-2

First time setting up SpamAssassin, I was getting refusals when trying to query URIBL.com when my nameservers were set to 8.8.8.8.

I solved it by using my own bind9 DNS recursive server...

And now I would like to understand how URIBL.com knew the originating source of my DNS queries, i.e. how did it know my queries were coming from 8.8.8.8, and not that the queries were coming from the WAN IP of my email server?

Some light reading pointed me to RFC 7871, which might explain that the source of the DNS query is now contained in the payload of the request headers? Is it similar to a referrer IP in an HTTP request?


As a follow-up question, why does URIBL.com care if it gets requests from 8.8.8.8 vs. counting the quantity of requests from the individual IP addresses that are making the actual queries to URIBL.com?

Is it easier or more cost-effective to use the largest DNS source IP addresses as filters than to try to track a million+ individual IP addresses from countless email servers?

Steve Wasiura
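Worked example, added here and not part of the question, the answer or anything published by URIBL or SpamAssassin: a small Python script that builds a DNS query with and without the RFC 7871 EDNS Client Subnet (ECS) option and then parses it the way an authoritative server such as a DNSBL would. It shows that a plain query carries no client address at all, so the only origin information the list operator has is the UDP source address of whichever resolver forwarded the query, and that when a resolver does add ECS it sends a truncated subnet inside the OPT pseudo-record rather than a full "referrer" address. The lookup name and the addresses are constructed placeholders; whether a particular DNSBL receives or honours ECS from a given public resolver depends on that server and is not modelled here.

```python
import struct
import ipaddress

ECS_OPTION_CODE = 8   # EDNS Client Subnet option code, RFC 7871 section 6
OPT_RR_TYPE = 41      # OPT pseudo-RR type, RFC 6891


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, client_subnet=None):
    """Build a recursion-desired DNS query for qname (type A by default).

    If client_subnet is given (e.g. '203.0.113.0/24'), an OPT RR carrying an
    ECS option is appended, which is what an ECS-enabled resolver would do
    before forwarding the query upstream.
    """
    arcount = 1 if client_subnet is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if client_subnet is not None:
        net = ipaddress.ip_network(client_subnet, strict=False)
        family = 1 if net.version == 4 else 2
        # Only the significant prefix bytes are sent, never the full address.
        addr_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
        option_data = struct.pack("!HBB", family, net.prefixlen, 0) + addr_bytes
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option_data)) + option_data
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def decode_name(msg, offset):
    """Decode a wire-format name starting at offset; returns (name, new_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = ((length & 0x3F) << 8) | msg[offset]
            offset += 1
            labels.append(decode_name(msg, pointer)[0])
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(msg):
    """Parse a DNS query and extract the question plus any ECS client subnet."""
    txid, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    client_subnet = None
    for _ in range(arcount):  # a query has no answer/authority sections
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the EDNS option list
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code == ECS_OPTION_CODE:
                family, src_prefix, _ = struct.unpack("!HBB", data[:4])
                width = 4 if family == 1 else 16
                addr = data[4:] + b"\x00" * (width - len(data[4:]))
                client_subnet = f"{ipaddress.ip_address(addr)}/{src_prefix}"
    return {"id": txid, "questions": questions, "client_subnet": client_subnet}


def view_from_authoritative(msg, udp_source_ip):
    """What the DNSBL operator can see: the transport source and the ECS hint."""
    parsed = parse_query(msg)
    return {
        "udp_source": udp_source_ip,           # the resolver, not the mail server
        "qname": parsed["questions"][0][0],
        "ecs_subnet": parsed["client_subnet"],  # None unless the resolver added ECS
    }


if __name__ == "__main__":
    # Constructed placeholder lookup name; real DNSBL zones differ.
    plain = build_query("example.com.dnsbl.example")
    print(view_from_authoritative(plain, "8.8.8.8"))
    with_ecs = build_query("example.com.dnsbl.example", client_subnet="203.0.113.42/24")
    print(view_from_authoritative(with_ecs, "8.8.8.8"))
```

Running the script prints the same UDP source for both queries; only the second carries an `ecs_subnet` of `203.0.113.0/24`, i.e. the resolver's view of the client's network, truncated to the prefix length it chose to reveal. The parser walks the OPT record generically, so it also reports IPv6 subnets and ignores unrelated EDNS options.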

1 Answer

1

How did it know my queries were coming from 8.8.8.8, and not that the queries were coming from the WAN IP of my email server?

Quite simple: because the queries didn't have the WAN IP address of your server as the origin; for URIBL.com they originate from the Google public DNS server.

Why does URIBL.com care where the requests come from?

That is their business model: they offer their service for free to (many) small users but make a living by selling paid-for subscriptions to large (enterprise) customers with deeper pockets.

HBruijn
  • The 1st answer does not explain if the origin IP is included in the DNS query request. The 2nd answer is not even my question. I understand their business model, but don't understand why they wouldn't track the query from the individual servers that made the request. Is that technical data of "client origin IP" not included in the DNS query request? – Steve Wasiura Jan 25 '18 at 19:53
  • Correct. The DNS query protocol does not have headers like "X-Forwarded-For" in HTTP, so URIBL only sees that 8.8.8.8 (or another computer owned by Google) is making a lot of requests to their server. – DerfK Jan 25 '18 at 20:33