I have the DNS Security Service and it is set to sinkhole various malicious domains, including newly registered ones. The problem is that our on-premise spam filter tries to do lookups against the sending domain when we receive email, and I believe that the lookups for the MX records and maybe TXT records, etc. My anti-Spyware policy is set to sinkhole newly registered domains. We found that all DNS lookups against the sending domain were returning zero results. Kind of like the action is block instead of sinkhole.
The result is that my span filter was really slowing down waiting for DNS results that wouldn't ever arrive. This was slowing down normal mail delivery by hours.
Obviously I don't want to disable DNS Security completely. I am also having problems sending email to some domains that are showing as parked, etc. We have put those domains in as exceptions.
Is there a way to minimize impact of DNS Security on mail operations? I have a ticket open with support, and they're saying that the service is working properly (I never said it wasn't). This is a bit more of a design type question. For example, can I allow TXT and MX record lookups while sinkhole for other A records?
The only other think I can think of is to set my spam filter to use different DNS servers, and to set the DNS Security policy for that specific DNS traffic to alert only.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!