Documentation Home > Exchange Anti-Spam Toolkit
DNS Configuration for DNS-based Block Lists Providers & Allow List Providers
Many IP Allow and Block List Providers (including Spamhaus and DNSWL), as well as URI DNSBLs and Sender Reputation services do not allow queries to their public mirrors which originate from public or ISP DNS servers, or they implement thresholds on the number of queries per day from a particular IP address, which effectively blocks DNS queries from public or ISP DNS servers. Examples of public DNS Servers would be Google and CloudFlare. If your Internet access uses Carrier-Grade NAT (CGNAT) and you do not have a public IP address then it is also likely you will run into problems using the public mirrors of DNSBLs.
It is necessary to query DNSBLs in a manner which uses caching to avoid generating unnecessary queries and placing an unreasonable load on the services. Some services require a different query mechanism and payment by high-volume users.
The volume of queries generated by your network and the way in which your network is configured to resolve external DNS queries will determine whether additional steps are required to meet the requirements of DNSBLs.
If you are a low-volume user and operate your own DNS server which uses root hints, does not have a forwarder to a public or ISP DNS server, provides caching and accesses the Internet via a public IP address without CGNAT then no additional configuration will be required. Windows DNS server can be set up in this manner, although for security reasons it is recommended to use a dedicated DNS server for external DNS queries (i.e. different to your internal DNS server which is part of Active Directory).
If you use an internal DNS server with a forwarder to either a public or ISP DNS server (common in smaller networks), then it is likely that you will run into issues attempting to use many DNSBLs without additional configuration. The reason is because when a forwarder is used, DNS queries to an DNSBL will actually come from the IP address of the forwarder. For more information, see Successfully accessing Spamhaus’ free blocklists using a public DNS.
Potential solutions to enable correct operation of DNSBLs where you do not have an appropriately configured DNS server are:
- If offered by the DNSBL, registration to allow an alternate access method which uses an access key and permits access via public or ISP DNS servers. Depending on the service and your type of usage, this may be free for low-volume users or may require payment of a subscription fee. For example, for Spamhaus, see Public Mirrors to DQS Migration. A different Lookup Domain, which includes your private access key, is used in the configuration of the DNSBL, URL Block List Provider, or Sender Score service.
- Setup of a local DNS server which uses root hints, does not use forwarders to a public or ISP DNS server, provides caching and can access the Internet via a public IP address without CGNAT. Queries to DNSBLs will need to be directed to this DNS server from your internal Active Directory DNS Server (used by Exchange) by using a Conditional Forwarder on the internal Active Directory DNS Server. The local DNS server which uses root hints to query DNSBLs can be used solely for these queries, if desired. A static IP address is not required as long as outbound Internet access without CGNAT is possible.
- In some situations, if you use a smaller ISP, you may be able to use one of their DNS servers to access DNSBLs. Even if you do not use the smaller ISP's DNS server to resolve all external DNS queries, you can set up a Conditional Forwarder on your internal Active Directory DNS Server for specific DNSBLs.