Set up a local recursive DNS resolver on IEC #29
Description
Some of the Spam Assassin checks rely on DNS based block lists. These are currently failing with responses like:
* 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The
* query to Validity was blocked. See
* https://knowledge.validity.com/hc/en-us/articles/20961730681243 for
* more information.
* [87.251.87.216 listed in sa-trusted.bondedsender.org]
* 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query
* to Validity was blocked. See
* https://knowledge.validity.com/hc/en-us/articles/20961730681243 for
* more information.
* [87.251.87.216 listed in sa-accredit.habeas.com]
* 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query
* to Validity was blocked. See
* https://knowledge.validity.com/hc/en-us/articles/20961730681243 for
* more information.
* [87.251.87.216 listed in bl.score.senderscore.com]
Currently iec is set up to use DNS resolvers provided by Binary Lane, so our requests would be mixed in with every other customer, which seems to exceed the usage limits.
One solution to this would be to run our own DNS resolver on IEC: then our requests would be separate and hopefully within the free usage tier.
We're already running knot as an authoritative DNS server for the plug.org.au domain, which will not do recursive look ups. We probably don't want to change that.
We could install a second one like knot-resolver bound to a localhost IP.