Configuring a DNS resolver for enhanced performance
For performance and reliability reasons, it is advised to use a dedicated caching recursive DNS resolver for your filtering needs. To keep it simple, we will refer to this as a “DNS resolver”.
There are several publicly available DNS resolvers, including Google DNS (126.96.36.199), Quad 9 DNS (188.8.131.52), or Cloudflare DNS (184.108.40.206). However, we do not recommend using these resolvers as there is a risk that you could be subject to rate-limits on the number of queries you are sending. If you still want to use a public DNS resolver, you will need to use the Spamhaus Data Query Service (DQS), not the data made available via the public mirrors.
Whether you are using an MTA like Postfix, or you run Spamassassin or rspamd on a standalone machine, it is recommended to use a dedicated DNS resolver for that filtering instance.
When dealing with blocklist queries, the most effective way to improve performance for any DNS resolver, is to disable the DNS privacy enhancement - QNAME minimization. This privacy feature significantly increases the number of queries sent to authoritative nameservers, resulting in much slower lookup times for deeply-nested lookups. Considering all blocklist queries are deeply nested, they are particularly affected. Furthermore, there is no QNAME minimization privacy gain for blocklist lookups, only a performance loss, as all queries are sent to the same nameserver.
In our opinion, disabling QNAME minimization is a temporary stop-gap measure. It should only be necessary until we identify a solution to isolate disabling QNAME minimization for deep lookups only, where there is no privacy benefit (such as RBL lookups). There are, however, DNS resolvers that allow you to configure when QNAME minimization should be enabled or disabled, for example, Knot resolver, see below.
We are working closely with the DNS community to find an alternative solution but until then, we recommend disabling QNAME minimization.
How to configure DNS resolvers for enhanced performance
In this section you will find guidelines to configure the most common DNS resolvers to enhance performance.