6.0.1 ORF Online Help

DNS

Many tests in ORF (e.g. the DNS Blacklist test) rely on DNS information. Having reliable and fast access to DNS is essential for ORF to function properly. To manage the DNS settings, select the SystemDNS page in the left-side navigation pane of the Administration Tool.

Choosing a Resolver

You can choose from two DNS resolvers provided by ORF. To understand the difference between them, a brief overview of the DNS name resolution process is required.

The DNS name resolution process

Name resolution is an iterative process. When looking up the DNS "A" record of example.com, the DNS resolver first contacts one of the well-known root DNS servers, which provide a starting point for all DNS lookups. The root DNS server will not have the DNS data for example.com, but it knows which DNS servers serve the .com zone and will respond with a referral to these servers. The DNS resolver then contacts one of these referred servers, which in turn provides a referral to the example.com DNS servers. This cycle of referrals continues until the DNS resolver reaches a name server in the hierarchy which has the answer. This last server in the chain is called an authoritative name server.

Difference between recursive resolvers and stub resolvers

A recursive resolver is a DNS client which can do the whole iterative process described above, chasing the referrals until the authoritative name server is found and a final answer is received.

A much more common type of DNS client is the stub resolver. Stub resolvers rely on a known DNS server for name resolution. Instead of iterating through all servers in the hierarchy, they send a so-called recursive query to the known DNS server, asking it to perform the iterations on their behalf. The server then does the name resolution behind the scenes and returns the answer in a single step. Delegating the complex iteration process to the known DNS server greatly simplifies the process from the resolver's perspective.

ORF DNS resolvers compared

The table below compares the two resolvers offered by ORF.

Property                                       Built-In Resolver                         External Servers
Resolver type                                  Recursive resolver                        Stub resolver
Setup and maintenance                          Effortless                                Difficult
Firewall requirements                          Open UDP/53 and TCP/53 to any hosts       Open UDP/53 and TCP/53 to the DNS servers
Cache lifetime                                 Reset on configuration changes            Refer to the DNS server configuration
Sharing cached data between multiple servers   No                                        Yes

Which resolver to use?

We recommend using the built-in resolver unless your situation specifically calls for using external servers. Examples of such situations:

  • You have multiple servers handling a high volume of emails and you want to take advantage of the shared DNS data caching provided by a central DNS server,
  • You cannot allow DNS traffic to any hosts.

Using External DNS Servers

The DNS servers used with ORF must meet the following requirements:

  • They must support recursion
    Recursion means the DNS server returns the query result in a single step instead of redirecting ORF to the root DNS servers. This feature is enabled by default in Microsoft® DNS servers. Disabled recursion will lead to diminished spam filtering performance and a very high number of false positives in ORF.
  • They should be on the local network or on the ORF computer
    Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged. These servers aggregate traffic from many sources and may get banned for exceeding the free traffic limitations imposed by many DNS Blacklists and SURBLs, resulting in diminished spam filtering performance in ORF.
  • They should not use forwarders (e.g. ISP DNS servers)
    If your configured forwarder is an ISP DNS server or a third-party DNS resolution service, you will run into the same issue as in the previous point. Instead, configure the server to use root hints.
  • They should not be the DNS servers which support your Active Directory
    Occasionally, ORF may need to query the records of your own domain (e.g., for the SPF test). If your internal AD domain name is the same as your public domain name (e.g., domain.com instead of domain.local or domain.internal), ORF may get different DNS information than what is publicly available (the split-horizon problem). This may cause false positives or other issues.

The easiest way to comply with the above mentioned requirements is to install Microsoft® DNS Server on the computer where ORF is deployed. This software is part of Windows® Server and can be added as a server role, see this article for detailed instructions.
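The recursion requirement above can be verified independently of ORF by sending a query with the RD (recursion desired) bit set, as a stub resolver does, and inspecting the RA (recursion available) bit and RCODE of the reply. The script below is an added example, not ORF's own health check; the server IP passed to query_server and the sample replies are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query with the RD (recursion desired) bit set, as a stub resolver does."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte DNS header. Flag bits: QR=15, AA=10, TC=9, RD=8, RA=7, RCODE=0..3."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": an}

def check_recursion(resp, txid):
    """Return (ok, reason). A usable server replies with QR and RA set and RCODE 0;
    RCODE 5 (REFUSED) usually means recursion is disabled or not allowed for this client."""
    if len(resp) < 12:
        return False, "truncated response"
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return False, "not a response to our query"
    if h["rcode"] == 5:
        return False, "REFUSED: server does not perform recursion for this client"
    if not h["ra"]:
        return False, "RA flag clear: server does not offer recursion"
    if h["rcode"] != 0:
        return False, "RCODE %d" % h["rcode"]
    return True, "recursion available, %d answer record(s)" % h["answers"]

def query_server(server, name="example.com", timeout=8.0):
    """Send the query over UDP/53 to server (an IP string); 8 s mirrors the ORF default timeout."""
    txid = 0x5A5A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return False, "no reply within %.0f s" % timeout
    return check_recursion(resp, txid)

# Constructed sample replies (headers only, not captured from a real server) for offline checks.
RECURSIVE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, one answer
REFERRAL_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8100, 1, 0, 2, 0)   # QR|RD, RA clear, 2 NS
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR|RD, RCODE 5
```

Run query_server("192.0.2.1") against each server you intend to list in ORF; a referral-only or REFUSED result means the server fails the recursion requirement and will hurt filtering accuracy.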

Other DNS recommendations

We do not recommend using more than 2 DNS servers in ORF. It is also advised to keep the DNS query timeout low (no more than the default 8 seconds). Using too many DNS servers with high timeout values will result in unexpectedly long email checks when your DNS servers are down, as ORF will wait for each DNS-based test to time out. The sender will eventually give up the delivery attempt, and you may lose legitimate emails.

DNS Settings

Click the DNS Settings button to configure DNS access in ORF. A brief summary of the current DNS settings is displayed below the button.

For detailed information, please see the DNS Settings section.

Health Check

Click the Health Check button to perform a test of the DNS access parameters you specified for ORF.

For more information, see the DNS Health Check section.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID adm-dns, version 2.