First off, I’ve been using EFA for years now and it’s a great solution; especially the greylisting feature, which works wonders for the blanket SPAM my wife’s accounts get.
With the last update, having DNS recursion disabled broke inbound email; that being said, I understand it’s preferred to have recursion enabled. I have a split DNS setup and the email servers resolve to an external IP address with recursion set to enabled in EFA-Configuration, but EFA sits in a DMZ and needs to send email to the internal IP of the email load balancer. What is recommended for this situation? Is everyone adding static entries in the EFA OS to resolve just the internal IP of the mail server(s) and local domains? I would like to have my setup follow best practice if at all possible, to avoid issues in the future.
Hopefully I'm understanding this all correctly, please correct me if I'm wrong.
EFA best practice (DNS recursion enabled)
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: EFA best practice (DNS recursion enabled)
Good question, and the answer is you can make an exception to the recursion in unbound DNS a couple of different ways.
I'll write up the steps. I haven't added the ability to do this to the TUI, but it is pretty straightforward
Re: EFA best practice (DNS recursion enabled)
Hello to all,
The last update to the EFA 4.0.2 also 'broke' the inbound for my EFA. Had to enable the Recursion DNS to be able to receive inbound emails.
I use an internal FW DNS and also have an internal AD DNS. I had the internal FW DNS configured since I want only one DNS resolving all internal requests to the outside.
Thanks for your great work.
Regards.
JG
Re: EFA best practice (DNS recursion enabled)
eFa uses unbound for DNS.
Step 1: ssh and then select 1 for "shell"
Step 2: Create a new file
    sudo vi /etc/unbound/local.d/local.conf
Step 3: Add your local dns entries (check man page for syntax)
Example:
    #My dns additions
    local-data: "sub.example.com A 192.168.100.105"
    local-data-ptr: "192.168.100.105 sub.example.com"
(For more advanced setups you can create a stub zone.)
    private-domain: "example.com"
    local-zone: "1.168.192.in-addr.arpa." nodefault
    stub-zone:
        name: "example.com"
        stub-addr: 192.168.1.100@53
Step 4: restart unbound
    sudo service unbound restart
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: EFA best practice (DNS recursion enabled)
This is one way. Another way to do this is using forward zones.
Create a /etc/unbound/conf.d/localforward.conf
    forward-zone:
        name: example.net.
        forward-addr: <example.net IP1>
        forward-addr: <example.net IP2>
        forward-first: no
    sudo systemctl reload unbound
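Both the local-data/stub-zone post and the forward-zone post above hand-write the same few unbound directives. As an added example that is not part of this thread and not eFa code, the Python script below generates both files from one list of internal hosts and internal domains, and refuses to emit an override for anything that is not an RFC 1918 address. It assumes the RHEL/CentOS unbound layout the thread relies on (local.d included inside the server: clause, conf.d at top level) and that the internal DNS servers also answer reverse lookups for their own block; every host name and address in it is constructed sample data, and the file names follow the thread.

```python
"""Generate the unbound split-DNS overrides discussed in this thread.

Added example, not eFa project code. It assumes the RHEL/CentOS unbound
layout the thread relies on: /etc/unbound/local.d/*.conf is included inside
the server: clause, and /etc/unbound/conf.d/*.conf at top level, which is
where stub-zone:/forward-zone: clauses belong. All names and addresses
below are constructed sample data.
"""
import ipaddress

# Constructed sample data: individual internal hosts the DMZ gateway must reach.
INTERNAL_HOSTS = {
    "mail-lb.example.com": "192.168.100.110",
    "mail1.example.com": "192.168.100.105",
}
# Constructed sample data: an internal domain handed to the internal DNS servers.
INTERNAL_FORWARDS = {"corp.example.net": ["192.168.1.100", "192.168.1.101"]}

# Unbound ships default empty zones for the RFC 1918 reverse space at these cuts:
# 10.in-addr.arpa., 16.172.in-addr.arpa. .. 31.172.in-addr.arpa., 168.192.in-addr.arpa.
RFC1918_BLOCKS = {
    ipaddress.ip_network("10.0.0.0/8"): 8,
    ipaddress.ip_network("172.16.0.0/12"): 16,
    ipaddress.ip_network("192.168.0.0/16"): 16,
}


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name so unbound never treats it as relative."""
    return name.strip().rstrip(".").lower() + "."


def private_ip(ip: str) -> ipaddress.IPv4Address:
    """Accept only RFC 1918 IPv4: an override that points an internal name at a public
    address would silently redirect every client of this resolver."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not any(addr in block for block in RFC1918_BLOCKS):
        raise ValueError(f"{ip} is not an RFC 1918 IPv4 address")
    return addr


def builtin_reverse_zone(ip: str) -> str:
    """Name of unbound's built-in reverse zone covering ip, e.g. 168.192.in-addr.arpa.
    'local-zone ... nodefault' only switches a default off when it names that zone
    exactly, so the cut is taken from RFC1918_BLOCKS rather than from your subnet."""
    addr = private_ip(ip)
    prefix = next(p for block, p in RFC1918_BLOCKS.items() if addr in block)
    octets = str(addr).split(".")[: prefix // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def local_d_snippet(hosts: dict, forwards: dict) -> str:
    """Text for /etc/unbound/local.d/local.conf (server: options)."""
    lines = ["# Split-DNS overrides for the DMZ mail gateway (generated example)"]
    for name, ip in sorted(hosts.items()):
        addr = private_ip(ip)
        lines.append(f'local-data: "{fqdn(name)} A {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn(name)}"')
    for domain, servers in sorted(forwards.items()):
        # With private-address rebinding protection enabled in unbound.conf, answers
        # carrying RFC 1918 addresses are stripped unless the name is a private-domain.
        lines.append(f'private-domain: "{fqdn(domain)}"')
        # An unsigned internal copy of a zone under a signed public parent would be
        # rejected as bogus by DNSSEC validation; mark it insecure.
        lines.append(f'domain-insecure: "{fqdn(domain)}"')
        for zone in sorted({builtin_reverse_zone(ip) for ip in servers}):
            # Turn off the built-in empty reverse zone so PTR queries get forwarded too.
            lines.append(f'local-zone: "{zone}" nodefault')
    return "\n".join(lines) + "\n"


def conf_d_snippet(forwards: dict) -> str:
    """Text for /etc/unbound/conf.d/localforward.conf (top-level forward-zone: clauses).
    Assumes the internal DNS servers also answer reverse lookups for their own block."""
    blocks = []
    for domain, servers in sorted(forwards.items()):
        zones = [fqdn(domain)] + sorted({builtin_reverse_zone(ip) for ip in servers})
        for zone in zones:
            block = ["forward-zone:", f'\tname: "{zone}"']
            block += [f"\tforward-addr: {private_ip(ip)}" for ip in servers]
            block.append("\tforward-first: no")  # never fall back to the public tree for this zone
            blocks.append("\n".join(block))
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    print("# ---- /etc/unbound/local.d/local.conf ----")
    print(local_d_snippet(INTERNAL_HOSTS, INTERNAL_FORWARDS))
    print("# ---- /etc/unbound/conf.d/localforward.conf ----")
    print(conf_d_snippet(INTERNAL_FORWARDS))
    print("# then: sudo unbound-checkconf && sudo systemctl reload unbound")
```

Write the two outputs to the paths shown, run unbound-checkconf before reloading so a syntax slip does not take the resolver (and with it inbound mail) down, and then confirm with a forward and a reverse lookup against 127.0.0.1 that the internal address comes back. The stub-zone variant from the earlier post fits the same conf.d file; only the clause name and stub-addr differ.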