
EFA best practice (DNS recursion enabled)

Posted: 14 Apr 2020 13:34
by tcabot73
First off, I’ve been using EFA for years now and it’s a great solution, especially the greylisting feature; it works wonders for the blanket SPAM my wife’s accounts get.

With the last update, having DNS recursion disabled broke inbound email. That being said, I understand it’s preferred to have recursion enabled. I have a split DNS setup and the email servers resolve to an external IP address with recursion set to enabled in EFA-Configuration, but EFA sits in a DMZ and needs to send email to the internal IP of the email load balancer. What is recommended for this situation? Is everyone adding static entries in the EFA OS to resolve just the internal IP of the mail server(s) and local domains? I would like to have my setup follow best practice if at all possible, to avoid issues in the future.

Hopefully I'm understanding this all correctly, please correct me if I'm wrong.

Re: EFA best practice (DNS recursion enabled)

Posted: 14 Apr 2020 18:46
by shawniverson
Good question, and the answer is you can make an exception to the recursion in unbound DNS a couple of different ways.

I'll write up the steps. I haven't added the ability to do this to the TUI, but it is pretty straightforward.

Re: EFA best practice (DNS recursion enabled)

Posted: 15 Apr 2020 08:32
by jogomes
Hello to all,

The last update to EFA 4.0.2 also 'broke' inbound for my EFA. I had to enable Recursion DNS to be able to receive inbound emails.

I use an internal FW DNS and also have an internal AD DNS. I had the internal FW DNS configured since I want only one DNS resolving all internal requests to the outside.

Thanks for your great work.
Regards.
JG

Re: EFA best practice (DNS recursion enabled)

Posted: 17 Apr 2020 01:00
by smyers119
eFa uses unbound for DNS.

Step 1: ssh in and then select 1 for "shell"

Step 2: Create a new file

sudo vi /etc/unbound/local.d/local.conf

Step 3: Add your local DNS entries (check the man page for syntax)
Example:

# My DNS additions
# Forward record for the internal mail host, served by unbound itself
local-data: "sub.example.com A 192.168.100.105"
# Matching reverse record so PTR lookups of the internal IP also work
local-data-ptr: "192.168.100.105 sub.example.com"

(For more advanced setups you can create a stub zone.)

# Allow answers under example.com to contain private (RFC1918) addresses;
# without this, unbound's rebinding protection drops them when private-address is set
private-domain: "example.com"
# Stop unbound answering 192.168.1.0/24 reverse lookups itself (default empty zone)
local-zone: "1.168.192.in-addr.arpa." nodefault
# Ask the internal DNS server directly for example.com instead of recursing.
# stub-zone is a top-level clause: on the stock CentOS layout local.d/ is included
# inside server:, so put clauses like this in a file under /etc/unbound/conf.d/
stub-zone:
    name: "example.com"
    stub-addr: 192.168.1.100@53

Step 4: restart unbound

sudo service unbound restart

Re: EFA best practice (DNS recursion enabled)

Posted: 18 Apr 2020 16:19
by shawniverson
This is one way. Another way to do this is using forward zones.

Create a /etc/unbound/conf.d/localforward.conf

# Send every query for example.net to the internal DNS servers instead of recursing
forward-zone:
  name: example.net.
  forward-addr: <example.net IP1>
  forward-addr: <example.net IP2>
  forward-first: no  # no fallback to normal recursion if the forwarders fail

sudo systemctl reload unbound
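A small lint pass over fragments like the two above (smyers119's stub zone and shawniverson's forward zone), added here as an example and not part of eFa or either post. It parses only the keys used in this thread and flags the two things that silently break mail flow after a reload: an upstream address left as a placeholder, and a zone pointed at an internal resolver without a matching private-domain entry. The file paths and the private-address behaviour are assumed from the stock unbound configuration.

```python
import ipaddress

# Constructed input: the thread's forward-zone fragment, placeholder left unfilled.
FORWARD_CONF = '''forward-zone:
  name: example.net.
  forward-addr: <example.net IP1>
  forward-first: no
'''
ZONE_KEYS = {"name", "stub-addr", "stub-host", "forward-addr", "forward-host",
             "stub-first", "forward-first"}

def parse(text):
    """Split an unbound fragment into top-level (key, value) pairs and zone clauses."""
    top, zones, cur = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and indentation are noise
        if not line:
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        val = val.strip('"')
        if key in ("stub-zone", "forward-zone"):
            cur = {"type": key}
            zones.append(cur)
        elif cur is not None and key in ZONE_KEYS:
            cur.setdefault(key, []).append(val)
        else:
            cur = None
            top.append((key, val))
    return top, zones

def lint(text):
    """Flag unfilled placeholders, non-IP upstreams, and internal zones lacking private-domain."""
    top, zones = parse(text)
    private = {v.rstrip(".").lower() for k, v in top if k == "private-domain"}
    findings = []
    for z in zones:
        zname = z.get("name", ["?"])[0].rstrip(".").lower()
        for addr in z.get("stub-addr", []) + z.get("forward-addr", []):
            host = addr.split("@", 1)[0]  # drop an optional @port suffix
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"ERROR {z['type']} {zname}: {addr!r} is not an IP (unfilled placeholder?)")
                continue
            if ip.is_private and zname not in private:
                # An internal resolver answers with RFC1918 addresses; with private-address
                # configured, unbound's rebinding filter drops them unless private-domain lists the zone.
                findings.append(f"WARN {z['type']} {zname}: add private-domain: \"{zname}\"")
    return findings
```

Run unbound-checkconf for syntax as usual; this only catches the logical mistakes that a syntactically valid file still lets through.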