It would be useful to have an MX Record Whitelist category that the community can build up. A common side effect of using OpenDNS Domain/Category Blocking is the blocking of some mail flow to blocked sites (if your mail server is using your OpenDNS account), and the domains' MX record isn't very unique.
8 Comments
To clarify my idea submission, I have a limited whitelist of MX records that I have been maintaining that I could submit to an MX Whitelist category, or the like. Many of the webmail sites I added to Domain Blocking were also causing mail flow to be blocked because of the domain name being included in the MX record. For example, hotmail.com.
A possible solution would be to not include your mail server in the network setup but still use OpenDNS for DNS, which would not be content filtered. It only does filtering if the network is registered. Or set up the network but don't have any of the filtering options on.
@vsnyder - True, that would be the ideal solution. But for those that don't, it would be nice. ;)
Rather than maintaining a whitelist, why not simply implement an option "do not block lookups for MX/mail entries"?
It would be *reasonably* common that even though you're trying to block people from "getting to" certain sites, you may still need to be able to email those sites (e.g. for admin/abuse purposes).
The problem is that MX-records reference A-records. So for instance the MX record for pornsite.com might reference some A-records as follows:-
10 mail.pornsite.com.
20 www.pornsite.com.
Now the A-records can refer to mail servers or webservers or both.
I think the only real workaround is to have the mail server reference a DNS that is unfiltered. It would be good if OpenDNS offered an extra unfiltered DNS server for this purpose in case you only have a single public IP address submitting the requests.
Another issue related to mail servers is looking up SPF, DK, and DKIM records. One way to solve that would be to allow the looking up of TXT records. Has anyone else run into this?
I also had problems with sending mail to recipients of blocked domains but found the easiest way to work around it was to change the SMTP settings in Exchange to use a public DNS server to resolve the domain rather than using OpenDNS to do it. I now have MailMarshal and found that the same simple solution works well also. Mail goes straight out of our organisation without incident and the network (including the servers) is using OpenDNS on the net. You can, if you like, just whitelist the MX records but there is no need to. This website has a handy tool for it... http://webtools.live2support.com/nt_mxrecords.php
Hope this helps.
I can see how this may be useful. For example, if I wanted to email someone@questionablesite.com, mail.questionablesite.com should still be resolvable.
Most sites would probably have separate servers for mail and WWW.
Suggestion to OpenDNS: This could be solved by having OpenDNS return only IP addresses when you dig for the MX record of a domain from your network, rather than a hostname.
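
The dependency discussed in this thread (a blocked domain's MX targets are hostnames, and their A lookups pass through the same filter) can be checked from resolver output. The following is an added example, not part of the original thread: it compares constructed, dig-style answers from a filtered and an unfiltered resolver. The domain names, addresses, the block-page address and the function names are all assumptions made for illustration.

```python
# Added illustration. All records are constructed (documentation names and
# address ranges); 198.51.100.1 stands in for a hypothetical block-page address.
MX_ANSWER = """\
blocked.example. 3600 IN MX 20 www.blocked.example.
blocked.example. 3600 IN MX 10 mail.blocked.example.
"""
FILTERED_A = """\
mail.blocked.example. 0 IN A 198.51.100.1
www.blocked.example. 0 IN A 198.51.100.1
"""
UNFILTERED_A = """\
mail.blocked.example. 300 IN A 192.0.2.25
www.blocked.example. 300 IN A 192.0.2.80
"""

def parse_mx(text):
    """Return [(preference, target)] sorted so the preferred exchanger is first."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2].upper() == "IN" and f[3].upper() == "MX":
            out.append((int(f[4]), f[5].rstrip(".").lower()))
    return sorted(out)

def parse_a(text):
    """Return {hostname: set of IPv4 addresses} from A answer lines."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == "A":
            out.setdefault(f[0].rstrip(".").lower(), set()).add(f[4])
    return out

def audit(mx_text, filtered_text, unfiltered_text):
    """Flag each MX target whose filtered A answer shares no address with the
    unfiltered one (rewritten or missing). Geo-balanced hosts can differ between
    resolvers for benign reasons, so treat a flag as a prompt to look closer."""
    filt, clean = parse_a(filtered_text), parse_a(unfiltered_text)
    rows = [(pref, host, not (filt.get(host, set()) & clean.get(host, set())))
            for pref, host in parse_mx(mx_text)]
    deliverable = any(not diverted for _, _, diverted in rows)
    return rows, deliverable

if __name__ == "__main__":
    rows, deliverable = audit(MX_ANSWER, FILTERED_A, UNFILTERED_A)
    for pref, host, diverted in rows:
        print(f"MX {pref:>3} {host:<24} {'DIVERTED' if diverted else 'ok'}")
    print("mail deliverable via filtered resolver:", deliverable)
```

With the sample data both exchangers are diverted, so outbound mail to the domain has no usable target through the filtered resolver; whitelisting the MX hostname or pointing the mail server at an unfiltered resolver changes the result for that host.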