From 6733a172d77480e1cbc919125c7d9b7b7fd467ac Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Sun, 31 Mar 2024 04:14:02 +0200 Subject: [PATCH] docs: add FAQ entry about DNS servers and drop feature request on custom DNS servers for Rspamd (#3966) * add FAQ entry about DNS servers I also opted for including a quote from @polarthene which illustrates how DNS servers are a difficult topic and should not be DMS' responsibility. * link to DNS FAQ from Rspamd page & drop feature request The feature request annotation has been removed because we decided it's not DMS responsibility to ensure correctly working DNS servers. --- docs/content/config/security/rspamd.md | 8 +++----- docs/content/faq.md | 13 ++++++++++++- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/docs/content/config/security/rspamd.md b/docs/content/config/security/rspamd.md index 5cb901b7..fd0fe25e 100644 --- a/docs/content/config/security/rspamd.md +++ b/docs/content/config/security/rspamd.md 
@@ -94,11 +94,7 @@ Rspamd provides a [web interface][rspamd-docs::web-interface], which contains st ### DNS -DMS does not supply custom values for DNS servers to Rspamd. If you need to use custom DNS servers, which could be required when using [DNS-based black/whitelists](#rbls-realtime-blacklists-dnsbls-dns-based-blacklists), you need to adjust [`options.inc`][rspamd-docs::basic-options] yourself. - -!!! tip "Making DNS Servers Configurable" - - If you want to see an environment variable (like `RSPAMD_DNS_SERVERS`) to support custom DNS servers for Rspamd being added to DMS, please raise a feature request issue. +DMS does not supply custom values for DNS servers (to Rspamd). If you need to use custom DNS servers, which could be required when using [DNS-based deny/allowlists](#rbls-real-time-blacklists-dnsbls-dns-based-blacklists), you need to adjust [`options.inc`][rspamd-docs::basic-options] yourself. Make sure to also read our [FAQ page on DNS servers][docs::faq::dns-servers]. !!! warning @@ -270,3 +266,5 @@ While _Abusix_ can be integrated into Postfix, Postscreen and a multitude of oth [docs::dms-volumes-config]: ../advanced/optional-config.md#volumes-config [docs::dms-volumes-state]: ../advanced/optional-config.md#volumes-state + +[docs::faq::dns-servers]: ../../faq.md#what-about-dns-servers diff --git a/docs/content/faq.md b/docs/content/faq.md index 6b1782e3..4add0589 100644 --- a/docs/content/faq.md +++ b/docs/content/faq.md 
@@ -79,6 +79,14 @@ volumes: Optionally, you can set the `TZ` ENV variable; e.g. `TZ=Europe/Berlin`. Check [this list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) for which values are allowed. +### What About DNS Servers? + +Properly working DNS servers are crucial for differentiating spam from legitimate e-mails. Records like `SPF`, `DKIM` and `DMARC` records, as well as working name (resolving `A` records) and reverse name (resolving `PTR` records) resolution ensures legitimate e-mails arrive while e-mails that are more likely phishing and spam do not. + +Anti-spam measures (like SpamAssassin or Rspamd) make use of DNS block lists. To learn more check out our [Rspamd documentation on this topic][docs::rspamd-rbl-dnsbl]. In case you want to utilize RBL/DNSBLs, you need a recursive DNS resolver (_not big custom resolvers like Cloudflare, Quad9, Google, etc._). + +DMS does not integrate support for an internal DNS service as this is a [responsibility that is sensitive to the host environment][gh-discussion::dms-avoid-maintaining-internal-dns]. You can configure internal services within DMS to use your own managed DNS server, or configure for such at the host or container level (_such as with [`compose.yaml`][docker-compose::docs::config-dns]_). + ### What is the file format? All files are using the Unix format with `LF` line endings. Please do not use `CRLF`. @@ -376,7 +384,7 @@ The default setup `@local_domains_acl = ( ".$mydomain" );` does not match subdom Put received spams in `.Junk/` imap folder using `SPAMASSASSIN_SPAM_TO_INBOX=1` and `MOVE_SPAM_TO_JUNK=1` and add a _user_ cron like the following: -!!! example +!!! example **NOTE:** This example assumes you have a [`/var/mail-state` volume][docs::dms-volumes-state] mounted. 
@@ -482,6 +490,7 @@ $spam_quarantine_to = "quarantine\@example.com"; [fail2ban-customize]: ./config/security/fail2ban.md [docs::dms-volumes-state]: ./config/advanced/optional-config.md#volumes-state +[docs::rspamd-rbl-dnsbl]: ./config/security/rspamd.md#rbls-real-time-blacklists-dnsbls-dns-based-blacklists [docs-maintenance]: ./config/advanced/maintenance/update-and-cleanup.md [docs-override-postfix]: ./config/advanced/override-defaults/postfix.md [docs-userpatches]: ./config/advanced/override-defaults/user-patches.md @@ -495,4 +504,6 @@ $spam_quarantine_to = "quarantine\@example.com"; [github-issue-1405-comment]: https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498 [github-issue-1639]: https://github.com/docker-mailserver/docker-mailserver/issues/1639 [github-issue-1792]: https://github.com/docker-mailserver/docker-mailserver/pull/1792 +[gh-discussion::dms-avoid-maintaining-internal-dns]: https://github.com/orgs/docker-mailserver/discussions/3959#discussioncomment-8956322 +[docker-compose::docs::config-dns]: https://docs.docker.com/compose/compose-file/compose-file-v3/#dns [hanscees-userpatches]: https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh
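Review bot: In the `rspamd.md` hunk at `@@ -94,11 +94,7 @@`, the in-page link target changes from `#rbls-realtime-blacklists-dnsbls-dns-based-blacklists` to `#rbls-real-time-blacklists-dnsbls-dns-based-blacklists`, but neither `rspamd.md` hunk in this patch touches a heading, so either the old anchor was already broken or the new one is. Please confirm the slug generated for the RBL heading and use that exact value both here and in the `[docs::rspamd-rbl-dnsbl]` reference added to `faq.md`. Separately, the parentheses in "DNS servers (to Rspamd)" read oddly; the sentence is clearer with "to Rspamd" unparenthesised, as it was before.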
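Review bot: In the `faq.md` hunk at `@@ -79,6 +79,14 @@`, the parenthetical "_not big custom resolvers like Cloudflare, Quad9, Google, etc._" gives no reason for the restriction, and "custom" clashes with the `rspamd.md` wording in the same patch, where "custom DNS servers" means servers the admin configures. Suggest naming these resolvers for what they are and adding one clause on why RBL/DNSBL lookups need your own recursive resolver, since this is the sentence readers will act on when their block lists silently stop matching. In the first paragraph, "Records like `SPF`, `DKIM` and `DMARC` records" repeats "records", and the verb should be "ensure" to agree with the plural subject.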
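Review bot: The `faq.md` hunk at `@@ -376,7 +384,7 @@` removes and re-adds `!!! example` with no visible difference, so it looks like a whitespace-only change unrelated to the DNS FAQ entry. Either mention the cleanup in the commit message or move it to a separate commit so this change stays limited to what its subject line describes.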
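Review bot: In the `faq.md` hunk at `@@ -495,4 +504,6 @@`, `[docker-compose::docs::config-dns]` points at the versioned `compose-file-v3` reference while the FAQ sentence it serves names `compose.yaml`; please check whether a current Compose file reference for `dns` should be linked instead so the link and the file name agree. The new `gh-discussion::` label prefix also differs from the `github-issue-` naming of the neighbouring entries, so consider one consistent scheme for GitHub links in this reference block.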