You're probably better off finding a mail filtering service that has actual networking clue rather than jumping through these hoops. In addition to having over 80 IPs to which that hostname resolves, they have their TTL set to only 300 seconds. This isn't going to work out well for them. They're going to DDoS themselves with that kind of nonsense, it doesn't scale.
Using DNS to populate an 80-plus entry ACL in a firewall only to throw it away every five minutes simply isn't good practice. Populating firewall ACLs with a phonebook-sized list of A records is not what DNS is for. They are doing something fundamentally broken and telling the rest of the world how to implement workarounds for it.
And, at least for the TA900 series, Adtran doesn't like this at all.
Error(RCODE - name error): Exhausted all available options to resolve host.
Cisco won't be happy either. It will populate the ACL with the first match and cache it until the next reboot.
Totally agree with your assessment of the networking problems they have set up. Had not checked that TTL, wow.
So I was able to get them to force our email through a smaller subset of subnets, kind of. Instead of that huge list, they provided 4 /24 subnets of possible sending IPs, so I only had to enter those subnets, although that still means they are saying they might send email through as many as 1000 IPs.