From beb8ca746202af19a9664a80b16b8d7a5a74c75a Mon Sep 17 00:00:00 2001 From: georglauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Sat, 30 Mar 2024 11:32:55 +0100 Subject: [PATCH] add FAQ entry about DNS servers I also opted for including a quote from @polarthene which illustrates how DNS servers are a difficult topic and should not be DMS' responsibility. --- docs/content/faq.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/content/faq.md b/docs/content/faq.md index 6b1782e3..b1a00293 100644 --- a/docs/content/faq.md +++ b/docs/content/faq.md 
@@ -79,6 +79,18 @@ volumes: Optionally, you can set the `TZ` ENV variable; e.g. `TZ=Europe/Berlin`. Check [this list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) for which values are allowed. +### What About DNS Servers? + +Properly working DNS servers are crucial for differentiating spam from legitimate e-mails. Records like `SPF`, `DKIM` and `DMARC` records, as well as working name (resolving `A` records) and reverse name (resolving `PTR` records) resolution ensure legitimate e-mails arrive while e-mails that are likely phishing and spam do not. + +Moreover, anti-spam measures (like SpamAssassin or Rspamd) make use of DNS block lists. Check out our [Rspamd documentation on this topic][docs::rspamd-rbl-dnsbl] to learn more about this topic. In case you want to utilize RBL/DNSBLs, you need a recursive DNS resolver, and do not use big custom resolvers (like Cloudflare, Quad9, Google, etc.). + +DMS does not support custom DNS servers via environment variables because, on the one hand, DNS is a difficult to maintain topic, and on the other hand, most environments already provide options for using custom DNS servers. + +??? quote "DNS Servers Should Not be DMS' Responsibility" + + It's not just Docker vs K8s, as the OS can play a role too adding complexity. 
Linux may be using `systemd-resolved`, a local custom DNS service (or external one like with PiHole), [a] VM hypervisor can influence that too IIRC, cloud vendors often use NetPlan which at least with Vultr I found annoying with it's reactive behaviour each time a container spun up introducing a new IP, VM guests resuming from suspend I was finding containers no longer could resolve DNS until restarting the Docker daemon, along with other side-effects like from kernel tunables, glibc/nss, /etc/hosts and related configs, chroot (we had a container issue related to this with Postfix back when it used chroot), Windows you've got WSL2 and it's network differences between the host, the WSL2 VM using the Docker container and the actual private WSL2 VM managed by docker, similarly macOS with it's own VM wrapper and drivers has had networking issues. + ### What is the file format? All files are using the Unix format with `LF` line endings. Please do not use `CRLF`. @@ -376,7 +388,7 @@ The default setup `@local_domains_acl = ( ".$mydomain" );` does not match subdom Put received spams in `.Junk/` imap folder using `SPAMASSASSIN_SPAM_TO_INBOX=1` and `MOVE_SPAM_TO_JUNK=1` and add a _user_ cron like the following: -!!! example +!!! example **NOTE:** This example assumes you have a [`/var/mail-state` volume][docs::dms-volumes-state] mounted. @@ -482,6 +494,7 @@ $spam_quarantine_to = "quarantine\@example.com"; [fail2ban-customize]: ./config/security/fail2ban.md [docs::dms-volumes-state]: ./config/advanced/optional-config.md#volumes-state +[docs::rspamd-rbl-dnsbl]: ./config/security/rspamd.md#rbls-real-time-blacklists-dnsbls-dns-based-blacklists [docs-maintenance]: ./config/advanced/maintenance/update-and-cleanup.md [docs-override-postfix]: ./config/advanced/override-defaults/postfix.md [docs-userpatches]: ./config/advanced/override-defaults/user-patches.md
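Review bot: the new "What About DNS Servers?" entry answers a question about which resolver the container uses with a paragraph about authoritative records, and the two should be separated so a reader does not conclude that a resolver setting would fix their SPF/PTR lookups. The first paragraph (SPF, DKIM, DMARC, `A`, `PTR`) is about records the operator publishes in the zone for the mail domain, which no DNS setting of DMS affects; the second and third paragraphs are about the recursive resolver DMS queries at runtime, which is what the question is actually about. Suggest an opening sentence that makes that distinction explicit before the records list. Wording in the same hunk: "Records like `SPF`, `DKIM` and `DMARC` records" doubles "records"; "In case you want to utilize RBL/DNSBLs, you need a recursive DNS resolver, and do not use big custom resolvers" would read better as "you need your own recursive DNS resolver rather than a large public one", and it currently gives no reason for the restriction, so either state it or say outright that the linked Rspamd page explains it; "DNS is a difficult to maintain topic" needs hyphens ("difficult-to-maintain"). The last paragraph says "most environments already provide options for using custom DNS servers" without naming any; naming Docker's `--dns` flag and the compose `dns:` key (and the Kubernetes pod `dnsConfig`) would make the answer actionable. In the quoted admonition, `it's` should be `its` in "it's reactive behaviour", "it's network differences" and "it's own VM wrapper"; the `[a]` editorial insertion is fine.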
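Review bot: the `-!!! example` / `+!!! example` hunk is a whitespace-only change (the two lines are identical as shown, so presumably trailing whitespace was removed) that is unrelated to the FAQ entry and not mentioned in the commit message. It accounts for the one deletion in the diffstat. Either drop it from this patch or add a line to the commit message noting the incidental whitespace cleanup, so the history explains the touched line.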
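Review bot: the added reference `[docs::rspamd-rbl-dnsbl]: ./config/security/rspamd.md#rbls-real-time-blacklists-dnsbls-dns-based-blacklists` depends on a generated heading slug, and a fragment that does not match the rendered id fails silently in most MkDocs builds. Please confirm the slug against the actual heading in `rspamd.md` (parentheses, slashes and "/" separators all affect how the slug is derived) and, if the docs build supports strict anchor validation, run it once with that enabled before merging. Placement between `docs::dms-volumes-state` and `docs-maintenance` matches the existing ordering of the reference block.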