Using a public name server such as 1.1.1.1 or 8.8.4.4 has become the norm, but if you're running an email server this can cause real trouble.
You see, it is very hard to run an email server without Spamhaus. There are other solutions too, but a DNS blocklist such as Spamhaus and a content filter such as SpamAssassin are key to keeping spam out.
The problem is that Spamhaus refuses queries that arrive from an "open resolver", meaning a shared public resolver. The issue shows up in three ways:
1. Shared public resolver
You are querying through shared infrastructure (Cloudflare 1.1.1.1, Google 8.8.8.8). Thousands of unrelated users send queries through the same egress IPs, so Spamhaus cannot attribute a query to any specific user.
2. Lack of query attribution
This is the core of the problem. Spamhaus needs to know who is asking so it can enforce its free-use terms and stop scraping or heavy use by large companies. When you query through 1.1.1.1 you are anonymous to them, so instead of a listing answer you get the error code 127.255.255.254 (query via public/open resolver).
3. Indirect querying
Instead of your Mail Transfer Agent (MTA), or the resolver on your own host, talking directly to the DNSBL's nameservers, a middleman (the public resolver) does, and the DNSBL only ever sees the middleman's address.
How to test
dig +short 2.0.0.127.zen.spamhaus.org
127.255.255.254
2.0.0.127 is the Spamhaus test record (127.0.0.2 reversed) and should come back with listing codes (127.0.0.2, 127.0.0.4 and 127.0.0.10 for ZEN). 127.255.255.254 is not a listing; it is Spamhaus's error code for "query via public/open resolver". After switching to a local resolver the machine looks like this:
root@ns3:~# resolvectl status | grep "DNS Servers"
DNS Servers: 127.0.0.1 ::1
DNS Servers: 127.0.0.1 ::1
root@ns3:~# host $(hostname -I | awk '{print $1}')
a.b.c.d.in-addr.arpa domain name pointer ns3.vander.host.
Run dig +short -x against both your IPv4 and your IPv6 address and make sure each has a reverse (PTR) record.
# dig +short txt iptest.whois.dnscontest.cleanbrowsing.org
"CleanBrowsing Whois: Datacenter: dns-edge-europe-frankfurt5, Destination:185.228.168.10, ClientIP: a.b.c.d"
ClientIP is the address the outside world sees your queries coming from. It should be your own server's address, as above; if it shows a Cloudflare or Google egress address, you are still going through a public resolver.
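The checks above, gathered into one script. This is an added example and not part of the original post: it decodes what the Spamhaus test record returns (the listing codes and the 127.255.255.x error codes documented by Spamhaus), then queries the record through the system resolver, the local resolver on 127.0.0.1 and Cloudflare's 1.1.1.1 so the difference is visible side by side. The function names and the PTR helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): decode the Spamhaus test record
# answer and compare the local resolver path against a shared public resolver.

# Spamhaus test record: the loopback address 127.0.0.2 reversed under ZEN.
CHECK_NAME="2.0.0.127.zen.spamhaus.org"

# Classify the A records dig +short returned (space separated, may be empty).
# ZEN listing codes are 127.0.0.2 to 127.0.0.11; the 127.255.255.x codes are
# errors returned instead of a listing:
#   127.255.255.252  typing error in the DNSBL name
#   127.255.255.254  query came via a public/open resolver
#   127.255.255.255  excessive number of queries
# Prints a verdict and returns 0 only when the answer is a genuine listing.
classify_dnsbl_answer() {
  answer="$1"
  if [ -z "$answer" ]; then
    echo "NOT_LISTED"
    return 1
  fi
  for ip in $answer; do
    case "$ip" in
      127.255.255.252) echo "ERR_TYPO";              return 1 ;;
      127.255.255.254) echo "ERR_OPEN_RESOLVER";     return 1 ;;
      127.255.255.255) echo "ERR_EXCESSIVE_QUERIES"; return 1 ;;
      127.0.0.*)       ;;                            # a real listing code
      *)               echo "UNEXPECTED:$ip";        return 1 ;;
    esac
  done
  echo "LISTED"
  return 0
}

# Human-readable explanation of a verdict.
explain_verdict() {
  case "$1" in
    LISTED)                echo "ok: listing codes returned, queries are attributed to you" ;;
    NOT_LISTED)            echo "the test record must be listed; DNSBL unreachable or answers filtered" ;;
    ERR_OPEN_RESOLVER)     echo "query went through a shared public resolver; run your own resolver or use DQS" ;;
    ERR_EXCESSIVE_QUERIES) echo "free-use query limit exceeded; you need DQS" ;;
    ERR_TYPO)              echo "DNSBL zone name is misspelled" ;;
    *)                     echo "unexpected answer: $1" ;;
  esac
}

# Query the test record, optionally via a specific resolver (127.0.0.1, 1.1.1.1).
# Short timeouts so an unreachable resolver does not stall the comparison.
check_via() {
  resolver="$1"
  if [ -n "$resolver" ]; then
    raw=$(dig +short +time=3 +tries=1 "$CHECK_NAME" "@$resolver" 2>/dev/null | tr '\n' ' ')
  else
    raw=$(dig +short +time=3 +tries=1 "$CHECK_NAME" 2>/dev/null | tr '\n' ' ')
  fi
  verdict=$(classify_dnsbl_answer "$raw")
  printf '%-12s %-22s %s\n' "${resolver:-system}" "$verdict" "$(explain_verdict "$verdict")"
}

# Reverse DNS check for one address (IPv4 or IPv6): a mail server needs a PTR.
check_ptr() {
  ptr=$(dig +short +time=3 +tries=1 -x "$1" 2>/dev/null)
  if [ -n "$ptr" ]; then
    echo "$1 -> $ptr"
  else
    echo "$1 -> NO PTR RECORD"
    return 1
  fi
}

# Compare the three resolver paths; optional arguments are addresses to PTR-check.
main() {
  for r in "" 127.0.0.1 1.1.1.1; do
    check_via "$r"
  done
  for addr in "$@"; do
    check_ptr "$addr"
  done
}

# Only run the network checks when dig is actually installed.
command -v dig >/dev/null 2>&1 && main "$@"
```

Run it as `sh dnsbl-check.sh a.b.c.d 2001:db8::1` (your own addresses) on the mail server. The 1.1.1.1 row should show ERR_OPEN_RESOLVER, the 127.0.0.1 row LISTED once the local resolver is in place, and the "system" row tells you which of the two your MTA is actually using.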
root@ns3:~# ls -F /etc | grep bind
bind/ bindresvport.blacklist
root@ns3:~# cat /etc/bind/named.conf.options
acl "trusted" {
        127.0.0.1;
        ::1;    // resolvectl lists ::1 as a DNS server too, so IPv6 loopback must be trusted as well
};

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        // Leave this commented out here: forwarding to 1.1.1.1 or 8.8.8.8
        // would put the public resolver back in front of Spamhaus.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        // eugenevdm 15 Apr 2023 copied this from ns4, but not further down than comments on ns4
        // also noted on NS4 "allow-transfer" and "also-notify" which isn't here
        allow-new-zones yes;

        // allow recursion only for localhost and other select IPs
        allow-recursion { trusted; };
        #allow-query { trusted; };
        allow-query { any; };           // allow everyone to query authoritative zones
        allow-query-cache { trusted; };
        recursion yes;
};
Get ready for a shit show. Running your own resolver fixes the attribution problem, but if your query volume goes beyond Spamhaus's free-use terms you'll probably need DQS (the Spamhaus Data Query Service), where a per-account key is embedded in the query name so the lookup is attributed to you no matter which resolver carries it.