.com tracks domain reputation using 65 different RBLs, so you can get a complete list of options there.

    UTM can use any RBL.   The issue is their attempt to restrict access to their DNS server; the client device does not matter.
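A way to check whether a given resolver path actually gets usable RBL answers, added here as an example and not taken from the thread or from any vendor: it queries the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) through the system resolver. The function names and verdict strings are hypothetical; the zone `zen.spamhaus.org` and the 127.255.255.x error range are Spamhaus conventions, assumed here as the RBL under test.

```python
import socket

# RFC 5782 test entries: every DNSBL should list 127.0.0.2 and never list 127.0.0.1.
TEST_LISTED, TEST_CLEAN = "127.0.0.2", "127.0.0.1"

def rbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_lookup(name):
    """Resolve through the system resolver; None means NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_rbl_path(zone, lookup=system_lookup):
    """Classify how this resolver path sees the RBL (verdict names are hypothetical)."""
    listed = lookup(rbl_name(TEST_LISTED, zone))
    clean = lookup(rbl_name(TEST_CLEAN, zone))
    if listed is None:
        # The mandatory test entry looks unlisted: queries are being refused or
        # dropped upstream, so every real sender will look clean as well.
        return "blind"
    if not listed.startswith("127."):
        # Not a DNSBL return code, e.g. a resolver that rewrites NXDOMAIN.
        return "tampered"
    if listed.startswith("127.255.255."):
        # Spamhaus documents this range as error codes (for example, query
        # arrived via a public/open resolver), not as a listing.
        return "error-code"
    if clean is not None:
        # The entry that must never be listed is listed: wildcard answers.
        return "wildcard"
    return "ok"

if __name__ == "__main__":
    # Run on the mail filter itself so the same forwarder chain is exercised.
    print(check_rbl_path("zen.spamhaus.org"))
```

Anything other than `ok` means the filter's RBL verdicts cannot be trusted over that DNS path, which is the failure the flow above describes.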